Chrome extensions ask for too many dangerous permissions and see everything


Chrome extensions often come with the most invasive permissions. Your AI sidebar, QR code generator, paint, or any other tool can track browsing, inject scripts, store private data, and sometimes even access cryptocurrency node connections. Here’s what we discovered about 100 popular Chrome extensions.

Security researchers don’t like Chrome extensions – they sometimes recommend deleting them all because extensions see everything.

Cybernews researchers took a deeper dive into 100 popular extensions recently recommended by various sources.

The use of high-risk permissions is widespread – 86 extensions gain highly dangerous permissions upon installation. Only a single extension didn’t require any permissions that could be considered at least moderately dangerous to the user.

Most extensions want full access to all websites a user visits, scripting abilities, permission to read and modify browser tabs (including content and URL), and permission to store collected data. Many extensions also ask for permission to check downloads, history, or browsing data, or even to tamper with traffic by injecting elements such as ads or redirecting the user somewhere else.

On average, an extension asks for 6.4 permissions, 5.3 of which are high or moderate-risk permissions.

“Users have almost no control over what permissions extensions use. You either agree or disagree with the permissions list and grant them all upon installing the extension,” said Teona Patussi, Information Security Researcher at Cybernews.

We also discovered many inconsistencies. Two QR code generators have the same name and function but two different sets of required permissions. One generator uses scripting to inject code into web pages, sees the active tab, and can store data. The other QR code generator has none of these permissions. Instead, it wants access to all websites, which is also dangerous.

Within the same category, such as AI chatbots, writing tools, etc., some extensions will use minimal permissions while others request extensive access.

“Best development practices require requesting a minimum amount of permissions to complete a particular action. It's unclear why one extension that only takes screenshots also wants to access your downloads and all open tabs,” Patussi noted.

“It may be a coincidence, but during the analysis, Google removed two of the 100 analyzed extensions from the Chrome Web Store that were suspected of potential malicious activity – we had to replace them with alternatives.”

While some permissions are dangerous, in many cases, they are essential for an add-on's proper functioning and do not inherently indicate malicious intent.

However, Chrome extensions often change hands and are frequently updated, which can introduce new permissions, features, and risks.

Methodology

The Cybernews research team selected 100 trending Chrome extensions and analyzed their Manifest files to determine what permissions they requested. This list, with some substitutions, served as a basis for analysis, allowing the team to examine the most popular and some niche extensions.

Extensions require permission to access specific browser functions or user data. Chrome extensions declare permissions in their Manifest file, which is like a rulebook telling the browser what the extension can access. The Chrome API contains a list of over 70 permissions, but not all of them are commonly used.

The risk attribution relies on Google’s Permission Risk whitepaper and the Cybernews research team's estimates for the newer permissions.

Which extensions require the most permissions?

The analyzed list contains 17 extensions that ask for ten or more permissions. Tampermonkey was on top with 18 declared permissions, seven of which were high-risk and seven medium-risk. Advanced users use this extension to run user scripts, which can modify websites.

AI and productivity extensions are particularly permission-heavy. The “AI New Tab: Calendar, Tasks, ChatGPT” and “Checker Plus for Gmail” extensions both require 16 permissions.

“Magical AI Agent for Autofill Automation” will ask for 14 permissions, as well as “Adobe Acrobat PDF edit” and “Awesome Screen Recorder Screenshot.”

Popular adblockers such as AdBlock or Ghostery are also among the extensions with the most permissions, as are password managers or translation services.

Forty-six extensions declared 5-9 required permissions. Only five extensions work with 0-1 permissions.

“While the number of permissions may be intimidating, the real danger lies in the combinations of specific permissions. A few permissions would be sufficient to create malware capable of keylogging, session hijacking, and full data theft,” Patussi explains.

The most requested permissions

Unfortunately, the most dangerous permissions are also the most common.

Most extensions, 95 from the analyzed list, ask for storage permission. This permission is comparatively low-risk and enables data to be stored locally. While essential for some functions, it could also be abused to collect and store excessive user data.

Sixty-five extensions ask for scripting permission. This high-risk permission allows Chrome extensions to inject JavaScript and CSS into web pages. While this capability is essential for many legitimate extensions, it can pose significant security risks if misused, such as arbitrary code injection.

Scripting is especially dangerous when combined with Host permissions that give broad access to every website. Broad Host permissions come in third place, with 60 extensions declaring they need to access all URLs (including local) or all domains (including and excluding subdomains).

Google itself categorizes it as the most dangerous permission, which “gives unrestricted access to essentially all web content and local files.”
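The check below is an added example, not code from the Cybernews study: it triages a manifest for scripting, cookies, or tabs declared alongside broad host access. The `HIGH_RISK` set, the function names, and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example. HIGH_RISK is an assumption taken from the article's wording,
// not from Google's permission risk whitepaper.
const HIGH_RISK = new Set([
  "scripting", "tabs", "cookies", "declarativeNetRequest", "webRequest",
  "downloads", "history", "tabCapture", "browsingData", "nativeMessaging",
  "userScripts", "privacy",
]);

// True for match patterns that cover every site, e.g. <all_urls>, *://*/*.
function isBroadHost(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

function auditManifest(manifest) {
  const strings = (list) => (list || []).filter((p) => typeof p === "string");
  const declared = [...strings(manifest.permissions), ...strings(manifest.optional_permissions)];
  // MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
  // Content-script match patterns grant page access as well.
  const hostCandidates = [
    ...declared,
    ...strings(manifest.host_permissions),
    ...strings(manifest.optional_host_permissions),
    ...(manifest.content_scripts || []).flatMap((cs) => strings(cs.matches)),
  ];
  const broadHosts = [...new Set(hostCandidates.filter(isBroadHost))];
  const highRisk = declared.filter((p) => HIGH_RISK.has(p));
  const findings = [];
  if (broadHosts.length > 0) findings.push("broad host access");
  for (const p of ["scripting", "cookies", "tabs"]) {
    if (broadHosts.length > 0 && declared.includes(p)) {
      findings.push(`${p} + broad host access`);
    }
  }
  return { highRisk, broadHosts, findings };
}

// Constructed manifests modelled on the two QR code generators compared above.
const QR_A = { manifest_version: 3, permissions: ["scripting", "activeTab", "storage"] };
const QR_B = { manifest_version: 3, host_permissions: ["<all_urls>"] };
// Constructed worst case: script injection and cookie access on every site.
const BROAD = {
  manifest_version: 3,
  permissions: ["storage", "scripting", "cookies"],
  host_permissions: ["*://*/*"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
for (const m of [QR_A, QR_B, BROAD]) console.log(JSON.stringify(auditManifest(m)));
```

Run it against the `manifest.json` of an unpacked extension by passing the parsed JSON to `auditManifest`.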

“If an extension gets compromised, attackers could exploit Host and other permissions to steal credentials, track user behavior, intercept and modify data,” Patussi explains.

“Many extensions require access to all URLs and other sensitive permissions, demonstrating a disregard for the principle of least privilege, which mandates minimal permissions.”

Over half of the extensions (53) also ask for another dangerous permission to access the “tabs” API. This permission enables reading and modifying browser tabs, including content and URLs. It reveals sensitive information about a user's browsing habits, which attackers could use to hijack sessions and for phishing, clickjacking, and other attacks.

Forty-three extensions want permission to add custom right-click menu options. While useful in most cases, attackers abuse this feature for misleading UI, phishing, ad injection, etc.

The “alarms” permission, used by 39 extensions, is considered low-risk. However, it can be both dangerous and annoying. It’s used for scheduling, wanted and unwanted notifications, and running code at specific times. It can be abused for tracking by sending tracking data, pinging the server regularly, and triggering scripts. Similarly, 22 extensions request the “notifications” permission.

“Many tools request a combination of permissions to offer legitimate functionality. However, extensions often overreach when they ask for permissions that aren’t necessary for their core features, putting user privacy and security at risk,” Patussi warns.

“A screen recorder or a doodling extension may be useful sometimes, but they also come with dangerous combinations of requested permissions.”

More than a third (36) of analyzed extensions also use the “activeTab” permission. This permission grants access to the current tab when a user interacts with it and can read or modify tab content when triggered.

Thirty-five extensions want “unlimitedStorage,” which is self-explanatory. Twenty-seven extensions use “offscreen” permission, which enables powerful background functionalities.

A quarter of extensions (25) have "cookies" permission to access, modify, and delete cookies in the browser. Hackers could exploit this to steal credentials, perform affiliate fraud, and other schemes.

Another powerful and risky permission, “declarativeNetRequest,” enables attackers to intercept, redirect, or modify network traffic. Seventeen extensions require access to this API. If misused, this permission could lead to unauthorized data collection, phishing attacks, or injection of malicious scripts.

With the latest Manifest version (V3), Google restrained the previously very dangerous webRequest permission. However, the 20 extensions that declared it can inspect or modify web requests, which could lead to blocking or altering your browsing experience.

Many extensions also use other high-risk functionality and corresponding permissions such as downloads (9), history (6), tabCapture (5), browsingData (4), nativeMessaging (3), userScripts (1), and privacy (1).

Cybernews researchers discovered that 100 extensions declared 230 high-risk permissions, 294 medium-risk permissions, and 114 low-risk permissions.

Two extensions vanished

While conducting our research, which started in February, Google removed two of the analyzed Chrome extensions.

One of them, Nimble Capture, had over a million installs and was used to capture, edit, and share screenshots and screen videos. It was popular in Japan, and many users posted complaints about its disappearance on social media.

One user also shared a Chrome alert about the extension containing malware.

Cybernews tried to reach out to the developers of Nimble Capture to no avail.

Another extension that disappeared during analysis was “refoorest.” It claimed that users “plant trees while browsing.” Another security researcher previously warned in their blog palant.info that this extension was opening affiliate links without user consent, generating commissions from purchases.

Many popular extensions have been found to contain malicious intent in the past. Some notable examples include “The Great Suspender,” which was used to suspend inactive tabs but changed hands and was secretly updated with malicious code. Also, “Hover Zoom” and “FairShare Unlock” were found stealing browsing history.

Users have limited control compared to apps: here’s what you can do

Cybernews researchers warn that Chrome extension permissions are critical, defining what the add-on can access and control within the browser and system.

Therefore, ensuring they come from reputable developers is essential, and you should review the extensions regularly.

“In a mobile app, you get permission requests individually, accompanied by a clear explanation. However, Chrome extensions request multiple permissions simultaneously upon installation, often without adequate explanation,” Patussi warns.

“This practice makes it challenging to assess the huge risk properly.”

Real-world cases demonstrate that malicious extensions exploit permissions to track users, inject fraudulent ads, steal affiliate links, and exfiltrate user information.

They can collect browsing history, cookies, clipboard content, download files, modify web pages, and communicate with external servers, effectively turning them into malware. Even extensions that ask for one or two permissions can be dangerous.

“Extensions you install on one computer will sync with Chrome on your work computer if they share the same Google account,” the researcher cautions.

“An extension your kid adds to Chrome can lead to hackers infiltrating your business environments and deploying ransomware.”

Stay cautious:

  • Always review all the permissions before installation.
  • Be especially wary of permissions that grant access to running code, browsing data, file systems, and communication tools.
  • Check if the developer is reputable. Also, ensure that there’s a privacy policy and that it clearly states what data the extension collects. Are you comfortable with it?
  • Limit your extension use as much as possible.
  • Periodically audit your installed extensions and remove those you no longer need.
  • Use a capable EDR/antivirus solution with a web protection/URL filtering solution.

“A general rule of thumb is to not use Chrome extensions for tasks that could be completed in other ways. For example, you can make PDFs with almost all Office applications, so why would you need a PDF converter extension? You don’t need a QR code scanner extension if you always have a phone nearby,” Patussi concludes.