
Browser Extensions Are a Bigger Security Risk Than You Think

Hassanain

I want to talk about something that flies under the radar for most Mac users: browser extensions.

We all have them. An ad blocker, a password manager, maybe a coupon finder or a dark mode toggle. They feel harmless. They sit quietly in your toolbar, doing their thing. But the truth is, browser extensions have some of the broadest access to your personal data of anything running on your Mac, and most people never think twice about what they've installed.

Privacy on Mac is tricky because Apple markets heavily on privacy, and they genuinely do some things really well, but there are still gaps. One of the biggest gaps is that macOS has no meaningful oversight over what your browser extensions are doing: the TCC prompts you click through for Camera, Microphone or Downloads are granted to the browser as a whole, and every extension running inside it inherits whatever the browser was granted. Safari has gotten stricter, sure, but Chrome extensions? They operate in their own world, with their own permission model, and it is remarkably easy for a trusted extension to go rogue.

What Permissions Browser Extensions Actually Have

When you install a Chrome extension and it asks for permission to "Read and change all your data on all websites," that is not an exaggeration. Here is what that actually means:

  • Read every page you visit. The full HTML content of every webpage, including your email inbox, bank statements, medical records, anything you view in a browser tab.
  • Modify page content. The extension can inject JavaScript and CSS into any page. It can change what you see, add invisible elements, or redirect form submissions.
  • Access cookies and session tokens. With the cookies permission an extension can read every cookie for the hosts it has access to, HttpOnly ones included, because the chrome.cookies API sits outside the page rather than in it. That is enough to replay your authenticated session. No password needed. If you are logged into Gmail, your extension can be logged into Gmail too.
  • Monitor all network requests. With the webRequest permission an extension sees every request and response header on the hosts it has access to, before the request reaches the server. In Manifest V3, blocking or rewriting a request in flight (webRequestBlocking) is reserved for enterprise-policy-installed extensions; everyone else gets declarativeNetRequest, which can still block, redirect and rewrite headers by rule.
  • Access clipboard data, storage, and browsing history. Depending on the permissions granted (clipboardRead, storage, history, tabs), extensions can read what you have copied, store persistent data, see everywhere you have been, and watch which tab you have open right now.
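To make those permission strings concrete, here is an added example (not code from the original post, and not part of CoreLock): a small scorer that takes a parsed extension manifest.json and maps each permission to what it lets the extension do. The severity labels are the editor's own ranking, not a Google classification, and the two sample manifests at the bottom are constructed for illustration. It handles both Manifest V2 (host patterns mixed into `permissions`) and V3 (`host_permissions` split out), which is the same distinction you see when you click "Details" on chrome://extensions.

```javascript
// Added example: scores a Chrome extension manifest by what its permissions
// allow. Severity ranking is the editor's judgement, not an official scheme.

// Match patterns that Chrome treats as "all websites".
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permission -> [severity, what it actually lets the extension do].
const API_RISK = {
  activeTab:             ["low",    "current tab only, and only after you click the extension; the safe alternative to <all_urls>"],
  cookies:               ["high",   "read/modify cookies, including HttpOnly session tokens, on granted hosts"],
  webRequest:            ["medium", "observe every request and response header on granted hosts"],
  webRequestBlocking:    ["high",   "block or rewrite requests in flight (MV3: policy-installed extensions only)"],
  declarativeNetRequest: ["medium", "block, redirect or rewrite headers by rule"],
  scripting:             ["high",   "inject JavaScript/CSS into granted hosts on demand"],
  tabs:                  ["medium", "see the URL and title of every open tab"],
  history:               ["medium", "read the full browsing history"],
  clipboardRead:         ["medium", "read whatever you last copied"],
  nativeMessaging:       ["high",   "talk to a native helper process outside the browser"],
  debugger:              ["high",   "attach the DevTools protocol to any tab"],
  proxy:                 ["high",   "route all browser traffic through a server it chooses"],
  management:            ["medium", "enumerate, enable or disable other extensions"],
};

function isAllSites(pattern) {
  return ALL_SITES.has(pattern);
}

// Returns findings as { severity, item, why } objects.
function scoreManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 mixed host patterns into `permissions`; MV3 moved them to `host_permissions`.
  const hosts = manifest.manifest_version >= 3
    ? (manifest.host_permissions || [])
    : perms.filter((p) => p.includes("://") || p === "<all_urls>");

  if (hosts.some(isAllSites)) {
    findings.push({ severity: "high", item: "<all_urls>",
      why: "APIs reach every page you visit: mail, banking, medical records" });
  } else {
    for (const h of hosts) {
      findings.push({ severity: "low", item: h, why: "host access limited to this pattern" });
    }
  }

  // Statically declared content scripts run on every matching page load.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllSites)) {
      findings.push({ severity: "high", item: "content_scripts on <all_urls>",
        why: "runs on every page load and can read or rewrite the DOM, including form submissions" });
    }
  }

  for (const p of perms) {
    if (API_RISK[p]) {
      const [severity, why] = API_RISK[p];
      findings.push({ severity, item: p, why });
    }
  }
  return findings;
}

// Collapses a findings list to its single worst severity ("none" if empty).
function worstSeverity(findings) {
  const order = ["low", "medium", "high"];
  return findings.reduce(
    (acc, f) => (order.indexOf(f.severity) > order.indexOf(acc) ? f.severity : acc), "none");
}

// Constructed sample manifests (not real extensions): a "coupon finder" that asks
// for everything, and a dark-mode toggle that only needs the active tab.
const SAMPLE_COUPON_FINDER = {
  manifest_version: 3, name: "Coupon Finder",
  permissions: ["cookies", "scripting", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
};
const SAMPLE_DARK_MODE = {
  manifest_version: 3, name: "Dark Mode Toggle",
  permissions: ["activeTab", "storage"],
};

for (const m of [SAMPLE_COUPON_FINDER, SAMPLE_DARK_MODE]) {
  const f = scoreManifest(m);
  console.log(`${m.name}: ${worstSeverity(f)}`);
  for (const x of f) console.log(`  [${x.severity}] ${x.item}: ${x.why}`);
}
```

The point the scorer makes is the one the list above makes in prose: a coupon finder with `<all_urls>` plus `cookies` and `scripting` has the same reach as the malicious extensions described later on this page, while a utility that only asks for `activeTab` cannot touch a page until you click it.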

The kicker: all of this happens inside the browser process, and the stolen data leaves over ordinary HTTPS connections. From the outside, there is no file copy, no USB activity, no suspicious outbound email, just Chrome talking to yet another web server, which is exactly what Chrome is supposed to do. Traditional security tools often cannot tell the difference. The extension is just doing what extensions do, except it is doing it for someone else.

This is a fundamentally different threat model than a regular app on your Mac. A native app has to pass Gatekeeper and notarization, runs in the App Sandbox if it ships through the App Store, and has to prompt you through TCC before it can read your Contacts, Photos or Documents. A Chrome extension just needs you to click "Add to Chrome."

How Extensions Get Compromised

Here is where it gets really concerning. You do not need to install a sketchy extension to be at risk. The extension you installed years ago, the one with great reviews and millions of users, can become malicious overnight. There are three main ways this happens:

1. The Developer Sells the Extension

This is more common than you would think. A solo developer builds a useful extension, grows it to hundreds of thousands of users, and then gets an offer to "acquire" it. The new owner pushes an update with tracking code, ad injection, or outright data exfiltration. You never notice because the extension still works the same way on the surface.

2. Supply Chain Attacks

An attacker compromises the developer's account or build pipeline and pushes a malicious update through the official Chrome Web Store. From the user's perspective, it is just a routine update. In December 2025, Trust Wallet's Chrome extension was hit with exactly this kind of attack. An attacker got hold of a leaked Chrome Web Store API key, bypassed Trust Wallet's internal release process, and distributed a malicious version 2.68 that silently exfiltrated users' seed phrases. The result: roughly $8.5 million in stolen cryptocurrency.

3. Sleeper Extensions

This is the most insidious pattern. Extensions behave perfectly normally for months or even years, building up millions of installs and earning "Featured" or "Verified" badges in the Chrome Web Store. Then, one day, a silent update flips the switch. In late 2025, Malwarebytes researchers discovered a network of "sleeper" extensions that had been dormant for up to seven years before activating as spyware across 4.3 million Chrome and Edge installations. The extensions deployed browser hijacking mechanisms that captured every URL visited, sent browsing data to remote servers, and could redirect users to phishing sites on command.

Real Incidents That Should Worry You

These are not hypothetical scenarios. Here is what has actually happened in just the last few months:

The AI Extension Heist (January 2026). Two Chrome extensions masquerading as AI tools, "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude and more," were caught stealing ChatGPT and DeepSeek conversations alongside general browsing data. Together, they had over 900,000 downloads. People were literally feeding sensitive business prompts into ChatGPT while an extension silently forwarded every conversation to an attacker's server.

The Stanley Toolkit (January 2026). Security researchers at Varonis uncovered "Stanley," a Russian malware toolkit sold for $2,000 to $6,000 that comes with a turnkey website-spoofing operation disguised as a Chrome extension. The premium tier explicitly promises guaranteed publication on the Chrome Web Store, meaning it passes Google's moderation. This is malware-as-a-service, sold with a Chrome Web Store guarantee.

Mass Data Theft Campaign (February 2026). Researchers identified over 300 malicious Chrome extensions with a combined 37.4 million users. Approximately 153 of those extensions were confirmed to be leaking complete browsing history the moment they were installed. Business emails, browsing data, and authenticated sessions were all being siphoned.

Crypto Users Are Especially At Risk

If you use browser-based crypto wallets like MetaMask, you should be particularly concerned. Extension-based infostealers specifically target cryptocurrency wallets because the payoff is immediate and irreversible. A malicious extension can:

  • Capture your seed phrase or private key the moment you type or paste it into a web page. (A third-party extension cannot reach inside another extension's own pages, but a compromised wallet extension, as in the Trust Wallet case, reads its own storage directly.)
  • Modify transaction details on a dApp page so you send funds to the attacker's address instead
  • Steal session tokens from DeFi platforms
  • Overlay fake transaction confirmations

The Trust Wallet supply chain attack I mentioned earlier resulted in millions of dollars in Bitcoin, Ethereum, and Solana stolen from users who did nothing wrong except have the extension installed when the malicious update dropped.

How to Audit Your Extensions Right Now

Here is a practical walkthrough for each browser. Do this today.

Chrome

  1. Navigate to chrome://extensions/ in your address bar.
  2. Review every extension installed. If you do not recognize it or have not used it in months, remove it.
  3. Click "Details" on each remaining extension and review its permissions. If a simple utility has "Read and change all your data on all websites," ask yourself if that is really necessary.
  4. Disable "Allow in Incognito" for everything except your password manager.
  5. Check for extensions you did not install. Enterprise policies or bundled software can sneak them in. A force-installed extension is marked as managed on chrome://extensions and cannot be removed there; chrome://policy shows the ExtensionInstallForcelist entries that put it there.

Safari

  1. Open Safari, then go to Settings (Cmd + comma) and click the Extensions tab.
  2. Review each extension. Safari extensions now come through the App Store, which adds a layer of review, but it is not foolproof.
  3. Uncheck any extension you do not actively use.
  4. Pay attention to "Allow on All Websites" vs. specific site access. Limit access wherever possible.

Firefox

  1. Navigate to about:addons in your address bar.
  2. Click on each extension and review its permissions.
  3. Firefox has a useful "Permissions" tab that clearly shows what each extension can access. Use it.
  4. Remove anything you do not need.

Best Practices Going Forward

Based on everything I have seen, here is what I recommend:

Minimize aggressively. Every extension is an attack surface. If you can accomplish the same thing with a bookmark, a native app, or a browser setting, do that instead. I try to keep my extension count under five.

Use browser profiles. Chrome and Firefox both support profiles, and Safari 17 and later has them too, with extensions enabled per profile. Use a dedicated profile for sensitive activities like banking and crypto, with zero extensions installed except your password manager. Your main profile can have your convenience extensions. This way, a compromised coupon extension cannot read your bank session.

Review permissions after every update. Extensions can request new permissions through updates. Chrome disables an updated extension and asks you to re-approve it only when the new permission set carries a warning it did not carry before (going from a single site to "all websites" does that); an added permission that does not change the warning text slips through silently. Make a habit of checking quarterly.

Prefer Safari for sensitive browsing. Apple's extension review process is stricter, and Safari extensions have more limited APIs by design. It is not perfect, but the attack surface is meaningfully smaller than Chrome. This is one area where Apple's restrictive approach genuinely helps.

Be skeptical of new AI extensions. The wave of AI-powered extensions is a goldmine for attackers. If an extension promises to "enhance" ChatGPT, Claude, or any other AI tool, be extremely cautious. The legitimate AI platforms already have web interfaces that work fine without extensions.

Check extension ownership changes. If an extension you use suddenly has a different developer name or company listed, that is a red flag. The extension may have been sold.
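The two habits above, checking permissions after updates and watching for ownership changes, are easier to keep if you record a baseline and diff against it. The following is an added example (not code from the original post, and not part of CoreLock): it snapshots the extensions in a Chrome profile from their manifest.json files on disk and reports, between two snapshots, any version bump that added permissions, any change in the manifest's author/homepage_url/update_url fields, and any extension that appeared or disappeared. The profile path is the macOS default for Chrome and is an assumption (Edge and Brave use their own directories); the "before" and "after" manifests at the bottom are constructed to show one extension turning hostile after an update. Note that the developer name shown on the Web Store listing is not in the manifest, so the ownership check only catches the cases where the new owner also changed those fields.

```javascript
// Added example: snapshot installed Chrome extensions and diff snapshots to
// catch silent updates that add permissions or change ownership fields.

// macOS default Chrome profile; an assumption, adjust for other browsers/profiles.
const DEFAULT_EXT_DIR = "~/Library/Application Support/Google/Chrome/Default/Extensions";

// Pure: reduces a parsed manifest to the fields worth tracking over time.
function summarize(id, manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
  return {
    id,
    name: manifest.name, // may read "__MSG_appName__" for localized extensions
    version: manifest.version,
    permissions: [...perms].sort(),
    owner: [manifest.author, manifest.homepage_url, manifest.update_url]
      .map((x) => x || "").join(" | "),
  };
}

// Pure: compares two snapshots (arrays of summarize() results) keyed by extension id.
function diffSnapshots(before, after) {
  const alerts = [];
  const prev = new Map(before.map((e) => [e.id, e]));
  for (const cur of after) {
    const old = prev.get(cur.id);
    if (!old) {
      alerts.push(`${cur.id}: NEW extension "${cur.name}" (confirm you installed it)`);
      continue;
    }
    const added = cur.permissions.filter((p) => !old.permissions.includes(p));
    if (added.length) {
      alerts.push(`${cur.id}: v${old.version} -> v${cur.version} added permissions: ${added.join(", ")}`);
    }
    if (old.owner !== cur.owner) {
      alerts.push(`${cur.id}: author/homepage_url/update_url changed (possible ownership transfer)`);
    }
    prev.delete(cur.id);
  }
  for (const gone of prev.values()) alerts.push(`${gone.id}: removed`);
  return alerts;
}

// Filesystem scan. Only runs with --scan, so the pure functions above work offline.
function scanChromeExtensions(dir = DEFAULT_EXT_DIR) {
  const fs = require("fs"), path = require("path"), os = require("os");
  const root = dir.replace(/^~/, os.homedir());
  const out = [];
  for (const id of fs.readdirSync(root)) {
    const idDir = path.join(root, id);
    if (!fs.statSync(idDir).isDirectory()) continue;
    // Chrome keeps one folder per installed version, named like "2.68.0_0".
    for (const ver of fs.readdirSync(idDir)) {
      const mf = path.join(idDir, ver, "manifest.json");
      if (fs.existsSync(mf)) out.push(summarize(id, JSON.parse(fs.readFileSync(mf, "utf8"))));
    }
  }
  return out;
}

// Constructed sample (not a real extension): the same id before and after a hostile update.
const SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop";
const BEFORE = [summarize(SAMPLE_ID, {
  manifest_version: 3, name: "Coupon Finder", version: "1.4.2",
  permissions: ["storage", "activeTab"], homepage_url: "https://example.com/coupons",
})];
const AFTER = [summarize(SAMPLE_ID, {
  manifest_version: 3, name: "Coupon Finder", version: "1.5.0",
  permissions: ["storage", "cookies", "scripting"], host_permissions: ["<all_urls>"],
  homepage_url: "https://example.net/acquired",
})];

const args = process.argv.slice(2);
if (args[0] === "--scan") {
  // node audit.js --scan > snapshot-$(date +%F).json
  console.log(JSON.stringify(scanChromeExtensions(), null, 2));
} else if (args[0] === "--diff") {
  // node audit.js --diff old.json new.json
  const fs = require("fs");
  const load = (f) => JSON.parse(fs.readFileSync(f, "utf8"));
  console.log(diffSnapshots(load(args[1]), load(args[2])).join("\n"));
} else {
  console.log(diffSnapshots(BEFORE, AFTER).join("\n"));
}
```

Run it with `--scan` once a quarter, keep the JSON, and feed two snapshots to `--diff`. On the constructed sample it reports that version 1.5.0 added `<all_urls>`, `cookies` and `scripting`, and that the homepage changed, which is exactly the combination of a silent update and an ownership transfer the section above warns about.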

What CoreLock Does About This

One of the things we built into CoreLock is the ability to detect anomalous browser behavior at the system level. While CoreLock does not inspect inside your browser (that would be its own privacy issue), it monitors for the kinds of suspicious patterns that malicious extensions produce: unexpected network connections, unusual process behavior, and data exfiltration patterns that are invisible from within the browser itself.

Think of it as a layer of defense that watches what your browser is doing from the outside, the same way you might notice someone acting strangely even if you cannot hear what they are saying. If a compromised extension starts phoning home to a suspicious server or behaving in ways that do not match normal browsing, CoreLock flags it.

Combined with the permission monitoring and process-level visibility CoreLock provides, you get a much more complete picture of what is actually happening on your Mac, not just what apps tell you they are doing.

The Bigger Picture

Browser extensions represent one of the largest unmonitored attack surfaces on modern Macs. Apple has locked down a lot of macOS security, but your browser is essentially running its own operating system with its own permission model, and most of what happens inside it, including data leaving your machine, gets no meaningful oversight.

The fix is not to stop using extensions entirely. Some, like password managers and ad blockers, genuinely improve your security. The fix is to treat extensions with the same scrutiny you would give any other software that has full access to your digital life. Because that is exactly what they have.

Take ten minutes today. Open your extensions page. Remove what you do not need. Check the permissions on what you keep. It is one of the highest-impact things you can do for your privacy, and it costs nothing.

Download CoreLock to add system-level visibility to your Mac's security and catch what your browser cannot see.
