How to Audit Your Browser Extensions

Most people have extensions they installed years ago and haven't thought about since. Here's how to go through them systematically and cut what shouldn't be there.


According to a February 2026 Barracuda report, 99% of employees have browser extensions installed. 52% have more than ten.

Most of those extensions were installed once, for a specific reason, and never reviewed again. Some were granted full read-and-write access to every website you visit. And some of the developers who built them have since sold the extensions to people with different intentions.

This is a walkthrough for going through them properly.


Open the extension manager

Chrome, Brave, Edge, and most Chromium browsers: type chrome://extensions in the address bar. You'll see every installed extension with its current status and a brief description.

Firefox: type about:addons. The interface is slightly different but the information is the same.

Before you start reviewing anything, enable Developer Mode. In Chrome it's a toggle in the top right of the extensions page. Turn it on. This reveals extension IDs (a long string of letters — you'll need these for looking up extensions in CRXcavator), the source paths, and in some cases the update channel.

Now go through each one methodically.


The four questions for every extension

1. Do I still use this?

Not "could I imagine using this." Do I actually open it. Extensions you installed three years ago for a specific project are still running. Still holding permissions. Still receiving every update the developer pushes. If it's not serving an active purpose, remove it.

2. Do I recognize the developer?

Click through to the extension's store page. Look at who published it. Check if the developer name matches what you remembered when you installed it. Developer transfers are the dominant attack vector right now — The Hacker News documented a March 2026 case where QuickLens was listed for sale on a broker site in October 2025, changed ownership in February 2026, and was updated with malicious code within weeks. The original functionality stayed intact. Nothing looked wrong from the outside.

ShotBird followed the same pattern in the same month. Both were previously well-regarded extensions.

3. When was it last updated?

An extension that hasn't been updated in two or three years is a risk for different reasons: the developer has likely abandoned it, which means no security patches and an eventual ownership or supply-chain issue. Check the "last updated" date on the store page.

4. Does the permission scope match what it actually does?

A dictionary lookup extension does not need access to all your data on all websites. A tab manager does not need to read your browsing history. When the permissions don't match the function, that mismatch tells you something.


The permissions that actually matter

In Chrome's extension manager, click "Details" on any extension and scroll to "Permissions." The specific language to watch:

  • "Read and change all your data on all websites" — this is the highest-risk grant. The extension can read passwords as you type them, read your banking sessions, inject code into any page. Most extensions don't need this; many request it anyway.
  • "Access your tabs" — can track which pages you have open and in what order.
  • "Read your browsing history" — explicit history access, separate from tab access.
  • "Manage your apps, extensions, and themes" — can install or modify other extensions. This one almost never has a legitimate use for consumer extensions.
  • Wide host permissions (listed as <all_urls> in the extension manifest) are functionally the same as "read all your data" — if you see this in developer mode, treat it as maximum trust granted.

The zero-trust approach to browser extensions covers the full permission taxonomy if you want to go deeper on what each grant actually allows.
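The same checks can be run offline against the manifests on disk, which is faster than clicking "Details" on each entry and also recovers the extension IDs that Developer Mode exposes. The script below is an added example, not part of the original article: it reads each `<profile>/Extensions/<id>/<version>/manifest.json` and reports the high-risk grants from the list above. The two sample manifests and their IDs are constructed, and the profile path is an assumption you must adjust to your own browser and OS.

```python
import json
from pathlib import Path
from typing import Dict, List

# Constructed sample manifests keyed by made-up extension IDs; not real store listings.
SAMPLE_MANIFESTS = {
    "abcdefghijklmnopabcdefghijklmnop": {
        "name": "Dictionary Lookup (constructed)", "version": "1.4.2",
        "manifest_version": 3, "permissions": ["storage", "activeTab"],
        "host_permissions": ["https://dictionary.example/*"],
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "name": "Tab Manager Pro (constructed)", "version": "3.0.1",
        "manifest_version": 3, "permissions": ["tabs", "history", "management"],
        "host_permissions": ["<all_urls>"],
    },
}

# Manifest permission names mapped to the wording Chrome shows under Details > Permissions.
STORE_WORDING = {
    "<all_urls>": "Read and change all your data on all websites",
    "tabs": "Access your tabs",
    "history": "Read your browsing history",
    "management": "Manage your apps, extensions, and themes",
}
# Host patterns that grant the same reach as <all_urls>.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def assess(manifest: dict) -> List[str]:
    """Return the high-risk grants in one manifest, in store wording."""
    perms = list(manifest.get("permissions", []))
    # MV2 lists host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "/" in p or p == "<all_urls>"]
    findings = []
    if any(h in BROAD_HOSTS for h in hosts):
        findings.append(STORE_WORDING["<all_urls>"])
    findings += [STORE_WORDING[p] for p in ("tabs", "history", "management") if p in perms]
    return findings


def audit_profile(ext_dir: Path) -> Dict[str, dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    results = {}
    for mf in ext_dir.glob("*/*/manifest.json"):
        manifest = json.loads(mf.read_text(encoding="utf-8"))
        # "name" may be a localisation key such as __MSG_appName__; the ID is still what CRXcavator needs.
        results[mf.parent.parent.name] = {"name": manifest.get("name"), "version": manifest.get("version"),
                                          "findings": assess(manifest)}
    return results


if __name__ == "__main__":
    # Assumed Linux path; on macOS use ~/Library/Application Support/Google/Chrome/Default/Extensions.
    for ext_id, info in audit_profile(Path.home() / ".config/google-chrome/Default/Extensions").items():
        print(ext_id, info["name"], info["version"], info["findings"] or "no high-risk grants")
```

Anything reported with "Read and change all your data on all websites" is a candidate for the "On click" or "On specific sites" restriction described later in this article.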


Use CRXcavator for extensions you're unsure about

CRXcavator scans the Chrome, Firefox, and Edge web stores and produces a risk score for each extension based on permissions, code analysis, and metadata. It's free and runs searches by extension name or ID.

Look up anything you're keeping but feel uncertain about. The risk score won't give you a definitive answer, but an extension with an unusually high score relative to its apparent functionality is worth a second look. The extension ID from Developer Mode is what you paste into the search.

The tool's limitations: it flags risk based on what it can analyze statically. An extension that's currently clean but has a history of ownership changes, or one with a sale listing on an extension broker site, won't necessarily score high until after something happens.


Categories that deserve automatic scrutiny

Coupon and cashback extensions have a history of broad permission requests that have nothing to do with finding discount codes. They need to read your shopping pages, which means they read everything on those pages — form data, session tokens, whatever's on screen.

PDF converters and file format tools are a persistent malware distribution vector. The Chrome Web Store has repeatedly had PDF-related extensions pulled for injecting ads or harvesting data.

"Productivity tools" is a category vague enough that almost anything qualifies. An extension called "Tab Manager Pro" or "New Tab Customizer" that was installed three years ago and granted all-sites access should be treated with significant skepticism.

AI assistant extensions are the current active attack vector. Fake extensions impersonating AITOPIA scraped ChatGPT and DeepSeek conversations from 900,000+ users by injecting code into AI chat interfaces. If you've installed anything that promises to "enhance" your AI assistant experience, check it carefully.


Restricting permissions without removing

Some extensions you legitimately need but don't need running on every site. Both Chrome and Firefox let you restrict host access per extension.

Chrome: Right-click the extension icon in your toolbar → "This can read and change site data" → switch from "On all sites" to "On click" or "On specific sites." The extension can only read pages when you explicitly trigger it, or only on the domains you've allowlisted.

Firefox: In about:addons, click any extension → "Permissions." You can manage the sites it has access to here.

For most utility extensions — grammar checkers, dark mode tools, currency converters — this is the right default. Ad blockers are the exception: they genuinely need all-sites access to work. Your currency converter does not.


Firefox Container Tabs as an alternative

If part of what you're using extensions for is isolating sites from each other — keeping your work logins separate from your personal logins, or keeping your shopping behavior separate from your research behavior — Firefox's Multi-Account Containers feature does this at the browser level without any third-party extension involved.

Each container has its own cookie store, so a site open in one container can't see sessions from another. It's one of the cleaner reasons to use Firefox over Chrome for privacy, and it addresses a category of problem that extensions would otherwise try to solve (with all the trust issues that come with that).

Firefox hardening in general covers Container Tabs as part of the broader setup.


After the audit

Remove everything you don't actively use. Not disable — remove. A disabled extension can still be re-enabled and still holds your data grant. If the extension isn't gone, the risk isn't gone.

For anything you're keeping: restrict permissions to the minimum that still makes it useful, and note the developer name and current version. Then check back in six months. Ownership transfers, the DarkSpectre-style campaigns that hit 8.8 million users in late 2025, the supply-chain attacks on Trust Wallet — they all worked because people installed something once and never looked again.

The browser is where most of your sensitive activity happens. Extensions run inside it with significant trust. That's worth treating seriously.

And one more thing: if you're one of those people with a saved password in the browser itself alongside a stack of extensions with all-sites access, that combination is worse than it looks. An extension with full read access can pull stored credentials from the browser's password manager. Something to factor into your audit.
