Unchecked browser extensions could be opening you up to attacks — what you need to know and how to stay safe
Browser extensions are great for customization but come with certain risks

Extensions are an often crucial addition to your browser that let you get more functionality out of the software you use to surf the web, whether that’s customizing certain features or adding useful tools.
For example, Dark Reader is an essential extension for me that forces dark mode for websites that don’t have one built in. Since I have chronic migraines and light sensitivity, it acts as an accessibility tool rather than just a preference.
However, not all extensions are created equal and some carry real risks. So the next time you’re searching through browser extensions, make sure you’re aware of the negative effects they could potentially have on your devices and with your data.
Malware and compromised extensions
Browser extensions can expose you to malware in multiple ways. First off, there are malicious browser extensions, which are meant to inject malware onto your system once installed.
For example, some malicious extensions install a trojan on your computer, which then executes scripts designed to target your Windows registry. This means that even if you uninstall the extension, the malware can remain on your system.
There are also malicious browser extensions that expose you to malvertising, steal account credentials, or use your system resources for crypto-mining.
In a post on the Google Security Blog, the search giant's security researchers said that in 2024, less than 1% of all installs from the Chrome Web Store included malware. However, this still translates to millions of impacted users.
Still, there are also times where legitimate extensions are hijacked by cybercriminals to launch phishing attacks or to steal data. For example, hackers compromised over 16 Chrome browser extensions in a campaign that was discovered back in December of last year. Likewise, even more compromised Chrome extensions were discovered in February of this year.
Data collection
In order to work, browser extensions need to access a range of permissions. Some permissions, however, allow these extensions to access a vast amount of data and sensitive information.
A study by the Georgia Institute of Technology found that thousands of browser extensions pose a significant privacy risk to users due to pervasive data collection. The study discovered that certain extensions accessed details such as a user’s name, email address, location, credit card, or physical address. Some of these extensions also did not detail the extent of data collection in their privacy policies.
Even though some permissions are required for certain browser extensions to function, this can still pose a risk to your privacy. If malicious actors hijack the extension, or breach the services where this data is stored, it can be used to target you with scams. So it’s best to assess whether the functionality of an extension is worth the potential privacy impact.
Performance issues
While most of us attribute slow performance in our browser to having too many tabs open, it turns out that browser extensions can also play a role.
Extensions can slow down your browser while running code. In isolation, a website may only lag by a few seconds. For example, if you’re using a coupon extension, it may slow down a page’s responsiveness when you visit a shopping site.
The real problem comes in when you are running multiple extensions that have an impact on performance. This can significantly slow down your browser’s performance when loading pages.
The impact on performance will depend on when the extension runs its code (before or after a page loads), how many extensions are running at the same time, and whether these extensions need to pull data from another source.
That said, some browser extensions can actually speed up page load times by blocking ads on websites.
What can you do to protect yourself?
Given the substantial risks that come with installing browser extensions, what can you do to protect yourself?
When it comes to cybersecurity, make sure that you only download browser extensions from trusted sources, like the browser’s official extension store. Make sure to check the reviews of different extensions to see if users flag any issues or suspicious activity. This won’t completely eliminate the possibility of malicious or compromised browser extensions, but it does mitigate the risk.
At the same time, don’t grant an extension more permissions than necessary. You can adjust the settings for your extensions to exclude certain websites or disable the extension completely when you’re not using it. Make sure to also check the extension’s web store listing to see what information it gains access to if you do decide to install it.
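The permission check described above can also be run against an extension's manifest.json, the file where Chrome-style extensions declare what they can access. The following is an added example, not part of the original article: the sample manifests are constructed, and the list of permissions treated as sensitive is an assumption chosen for illustration.

```python
import json

# Constructed sample manifests (not real extensions); the keys follow the
# Chrome extension manifest format (Manifest V2 and V3).
SAMPLE_MANIFESTS = {
    "dark-theme-helper": json.dumps({
        "manifest_version": 3,
        "permissions": ["storage", "activeTab"]}),
    "coupon-finder": json.dumps({
        "manifest_version": 3,
        "permissions": ["cookies", "webRequest", "tabs"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}),
    "legacy-toolbar": json.dumps({
        "manifest_version": 2,
        "permissions": ["history", "https://*.example.com/*"]}),
}

# Assumption: API permissions treated as sensitive for this audit.
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest", "clipboardRead",
                  "nativeMessaging", "debugger", "management", "downloads"}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(value):
    # Manifest V2 mixes host patterns into "permissions"; tell them apart.
    return value == "<all_urls>" or "://" in value


def audit_manifest(manifest_text):
    """Return (sensitive_apis, broad_hosts, scoped_hosts) for one manifest."""
    m = json.loads(manifest_text)
    declared = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    for script in m.get("content_scripts", []):
        declared += script.get("matches", [])
    declared = [d for d in declared if isinstance(d, str)]
    hosts = {d for d in declared if is_host_pattern(d)}
    apis = {d for d in declared if not is_host_pattern(d)}
    return (sorted(apis & SENSITIVE_APIS), sorted(hosts & BROAD_HOSTS),
            sorted(hosts - BROAD_HOSTS))


if __name__ == "__main__":
    for name, text in SAMPLE_MANIFESTS.items():
        apis, broad, scoped = audit_manifest(text)
        verdict = "REVIEW" if apis and broad else "ok"
        print(f"{verdict:6} {name}: apis={apis} all-sites={broad} scoped={scoped}")
```

An extension that combines all-site access with a sensitive API is the one to weigh most carefully against the functionality it provides.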
Finally, you can limit the number of extensions you use with your browser. This is easier to do with browsers that have a significant level of customization. For example, on Opera I can force dark mode on pages as one of the built-in features of the browser. This would eliminate my need to rely on Dark Reader for the same purpose.
While I test certain browser extensions for work, I also make sure to delete them when I’m done with them. Over the years, I’ve significantly reduced the number of extensions I use, especially if they access sensitive content on a website. If you are no longer using an extension, it’s best to get rid of it.
There’s no denying that browser extensions play an important role in the way we use the web. Unless you find a browser that supports all the features you need, you’ll likely need to rely on a few extensions for your own daily use. However, you can reduce the risk that these extensions will negatively affect you by downloading from official sources, checking user reviews, managing extension permissions and sites, and only installing what you really need.
Megan Ellis is a freelance technology journalist who specializes in Windows, entertainment, social media, Android, and gaming. She has been writing about consumer tech since 2017 and tries to make devices and platforms easy to understand for those who read her work. When she’s not writing, she’s enjoying streaming services, herding two cats, browsing Reddit, or playing the latest indie game.