A spyware browser extension rarely looks like a threat. You install a free PDF converter, a coupon finder, or a grammar checker, then forget it exists. Months later that same extension may be reading every page you open, capturing form fields, and quietly sending your browsing history to a data broker you have never heard of. The most dangerous extension on your machine is almost always one you stopped thinking about.
I run this audit on my own laptops every couple of months, and it has never taken longer than a coffee break. Security researchers keep finding popular extensions with millions of users harvesting data and selling it on, so a quick review is cheap insurance against a gap you did not know was open.
Quick Answer
Open your browser’s extension manager (chrome://extensions in Chrome, about:addons in Firefox, edge://extensions in Edge), then review each extension’s permissions. Remove anything you do not recognise, anything requesting access to all websites, and any extension not updated in over a year. Keep only what you actively use.
Why Are Browser Extensions a Security Risk?
Installing an extension grants it real permissions, sometimes sweeping ones. An extension with “read and change all your data on all websites” can reach your banking pages, email inbox, and login forms. Those permissions persist silently too: a legitimate tool can be sold to an untrustworthy company and pushed a new update full of data-collection code without ever alerting you.
An extension’s permissions, not its install count, decide how much damage it can do.
What Do Extension Permissions Actually Mean?
| Permission | What the Extension Can Do |
|---|---|
| Read browsing history | See every URL you visit |
| Read and change all site data | Access forms, passwords, and banking pages |
| Read clipboard | Capture anything you copy, including passwords |
| Manage downloads | Save or block files on your device |
| Access tabs | Monitor which websites are open at any moment |
How Do I Audit My Extensions in Chrome?
Chrome commands the majority of desktop browser usage, which makes it the most targeted platform for malicious extensions. It is also where I start every audit.
Step 1: Open the Extension Manager
Type chrome://extensions in the address bar and press Enter. Every installed extension appears here, including the ones you added months ago and forgot. The first time I did this I found three I could not even name.
Step 2: Review Permissions
Click Details under each extension, then scroll to the Permissions section. An extension that only reads the active tab is far less risky than one demanding access to all your data on all websites.
Step 3: Remove What You Do Not Use
Click Remove for anything you cannot account for. If you are unsure about a specific extension, search its name plus the word “security” to check for reported problems before deciding. Chrome also shows a “Last used” date under each one; anything idle for 30 days is a safe removal target, since reinstalling from the Chrome Web Store takes under a minute if you change your mind.
In Chrome, Details then Permissions tells you in seconds whether an extension can read everything you type.
How Do I Check Extensions in Firefox, Edge, and Safari?
The navigation paths differ slightly, but the goal is identical: open the manager, check permissions, remove the unused.
- Firefox: Go to
about:addons, click the three-dot menu next to any extension, and choose Permissions to review or Remove to uninstall. - Edge: Go to
edge://extensions, click Details, and check “Access to websites.” Avoid extensions set to On all sites unless the task clearly demands it. - Safari (Mac): Open Safari, then Settings, then Extensions. Safari enforces stricter limits by default, but unused extensions still deserve a removal pass.
If removing an extension breaks a website feature you rely on, reinstall it only from the official browser store, never from a third-party download page, which is a common route for distributing compromised versions. For safe-browsing habits that complement this audit, see my guide on how to check if a website is actually safe before entering any personal details.
Every major browser exposes the same two facts: what an extension can access, and whether you still use it.
What Are the Red Flags of a Spyware Extension?
- Permissions do not match the task. A dark-mode extension has no legitimate reason to read your clipboard or full browsing history.
- No recent updates. Abandoned extensions get no security patches, yet they keep running with full permissions indefinitely.
- Unknown or impersonating developer. Malicious extensions often clone the icon and name of a trusted tool. Verify the publisher on the official store listing before installing.
- Alarming one-star reviews. Filter reviews by one star and look for phrases like “started redirecting searches” or “injecting ads.” Problems usually surface in reviews before any takedown happens.
Google’s documentation on extension permission warnings explains exactly what each install prompt means, and it is worth reading once before your next install. While you are auditing, it is also a good moment to move your logins into a dedicated password manager like Bitwarden, since a rogue extension with broad permissions can read browser-saved passwords as you type.
When the permissions outweigh the job an extension does, treat that mismatch as the warning itself.
Common Mistakes to Avoid
- Installing from outside the official store. Third-party sites often bundle extensions with hidden malware. Fix: always use the Chrome Web Store, Firefox Add-ons, or Microsoft Edge Add-ons.
- Accepting every permission prompt without reading it. Excessive permissions for a simple task are a clear red flag. Fix: spend 15 seconds reading the list before clicking Add to Chrome.
- Forgetting that extensions sync across devices. Chrome extensions linked to your Google account appear on every signed-in device automatically. Fix: check the extension list on each device separately after any audit.
- Keeping “just in case” extensions. Every idle extension is an active attack surface with nothing to show for it. Fix: remove it now, since reinstalling from the official store takes seconds.
- Assuming a high install count means it is safe. Several extensions with tens of millions of users have been caught harvesting data. Fix: check the developer’s privacy policy and recent reviews, not just the star rating.
Frequently Asked Questions
Can a browser extension steal my passwords?
Yes. An extension with “read and change all your data on websites” permission can capture passwords typed into login forms before they ever leave your browser. I once removed a “free coupon” extension that held exactly that permission despite having no reason to touch a login field.
Are extensions disabled in private or incognito mode?
By default, yes. In Chrome extensions are off in Incognito unless you enable them. When I checked mine, two had “Allow in Incognito” switched on from a setup I had forgotten, which I turned off in chrome://extensions under each extension’s detail panel.
How often should I audit my extensions?
Every one to three months is a sensible rhythm. I tie mine to the start of each season, and I also do a quick pass whenever a browser update drops me into the Extensions menu anyway.
Is there an automated tool that detects bad extensions?
Some security suites flag suspicious extensions, but manual review stays the most reliable approach. When I tested a third-party “extension scanner,” it wanted broad permissions of its own, so I deleted it and went back to the browser’s built-in manager, which lists every active extension already.
Should I use a VPN as well as auditing extensions?
They solve different problems, so use both. A clean extension list stops local snooping, while a VPN encrypts your traffic in transit; my VPN setup guide explains what a VPN does and does not protect.
Conclusion
Keeping your extension list short and intentional is one of the simplest high-impact security moves any browser user can make. Check permissions before every install, revisit the list every few months, and remove anything you cannot account for.
Once your browser is clean, finish the checkup by reviewing unknown logins on your Google, Microsoft, and Apple accounts to close the most common account-level gaps in one sitting.