I Audited Every Browser Extension I Had Installed: 14 of Them Had No Business Being There

By Alex Chen · 4 min read

Last Thursday evening, around 9 PM, I was reading an article about a Chrome extension that got caught selling user browsing data. Pretty standard cybersecurity news, right? Except I scrolled up to my toolbar and counted my own extensions.

Twenty-three. I had twenty-three browser extensions installed.

I am supposed to be the security guy. The person who tells other people to be careful online. And I had not reviewed my own extensions in over a year. Classic do-as-I-say-not-as-I-do moment.

So I spent my Saturday doing a full audit. The results were... uncomfortable.

The Audit Process (Steal This)

Before I share the carnage, here is exactly how I reviewed each extension. You should do this too; it takes about 45 minutes for 20 extensions:

  1. Check permissions: Go to chrome://extensions, click "Details" on each one. Read what it can access.
  2. Check last update: Extensions not updated in 12+ months are a red flag. Abandoned extensions get sold to shady companies.
  3. Check the developer: Google them. Do they have a website? A real company? Or is it "ChromeToolz LLC" registered in the Cayman Islands?
  4. Read recent reviews: Sort by newest. Look for complaints about new ads, weird behavior, or ownership changes.
  5. Ask yourself: Do I actually use this? If you hesitate for more than three seconds, remove it.

The 14 Extensions I Removed (And Why)

Category 1: The "I Forgot This Existed" Group (6 extensions)

Six extensions I had not clicked in months. A color picker I used once for a design project in 2024. A tab manager I replaced with a better one. A screenshot tool that Chrome can do natively now. You know the type.

My friend Kevin, who runs an IT consultancy, calls these "digital barnacles." They attach themselves to your browser and just... stay there. Collecting data. Using memory. Doing nothing useful.

Rule of thumb: If you have not used it in 30 days, kill it. You can always reinstall.

Category 2: The "Wait, It Can Read WHAT?" Group (4 extensions)

This was the scary part. Four extensions had permissions I never should have granted:

  • A coupon finder that could read and change all data on all websites (spoiler: it needs this to show coupons, but it is also reading your banking sites, email, everything)
  • A grammar checker with access to all browsing history. Why does a grammar tool need my history?
  • A "productivity tracker" that could read clipboard data. My clipboard regularly contains passwords I am copy-pasting from my password manager. Great.
  • A weather widget with location tracking plus access to all site data. For weather. Really.

I actually felt a little sick removing that grammar checker. I had been typing passwords, financial info, and private messages for two years with that thing watching every keystroke. Was it doing anything malicious? Probably not. But "probably not" is not a security policy.
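The permission check from step 1 of the audit can be scripted across every installed extension at once. The sketch below is an added example, not the author's tooling: it reads each extension's `manifest.json` and flags the same four kinds of access described above. It assumes the on-disk layout `Extensions/<id>/<version>/manifest.json` inside the Chrome profile directory, and the sample manifests it writes are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Host patterns Chrome shows as "read and change all your data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions matching the findings described in the article.
SENSITIVE_APIS = {"history": "reads browsing history", "geolocation": "reads location",
                  "clipboardRead": "reads clipboard contents"}

def risky_permissions(manifest: dict) -> list:
    """Return sorted findings for one manifest (covers MV2 and MV3 key layouts)."""
    declared = set()
    for key in ("permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):  # page access via "matches"
        declared.update(script.get("matches", []))
    findings = [f"{api}: {why}" for api, why in SENSITIVE_APIS.items() if api in declared]
    if declared & BROAD_HOSTS:
        findings.append("all sites: can read and change data on every website")
    return sorted(findings)

def audit_extensions(extensions_dir: Path) -> dict:
    """Map extension name to findings; layout is <id>/<version>/manifest.json."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        name = manifest.get("name", "")
        if not name or name.startswith("__MSG_"):  # localized placeholder
            name = path.parent.parent.name  # fall back to the extension ID
        report[name] = risky_permissions(manifest)
    return report

def build_sample_profile(root: Path) -> Path:
    """Write constructed manifests (not real extensions) for an offline run."""
    samples = {"aaaa": {"name": "Sample Coupon Finder", "host_permissions": ["<all_urls>"]},
               "bbbb": {"name": "Sample Weather", "permissions": ["geolocation", "*://*/*"]},
               "cccc": {"name": "__MSG_name__", "permissions": ["storage"]}}
    for ext_id, manifest in samples.items():
        (root / ext_id / "1.0_0").mkdir(parents=True)
        (root / ext_id / "1.0_0" / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, found in audit_extensions(build_sample_profile(Path(tmp))).items():
            print(name, "->", found or "nothing flagged")
```

To run it against a real browser, pass the `Extensions` folder under the "Profile Path" shown at chrome://version to `audit_extensions`. An empty result only means none of these four patterns were declared; the manual review of developer, reviews and update history still applies.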

Category 3: The "Ownership Changed and I Didn’t Notice" Group (3 extensions)

This is the one nobody talks about enough. Three of my extensions had been acquired by different companies since I installed them. The original developer sold them, along with the user base, to companies I had never heard of.

When an extension changes hands, the new owner can push an update that completely changes what the extension does. Your browser auto-updates extensions by default. You would never know.

I checked the acquisition history by reading recent reviews. Multiple users had flagged new ads appearing, slower performance, and suspicious network requests. One extension that used to be a simple bookmark manager was now, according to its updated privacy policy, "collecting anonymized browsing data to improve services." Anonymized. Sure.

Category 4: The "This Is Just Chrome Now" Group (1 extension)

One extension literally duplicated a feature Chrome added natively two years ago. I am embarrassed it took me this long to notice. (It was a PDF viewer. Chrome has had a built-in PDF viewer since approximately the Jurassic period.)

The 9 I Kept

After the purge, here is what survived:

  • uBlock Origin: the only ad blocker I trust. Open source, no "acceptable ads" program, no business model that depends on advertising companies paying them off
  • Bitwarden: password manager. Open source, audited, minimal permissions
  • HTTPS Everywhere: forces encrypted connections (though honestly, this is becoming less necessary as most sites default to HTTPS now)
  • Privacy Badger: EFF-made tracker blocker. I trust the Electronic Frontier Foundation more than I trust "CouponMagic Pro"
  • Four work-related extensions from known, reputable companies with clear privacy policies
  • One developer tool I use daily

What You Should Do Right Now

I am serious: do this today. Open chrome://extensions right now. I will wait.

Here is the quick version:

  1. Count your extensions. If it is more than 10, you almost certainly have dead weight.
  2. Remove anything you don’t recognize or haven’t used in 30 days.
  3. Check permissions on everything that remains. If a coupon tool wants to read "all site data," that is a no from me.
  4. Turn off auto-update for extensions you are unsure about. Manual review before each update is annoying but safer.
  5. Set a calendar reminder to do this audit every 3 months. I clearly needed one.

The browser extension ecosystem is essentially the Wild West of software security. There is minimal vetting, permissions are overly broad by design, and the acquisition pipeline means your trusted tool can become spyware overnight without any notification.

Twenty-three extensions. Fourteen removed. And I am supposed to be the guy who knows better. If my browser was this messy, I genuinely wonder what yours looks like right now.
