How to reduce the risk from unsafe browser extensions

Browser extensions can improve convenience, but they also introduce additional risk.

This guide explains how extensions interact with your browser and how to manage them safely.

How browser extensions normally work

Extensions add functionality by interacting with web pages and browser features.

They may read content, connect to services, or run background processes.

Browsers treat extensions differently from ordinary websites. Once installed, an extension may be allowed to observe or change parts of browsing activity in ways that normal web pages cannot. That does not automatically make extensions unsafe, but it does mean they should be treated as trusted software rather than as minor convenience tools.

For a broader explanation of how browsers handle permissions, data exposure, and security controls, see our guide on browser security and privacy.

What risks extensions introduce

Extensions can increase exposure by accessing content, interacting with sessions, or collecting data.

The level of risk depends on permissions and maintenance.

This matters because an extension may be able to see information entered into websites, interact with account sessions, or continue operating quietly in the background. In some cases, the main risk is not obvious breakage or malware, but unnecessary access that remains in place long after the extension has stopped being useful.

This type of risk often overlaps with unsafe websites and misleading pages, which may attempt to trigger permissions or downloads through normal browsing behaviour.

Why even legitimate extensions need review

Even trusted extensions can change over time.

Permissions, ownership, or behaviour may evolve, so periodic review is necessary.

An extension may be legitimate when first installed and still become a concern later. Permissions can change, ownership can change, and the extension may begin requesting broader access than before. In other cases, the extension may simply no longer be maintained properly, which can leave it behind as browsers and websites evolve.

This is similar in principle to wider software supply chain risk. Trust is not only about whether something looked legitimate when first installed. It is also about how permissions, maintenance, ownership, and connected services change over time.

Extensions can sit close to signed-in sessions

Browser extensions should be treated as trusted software because they may operate inside the same browser used for email, Microsoft 365, Google Workspace, banking, cloud storage, password managers and credential managers.

An extension with broad permissions may not be able to copy a passkey private key directly, but that is not the only risk. It may be able to read page content, interact with websites, observe browsing behaviour, or operate near signed-in sessions.

This matters because attackers increasingly target the browser environment around the account, not only the password itself. Google's Device Bound Session Credentials work is partly a response to the wider problem of session cookie theft, where attackers try to reuse an already authenticated browser session rather than defeat the original sign-in method.

DBSC can make stolen cookies less useful away from the original device, but it does not remove the need to review extensions, because extensions may still interact with pages, permissions and active browser sessions on the device itself.

For this reason, extension review should be part of account security. Fewer extensions, narrower permissions and periodic review reduce the number of components that can interact with important browser sessions.

What to check before installing an extension

Before installing, check:

    • who developed it
    • what permissions it requests
    • whether those permissions are necessary
    • whether it is actively maintained

How to review existing extensions

Review extensions periodically and remove anything unnecessary.

Check permissions and behaviour carefully.

Why fewer extensions is usually better

A smaller number of extensions reduces risk and complexity.

It also improves browser performance and clarity.

What a browser extension does not need to do

A useful way to assess an extension is to ask whether its permissions match its purpose. For example, a simple visual theme, screenshot helper, or tab organiser should not normally need broad access to read data across all websites.

When the requested access feels wider than the function being offered, that is often a sign to pause and review more carefully.
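One practical way to apply that test is to look at what an extension's manifest actually declares. The following is an added example, not code from this guide: it reviews a manifest.json (the file where Chromium-based browsers and Firefox record an extension's requested permissions) and flags access that reaches every website or sensitive browser features. The permission lists used as thresholds and the two sample manifests are constructed assumptions for illustration.

```python
import json

# Host patterns that mean "every website you visit"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that reach page content, cookies, requests or history
# rather than a single UI feature; worth checking against the stated purpose.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "history", "tabs", "scripting", "clipboardRead", "nativeMessaging",
    "debugger", "management", "proxy",
}


def review_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest (MV2 or MV3 layout)."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    # MV3 lists host access under host_permissions; MV2 mixed host patterns
    # into permissions, so collect both, plus optional (runtime-requested) ones.
    api_perms = set(manifest.get("permissions", []))
    api_perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("optional_host_permissions", []))
    hosts |= {p for p in api_perms if "://" in p or p == "<all_urls>"}
    for p in sorted(hosts & BROAD_HOSTS):
        findings.append(f"{name}: host pattern {p!r} grants access to every website")
    for p in sorted(api_perms & SENSITIVE_PERMISSIONS):
        findings.append(f"{name}: sensitive API permission {p!r}")
    # A content script matched on every page reads page content even when
    # the permissions list itself looks short.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append(f"{name}: content script runs on all pages")
    return findings


def review_manifest_file(path: str) -> list[str]:
    """Load manifest.json from an unpacked extension folder and review it."""
    with open(path, encoding="utf-8") as fh:
        return review_manifest(json.load(fh))


# Constructed sample manifests (not real extensions): a tab organiser asking
# for far more than tab organising needs, and a visual theme asking for nothing.
TAB_ORGANISER = {
    "name": "Example Tab Organiser", "manifest_version": 3,
    "permissions": ["tabs", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["collect.js"]}],
}
VISUAL_THEME = {"name": "Example Theme", "manifest_version": 3, "theme": {}}
```

Run `review_manifest_file` against the manifest.json of an unpacked extension folder, or paste a manifest into `review_manifest`; an empty result means nothing broad was declared, not that the extension is safe.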

Some modern incidents have shown that the wider risk is not limited to obviously malicious add-ons. In practice, excessive permissions, connected services, and background access can all contribute to wider account or browser exposure over time.

What to do if you are unsure

If unsure, disable the extension temporarily and assess whether it is needed.

Remove it if it is not essential.

Additional protection can also come from network-level controls such as filtering DNS services, which can reduce exposure to known malicious or newly registered domains.

Why this matters for real accounts and services

Extensions may interact with accounts, cloud services, and stored data.

This means poor choices can affect more than just browsing.

For many users, the browser is the route into email, banking, Microsoft 365, Google Workspace, business portals, and support systems. If an extension has wider access than expected, the effect may extend beyond one website or one browsing session. That is why extension review is not only a privacy preference or performance choice. It is part of how access to important accounts and services is controlled.

This forms part of a wider layered security approach, where different controls work together across browsers, devices, networks, and accounts.

Further Guidance and Support

This guide forms part of a broader layered security approach. For structured guidance on security and resilience planning, see our Security and Resilience page.

For information about practical implementation and ongoing support, you can review our IT services and local IT support coverage across London, Hertfordshire, and Essex.

Author
Elías Sánchez
IT Support Consultant
Evening Computing
London, United Kingdom

This guide was prepared by Elías Sánchez with research and drafting assistance from AI tools. All technical content has been reviewed and adapted for clarity and accuracy.

Last reviewed
28 April 2026