Chrome Extension Security in 2026
How to evaluate Chrome extensions for security and privacy in 2026, what permissions actually mean, and the red flags worth taking seriously.
Browser extensions are the most powerful pieces of code most users install on their devices. A single extension with the standard "read and change all your data on websites you visit" permission can see every page you load, every form you submit, and every account you log into. The Chrome Web Store has more than 150,000 extensions. Most are harmless. A handful are not, and the line between them is not always obvious.
This article is a practical 2026 guide to evaluating extensions before you install them. It is written for normal users, not security researchers, and it pairs well with our online privacy guide and our Manifest V3 explainer.
What an extension can actually do
When you install an extension, Chrome shows a permission prompt. The most consequential permissions in practice:
- Read and change all your data on websites you visit. The big one. The extension can inspect and modify every page.
- Access your browsing history. The extension can see where you have been.
- Manage your downloads. Initiate, monitor and rename downloads.
- Access your tabs. See open tabs, URLs and titles.
- Manage your bookmarks. Read and modify.
- Communicate with cooperating websites. A formal channel for the extension's own backend.
For an ad blocker, the first permission is unavoidable; that is how it does its job. For a screenshot tool, the first permission is excessive; it should only need access to the current tab when triggered.
Red flags
The patterns that should make you pause:
- Permissions out of proportion to the feature. A weather widget should not need access to every page on every site.
- A long history with a recent change of ownership. Extensions sometimes get acquired by companies that monetise via data. The brand stays the same; the behaviour changes.
- Reviews that complain about new ads or tracking. Recent reviews are the most reliable signal.
- An unclear or absent privacy policy. A privacy-respecting extension publishes a clear policy and means it.
- A publisher with no other history. Not disqualifying, but worth more scrutiny.
- Surprisingly small install count for an extension claiming a high-traffic use case. It might be new and good; it might be impersonating something else.
Green flags
- A clear, short privacy policy you can read in a minute.
- A publisher with a real company website, contact information and named team.
- A free tier funded by an honest paid tier, not by data.
- An open-source codebase or, at minimum, an openly described update process.
- An active issue tracker or support channel.
The Manifest V3 effect
Manifest V3 made certain categories of malicious extension harder to build. The most important changes:
- Extensions cannot fetch and execute remote code. All JavaScript ships in the package.
- The blocking form of the webRequest API, which let an extension inspect and alter every request at runtime, is replaced for most use cases by the declarative declarativeNetRequest API.
- Service workers replace persistent background pages.
In practical terms, an MV3 extension that misbehaves is more visible (the malicious code is in the package, where Chrome's review can see it) and the runtime damage is bounded. This is a real improvement. There is more background in our Manifest V3 explainer.
It is not a substitute for trust. A malicious extension can still abuse the permissions a user grants it. The defence is still the publisher and the policy, not the manifest version.
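As an added example (not NovaBlock's or Chrome's code), here is a small JavaScript reviewer that applies the permission checks from "What an extension can actually do" and the MV3 checks above to an extension's manifest.json, and also reports permissions an update adds. The list of categories that legitimately need "all sites" follows the comparison table below and is an assumption for illustration, as are the sample manifests.

```javascript
// Added example, not NovaBlock's or Chrome's code: a manifest.json reviewer that
// applies this article's proportionality and MV3 checks. Which categories need
// "all sites" follows the comparison table and is an assumption, not a Web Store rule.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const NEEDS_ALL_SITES = new Set(["ad blocker", "password manager", "translation"]);
const SENSITIVE = new Map([
  ["history", "can read browsing history"],
  ["tabs", "can see open tab URLs and titles"],
  ["downloads", "can start, monitor and rename downloads"],
  ["bookmarks", "can read and modify bookmarks"],
  ["webRequest", "can observe network requests at runtime"],
]);

// Every host pattern the extension asks for: MV2 puts them inside "permissions",
// MV3 moves them to "host_permissions".
function hostPatterns(manifest) {
  const inPerms = (manifest.permissions || []).filter(
    (p) => p === "<all_urls>" || p.includes("://"));
  return [...(manifest.host_permissions || []), ...inPerms];
}

// Returns human-readable findings; an empty list means nothing stood out.
function reviewManifest(manifest, category) {
  const findings = [];
  if (hostPatterns(manifest).some((h) => BROAD_HOSTS.has(h)) && !NEEDS_ALL_SITES.has(category)) {
    findings.push(`"${category}" asks for all sites; activeTab would usually be enough`);
  }
  for (const p of manifest.permissions || []) {
    if (SENSITIVE.has(p)) findings.push(`permission "${p}" ${SENSITIVE.get(p)}`);
  }
  if (manifest.manifest_version !== 3) {
    findings.push("manifest v2: persistent background page and remote code are still possible");
  }
  return findings;
}

// Permissions an update adds that the previous version did not have: the
// "sudden permission expansion on a routine update" pattern from later in the article.
function addedPermissions(oldManifest, newManifest) {
  const had = new Set([...(oldManifest.permissions || []), ...hostPatterns(oldManifest)]);
  const now = new Set([...(newManifest.permissions || []), ...hostPatterns(newManifest)]);
  return [...now].filter((p) => !had.has(p));
}

// Constructed sample manifests for a screenshot tool, before and after an update.
const SNAP_V1 = { manifest_version: 3, name: "Snap", permissions: ["activeTab"],
  background: { service_worker: "sw.js" } };
const SNAP_V2 = { manifest_version: 3, name: "Snap", permissions: ["activeTab", "tabs", "history"],
  host_permissions: ["<all_urls>"], background: { service_worker: "sw.js" } };
console.log(reviewManifest(SNAP_V2, "screenshot tool"), addedPermissions(SNAP_V1, SNAP_V2));
```

The same checks run unchanged on an MV2 manifest, where the host patterns sit inside "permissions" and the manifest version itself is reported as a finding.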
The pre-install checklist
Before you click Install:
- Does the extension actually need the permissions it is asking for? If not, look for a more targeted alternative.
- Who made it? Click the publisher name. Visit their website. Look for a real organisation.
- What does the privacy policy say? Specifically: does it say "we do not collect browsing history" in plain language?
- What do recent reviews say? Read the last twenty reviews, including the one-stars.
- When was the last update? A maintained extension is updated regularly. An extension last updated two years ago is at minimum out of date and possibly abandoned.
- Is the extension verified by the Chrome Web Store? Look for the "Featured" badge or the verified publisher mark; not definitive but a positive signal.
Comparison: trust signals across common categories
| Category | Necessary permission level | Acceptable business model | Strongest trust signal |
|---|---|---|---|
| Ad blocker | All sites | Free + paid Premium | Clear policy, no telemetry |
| Password manager | All sites | Paid subscription | Long history, security audits |
| Tab manager | Tabs | Free | Open source, small footprint |
| Screenshot tool | Active tab | Free or small paid | No "all sites" request |
| Translation | All sites | Funded by browser vendor or paid | Vendor identity |
| Note-taker | Active tab | Paid subscription | Real company behind it |
A note on the "acquired and changed" pattern
Several historically beloved extensions have been quietly sold over the years to new owners, who then added telemetry or ads in subsequent updates. The brand stayed the same. The privacy policy was updated in small print.
How to protect yourself:
- Watch for sudden permission expansions on routine updates. Chrome shows them in the extensions page.
- Watch for a flood of one-star reviews appearing after an update; users notice.
- Watch for ownership changes; some publishers announce them transparently, others do not.
- If an extension is acquired, evaluate the new owner with the same checklist you used originally.
NovaBlock will not be sold to an ad network. We have published this commitment because we know users care, and we have made the structural decision to keep ownership independent. See the privacy page.
What about Firefox extensions?
Firefox's extension store is smaller, more curated, and reviewed more thoroughly. The trust signals are similar but the population of available extensions is smaller, which is its own filter. Firefox also supports the older webRequest API in extensions, giving more capability to classic uBlock Origin and similar tools.
Sandboxes and process isolation
Modern Chrome isolates extensions in their own processes. A crashing extension does not crash the browser. A buggy extension cannot read another extension's memory. This is the platform's contribution; user discretion is still required for what each extension is allowed to do on pages.
What to do if an extension turns out to be bad
- Disable it immediately from chrome://extensions.
- Remove it.
- Change passwords on any sensitive accounts you used while it was installed.
- Report the extension via the Chrome Web Store report button.
Pros and cons of being deliberate about extensions
Pros
- Significant privacy gain at zero cost.
- Fewer extensions means a faster, cleaner browser.
- You will know what each installed extension does.
Cons
- Modest time investment per install.
- You will sometimes pass on an extension that turns out to be perfectly fine.
Conclusion
The Chrome Web Store is not a managed App Store with strict vetting. It is closer to a moderated marketplace where the user is, ultimately, the one making the trust decision. Take that decision seriously for any extension with broad permissions. Use the checklist. Stick with publishers who have earned the trust. For ad blocking specifically, install NovaBlock and read the privacy page; the two pages cover everything you would normally need to ask.
Key takeaways
- Extensions can read every page they have access to. Granting 'all sites' permission is a real trust decision.
- Manifest V3 narrowed the attack surface, but it did not eliminate the underlying trust model.
- Read the publisher, the install count, the recent reviews and the privacy policy before installing.
- Avoid extensions that have changed hands recently or that have been silently acquired.
Frequently asked questions
Can an extension read my passwords?
An extension with access to a page can read its DOM, including form inputs. Password managers are designed around this. Other extensions should not be doing it, but technically can if you grant the permission.
Are paid extensions safer than free ones?
Not inherently. The business model question is whether the developer is funded by users (paid, donations) or by data (telemetry, ads). Both free and paid extensions can be on either side.
What does 'read and change all your data on websites you visit' mean?
Exactly what it sounds like. The extension can inspect every page you load and modify it. For ad blockers and password managers this is necessary. For a screenshot tool, it is overreach.
Should I worry about MV3 extensions?
MV3 narrowed what extensions can do dynamically and forced all code into the package itself. The platform is safer than MV2 was. The trust decision is still about who wrote the extension, not just the manifest version.
Is the Chrome Web Store moderated?
Yes, but imperfectly. The review process catches obvious malware. It does not catch a quietly-acquired extension whose new owner introduces tracking in a later release.