Researchers have conducted a study examining the popular 100 Chrome extensions and found that 86% gain highly dangerous permissions upon installation.
Most extensions want full access to all websites a user visits, scripting abilities, permission to read and modify browser tabs – including content and URL – and to store collected data. Many permissions also ask to check downloads, history, browsing data, or even tamper with traffic, injecting elements, such as ads, or redirecting somewhere else.
“Users have almost no control over what permissions extensions use. You either agree or disagree with the permissions list and grant them all upon installing the extension,” said Teona Patussi, Information Security Researcher at Cybernews.
Key findings:
- 86% of Chrome extensions analyzed request high-risk permissions.
- Only 1 out of 100 extensions did not require at least moderately dangerous access upon installation.
- Only 5 extensions work with 0-1 permissions.
- On average, an extension asks for 6.4 permissions, 5.3 of which are high or moderate-risk.
- 60 extensions request Host permissions, giving them full access to all web content and local files – the most dangerous type of access, according to Google.
- Storage, scripting, and tab access were the top permissions – requested by 95, 65, and 53 extensions, respectively.
- AI and productivity tools are the most permission-heavy – the “Tampermonkey,” “AI New Tab: Calendar, Tasks, ChatGPT,” and “Checker Plus for Gmail” extensions ask for up to 18 permissions.
- “Magical AI Agent for Autofill Automation,” “Adobe Acrobat PDF edit,” and “Awesome Screen Recorder Screenshot” require 14 permissions.
- Adblockers such as AdBlock or Ghostery are also among the extensions with the most permissions, as are password managers or translation services.
- Some permissions allow traffic manipulation – 17 extensions requested the powerful “declarativeNetRequest” API, which can be used to intercept, redirect, or modify network traffic.
- 100 extensions declared 230 high-risk permissions, 294 medium-risk permissions, and 114 low-risk permissions.
- Dangerous combinations of permissions could enable keylogging, data theft, and phishing.
- Two extensions were removed from the Chrome Web Store during analysis – one of them, with over a million installs, reportedly contained malware.
Possible risks
Cybernews researchers warn that Chrome extension permissions are critical, defining what the add-on can access and control within the browser and system.
Therefore, ensuring they come from reputable developers is essential, and users should review the extensions regularly.
As researcher Patussi explained: “While the number of permissions may be intimidating, the real danger lies in the combinations of specific permissions. A few permissions would be sufficient to create malware capable of keylogging, session hijacking, and full data theft.”
To read the full research, please click here.
