Unscart

March 24, 2026

Chrome Extension Security: How to Vet Extensions Before Installing

A Chrome extension can read everything you type, see every page you visit, and intercept your login sessions — all with permissions you granted at install. Most extensions are legitimate and useful. But malicious extensions do slip through Google's review process, and even previously trusted extensions can turn dangerous after being acquired by a new owner. This guide gives you a systematic process for evaluating any Chrome extension before you install it.

Why Chrome Extensions Are a High-Stakes Security Decision

The permissions a typical extension requests are broader than most people realize. An extension with "Read and change all your data on all websites" can:

  • Read every password you type into any website's login form
  • Capture credit card numbers entered on shopping sites
  • Exfiltrate session cookies to take over your logged-in accounts
  • Inject malicious scripts or advertisements into every page you visit
  • Silently redirect searches to revenue-generating alternatives
  • Mine cryptocurrency using your CPU in the background

The Chrome Web Store vets extensions before publishing, but malicious extensions have passed review — and legitimate extensions that are later sold to bad actors can turn malicious with a single silent update. The security burden is partly on you.

Step 1: Identify the Publisher

The first question for any extension: who made it and can you verify their identity?

Trustworthy publishers include:

  • Well-known companies with established reputations: Google, Microsoft, Grammarly, Bitwarden, JetBrains
  • Active open-source projects with public GitHub repositories and contributor histories
  • Organizations with verifiable web presences that match the extension's stated purpose

Be cautious of:

  • Publishers with generic names ("App Tools", "Browser Extensions LLC") and no searchable web presence
  • Extension names that closely mimic trusted tools (searching for "uBlock" and finding "uBlock Pro" or "uBlock for Chrome" — imposters of uBlock Origin)
  • Extensions with a large install count but very few reviews — inflated install counts via bots are known to occur

Step 2: Analyze the Permissions Request

Before clicking "Add extension" on any install dialog, read the permissions list carefully. Match each permission against what the extension actually needs to do.

Permission Risk Levels

  • High risk — only acceptable from very trusted sources:
    • "Read and change all your data on all websites" — necessary for ad blockers like uBlock Origin and grammar tools like Grammarly, but alarming for an extension that does not need to interact with web content
    • "Read your browsing history" — very few legitimate extensions require this
  • Medium risk — appropriate for specific function types:
    • "Manage your downloads" — expected for download managers, suspicious otherwise
    • "Read and change data on " — less broad than all-sites access; check whether the listed sites make sense
  • Low risk:
    • "Display notifications" — cannot steal data, but can be annoying
    • "Change your search settings" — watch for extensions using this to replace your search engine with a revenue-generating alternative

Step 3: Read Reviews — But Critically

The Chrome Web Store review system is gameable. Do not rely solely on the star rating. Look specifically for:

  • One-star reviews describing specific behavior changes: "After installing this, my searches started redirecting to Yahoo," "I started seeing new ads injected into every page." These are specific, credible signals of malicious behavior.
  • Review velocity anomalies: A burst of identical five-star reviews in a short period suggests a coordinated fake review campaign.
  • Review-to-install ratio: A million-install extension with 300 reviews suggests either that most users were acquired via bots or that users found the experience unremarkable. Neither is reassuring.
  • Developer responses to negative reviews: Legitimate developers respond to criticism constructively. Absence of any developer engagement is a yellow flag.

Step 4: Check the Privacy Policy

Every Chrome Web Store listing is required to link to a privacy policy. Look for:

  • Clear language about what data is collected, how it is used, and whether it is shared with or sold to third parties
  • Specific statements about browsing data — does the extension log the URLs you visit?
  • Data retention policies — how long is your data stored, and is there a deletion mechanism?

Reject extensions whose privacy policy is missing, uses purely legal boilerplate without specific data disclosures, or explicitly reserves the right to sell browsing data.

Step 5: Look for Open-Source Code

The gold standard for extension trustworthiness is open-source code with a publicly accessible repository. Search for the extension name on GitHub. Open-source extensions allow any security researcher, journalist, or technically capable user to verify that the extension does exactly what it claims and nothing more.

Well-known open-source extensions whose trustworthiness rests on verifiable code: uBlock Origin, Bitwarden, Dark Reader, Privacy Badger, and LanguageTool. Non-open-source extensions are not automatically untrustworthy — Grammarly is closed-source and widely trusted — but they require more reliance on the company's reputation and audit history.

Step 6: Monitor Installed Extensions Over Time

Even a well-vetted extension can become dangerous after the fact. Extensions have been sold to companies with different values, and a single silent background update can change what an extension does without any notification.

Regular Extension Hygiene

  • Once a month, open chrome://extensions and disable any extension you have not actively used in the past 30 days
  • Uninstall extensions whose developers have stopped maintaining them (check the "Last Updated" date on the Chrome Web Store listing)
  • Subscribe to security news relevant to tools you use — browser extension compromises are widely covered when they occur
  • Use Chrome's Task Manager (Shift+Esc) to check for extensions consuming unexpectedly high CPU or network activity, which can indicate cryptocurrency mining or data exfiltration
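An added example (my own, not Unscart's) that applies the Step 2 risk tiers to an extension's manifest.json and, for the Step 6 monthly check, to every manifest under a Chrome profile's Extensions directory. The mapping from manifest keys to install-dialog wording is my own reading of Chrome's permission warnings, and the sample manifest is constructed.

```python
import json
from pathlib import Path
# Manifest keys mapped to the install-dialog wording and risk tiers from Step 2.
# The mapping is my own, based on Chrome's documented permission warnings.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISK = {
    "history":       ("high",   "Read your browsing history"),
    "downloads":     ("medium", "Manage your downloads"),
    "notifications": ("low",    "Display notifications"),
}

def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (risk, dialog_text) findings for one manifest.json (MV2 or MV3)."""
    findings = []
    perms = list(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))                # MV3 host list
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]  # MV2 mixes hosts in
    if any(h in ALL_SITES for h in hosts):
        findings.append(("high", "Read and change all your data on all websites"))
    else:
        findings += [("medium", f"Read and change data on {h}") for h in hosts]
    findings += [RISK[p] for p in perms if p in RISK]
    # A search_provider override is what "Change your search settings" refers to.
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.append(("low", "Change your search settings"))
    return findings

def worst_risk(findings: list[tuple[str, str]]) -> str:
    order = {"high": 2, "medium": 1, "low": 0}
    return max((r for r, _ in findings), key=order.get, default="none")

def audit_profile(extensions_dir: Path) -> dict[str, str]:
    """Map each installed extension id to its worst tier (layout: Extensions/<id>/<version>/manifest.json)."""
    report = {}
    for mf in extensions_dir.glob("*/*/manifest.json"):
        report[mf.parent.parent.name] = worst_risk(audit_manifest(json.loads(mf.read_text())))
    return report

# Constructed sample: a hypothetical "PDF tools" extension whose permissions
# far exceed what a PDF converter plausibly needs.
SAMPLE = json.loads("""{
  "manifest_version": 3, "name": "Quick PDF Tools (constructed sample)",
  "permissions": ["downloads", "history", "notifications"],
  "host_permissions": ["<all_urls>"],
  "chrome_settings_overrides": {"search_provider": {}}
}""")

if __name__ == "__main__":
    for risk, text in audit_manifest(SAMPLE):
        print(f"[{risk:6}] {text}")
```

Point audit_profile at your profile's Extensions folder (on Linux, ~/.config/google-chrome/Default/Extensions) to get a per-extension worst-tier summary for the monthly review.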

Quick Security Checklist

  1. Is the publisher a verifiable, reputable company or active open-source project?
  2. Are the requested permissions proportionate to the extension's function?
  3. Do the one-star reviews describe specific suspicious behavior?
  4. Does the privacy policy explicitly address browsing data and data sharing?
  5. Is the source code publicly available on GitHub?

Four or five "yes" answers: safe to install. Two or fewer: find an alternative.

Conclusion

Chrome extensions are safe when installed from trustworthy sources with appropriate permissions and a transparent privacy policy. The vetting process described here takes three to five minutes per extension and protects you from the most common attack vectors. Unscart's extension directory curates verified, useful Chrome extensions across every category — a good starting point if you want trusted recommendations without doing individual research for every tool you need.