You probably have between five and twenty Chrome extensions installed right now. Ad blockers, password managers, productivity tools, AI assistants. Each one has access to some portion of your browsing activity, and many have far more access than you realize. Understanding how extensions work, and what can go wrong, is one of the most practical security steps you can take.

How Extensions Actually Work

Chrome extensions operate through a permissions model defined in a file called manifest.json. When you install an extension, it declares what it needs access to, and Chrome enforces those boundaries. At least, that is the theory.

The Permissions Model

Extensions request permissions at install time. Some are narrow, like access to a single website. Others are broad, like "Read and change all your data on all websites." That second category is where the risk concentrates. An extension with activeTab permission can only access the current tab when you click the extension icon. An extension with <all_urls> permission can read every page you visit, all the time.

Content Scripts

Content scripts are JavaScript files that run inside web pages. They can read the DOM, modify page content, and intercept form submissions. If an extension injects a content script into your banking site, that script can see everything you see, including account numbers, balances, and session tokens.

Background Workers

In Manifest V3, background service workers handle the extension's core logic. They can make network requests, manage storage, and communicate with content scripts. A malicious background worker can silently exfiltrate data to a remote server without any visible indication in the browser.

The Real-World Risks

The permission model creates a trust relationship between users and extension developers. When that trust is violated, the consequences can be severe.

Data Harvesting

Some extensions collect browsing history, search queries, and form data, then sell that information to data brokers. This often happens through extensions that provide a legitimate service while quietly logging everything in the background. The extension works as advertised, so you never suspect a problem.

Session Hijacking

Extensions with broad permissions can access authentication cookies and session tokens. An attacker who compromises an extension, or who builds a malicious one from scratch, can steal active sessions for email, banking, cloud services, and corporate applications. No password needed.

AI Chat Interception

As AI assistants become central to daily work, extensions that can read page content can also read your conversations with ChatGPT, Claude, Gemini, and other AI tools. People routinely paste proprietary code, business strategies, and personal information into these chats. A content script on those pages captures all of it.

Notable Attack Patterns

Security researchers have documented several recurring patterns in malicious extension campaigns:

How to Audit Your Extensions

Taking control of your extension security does not require technical expertise. Here is a practical process you can follow today:

  1. Open your extension list. Navigate to chrome://extensions in your browser. Review every extension installed. If you do not recognize one, remove it immediately.
  2. Check permissions. Click "Details" on each extension and review its permissions. Be skeptical of any extension requesting access to "all sites" or "all your data."
  3. Review the developer. Click through to the Chrome Web Store listing. Check the developer's website, the number of users, and recent reviews. Look for complaints about privacy or unexpected behavior.
  4. Check update frequency. Extensions that have not been updated in over a year may be abandoned. Abandoned extensions are acquisition targets for malicious actors.
  5. Remove what you do not use. Every extension is an attack surface. If you installed something six months ago and forgot about it, remove it. You can always reinstall it later.
  6. Monitor for permission changes. When an extension update requests new permissions, Chrome will disable it until you approve. Read those permission requests carefully before approving.

Tools That Help

Manual auditing is a good start, but it does not scale. You cannot realistically review every content script injection on every page you visit. This is where automated protection becomes valuable.

Browser-level security tools can monitor what extensions actually do at runtime, not just what they say they will do. They watch for content script injections on sensitive pages, flag unexpected network requests, and alert you to extensions behaving outside their stated purpose.

We built AI Chat Shield specifically to address the AI chat interception problem. It monitors for unauthorized content script access on AI chat platforms and blocks extensions from reading or exfiltrating your conversations. If you use AI tools for work, especially with sensitive data, this is a meaningful layer of protection that browser defaults do not provide.

"The most dangerous extensions are the ones that work perfectly. You never question something that does exactly what it promised."


Browser extensions are powerful tools, but that power cuts both ways. Take fifteen minutes today to audit your installed extensions. Remove anything unnecessary, scrutinize permissions on what remains, and consider adding runtime protection for your most sensitive browsing activity.

2025-2026: The AI Chat Harvesting Wave

The theoretical risks outlined above stopped being theoretical in late 2025. A wave of incidents confirmed that AI chat data has become a primary target for malicious extensions. Here is what happened, and what the security community learned from each case.

December 2025: The Trusted VPN Extension

In December 2025, researchers at Koi Security discovered that a popular VPN extension with over 8 million users had been silently harvesting conversations from eight major AI platforms, including ChatGPT, Claude, Gemini, and five others. The extension carried Google's "Featured" badge, which most users interpret as a seal of safety. Malwarebytes independently confirmed the findings and reported that the harvested data was being sold to third-party data brokers. The extension had been operating with broad host permissions for months before anyone noticed, because it performed its VPN function perfectly well. Users had no reason to suspect a problem.

January 2026: Fake AI Productivity Tools

Two extensions marketed as AI productivity assistants accumulated over 900,000 installs combined before being pulled from the Chrome Web Store. SOCRadar and Dataprise both published analyses showing that these extensions stole complete chat histories from ChatGPT and DeepSeek, along with authentication tokens that could be used to access user accounts directly. The extensions used content scripts to scrape conversation text from the DOM, then exfiltrated the data through encoded POST requests disguised as analytics calls. By stealing auth tokens alongside chat content, the attackers could also access stored conversations that happened before the extension was even installed.

March 2026: Microsoft's Research on Passive Collection

In March 2026, Microsoft's Security Blog published research documenting a category of malicious extensions designed specifically for passive AI chat collection. Unlike the earlier incidents, which relied on active data exfiltration, these extensions used a subtler approach. They quietly recorded chat content into local storage, then uploaded it in small batches during normal browsing activity to avoid triggering network anomaly detections. Microsoft's research highlighted that the passive collection model makes these extensions significantly harder to detect through traditional network monitoring alone.

How Multi-Factor Risk Scoring Catches These Patterns

Each of the incidents above followed a pattern that, in hindsight, was detectable. The challenge is catching these patterns before damage is done, not after. This is why AI Chat Shield uses a multi-factor risk scoring approach that evaluates extensions across several dimensions simultaneously. No single factor is conclusive on its own, but when multiple factors score high together, the risk picture becomes clear.

1. Permission Scope

The first factor is the breadth of an extension's declared permissions. Extensions requesting <all_urls> or broad host access score higher than those with narrow, targeted permissions. A VPN extension does not need access to every website's DOM content. When it requests that access anyway, the risk score increases.

2. Content Script Targeting

Multi-factor scoring examines whether an extension injects content scripts specifically into AI platform URLs. An extension that injects scripts into chat.openai.com, claude.ai, gemini.google.com, or similar domains has a much higher probability of interacting with chat data. This factor is especially significant when the extension's stated purpose has nothing to do with AI tools.
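Factors 1 and 2, and the permissions and content script behavior described under "How Extensions Actually Work", can be read straight from manifest.json. The following is an added example, not AI Chat Shield's code: a Node.js audit of a Manifest V3 manifest, where the sample manifest is constructed and the function names are hypothetical.

```javascript
// Static audit of a Manifest V3 manifest.json (added example).
// AI_HOSTS holds the three domains the article names; extend as needed.
const AI_HOSTS = ["chat.openai.com", "claude.ai", "gemini.google.com"];

// Host part of a Chrome match pattern: "*" for any host, null if malformed.
function hostPart(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(?:\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

// True when the pattern's host part covers `host` ("*.x.com" also covers x.com).
function coversHost(pattern, host) {
  const p = hostPart(pattern);
  if (p === null) return false;
  if (p === "*") return true;
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return p === host;
}

function auditManifest(manifest) {
  const hostPerms = manifest.host_permissions || [];
  const scripts = manifest.content_scripts || [];
  const findings = {
    broadHosts: hostPerms.filter((p) => hostPart(p) === "*"), // factor 1
    activeTabOnly: (manifest.permissions || []).includes("activeTab") &&
      hostPerms.length === 0 && scripts.length === 0, // access only on click
    aiTargets: [], // factor 2: content scripts that reach an AI chat host
  };
  for (const cs of scripts) {
    for (const pattern of cs.matches || []) {
      for (const host of AI_HOSTS.filter((h) => coversHost(pattern, h))) {
        findings.aiTargets.push({ host, pattern, js: cs.js || [] });
      }
    }
  }
  return findings;
}

// Constructed sample manifest, not taken from any real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: "Sample VPN (constructed)", version: "2.4.0",
  permissions: ["proxy", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://chat.openai.com/*", "*://*.google.com/*"], js: ["page.js"] }],
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

The wildcard pattern `*://*.google.com/*` never mentions an AI product, yet it covers gemini.google.com, which is why the audit matches patterns against hosts instead of searching for domain names as strings.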

3. Known Malicious Signatures

The scoring system checks extensions against databases of known malicious code patterns, obfuscation techniques, and data exfiltration methods. These signatures are updated continuously as new threats are documented by the security research community.

4. Network Request Patterns on AI Sites

When an extension makes outbound network requests while the user is on an AI chat page, the scoring system evaluates those requests. Are they going to the extension's expected backend, or to an unfamiliar third-party endpoint? Requests that carry encoded payloads to unknown servers trigger a significant score increase.
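A sketch of this check over request records, as an added example that is not AI Chat Shield's code. The record format, the expected-backend list, the hostnames and the 4.0 entropy threshold are all assumptions, and how the records are captured is outside the example.

```javascript
// Triage of requests an extension made while an AI chat page was open
// (added example; record format, hosts and threshold are assumptions).
const AI_CHAT_HOSTS = new Set(["chat.openai.com", "claude.ai", "gemini.google.com"]);

// Shannon entropy in bits per character. Hex digests top out at 4.0;
// base64 and similar dense encodings land above that.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) bits -= (n / s.length) * Math.log2(n / s.length);
  return bits;
}

// Longest run of base64 / base64url characters, at least 40 long.
function longestEncodedRun(body) {
  const runs = body.match(/[A-Za-z0-9+\/_-]{40,}={0,2}/g) || [];
  return runs.reduce((best, r) => (r.length > best.length ? r : best), "");
}

function scoreRequest(req, expectedBackends) {
  const reasons = [];
  if (!AI_CHAT_HOSTS.has(req.pageHost)) return { score: 0, reasons };
  const dest = new URL(req.url).hostname;
  if (!expectedBackends.some((b) => dest === b || dest.endsWith("." + b))) {
    reasons.push("unfamiliar destination: " + dest);
  }
  const run = longestEncodedRun(req.body || "");
  if (run && entropy(run) > 4.0) reasons.push("encoded payload: " + run.length + " chars");
  return { score: reasons.length, reasons };
}

// Constructed records: the page that was open and what the extension sent.
const blob = Buffer.from(JSON.stringify({
  site: "claude.ai", text: "constructed sample conversation text, 2026-01-15",
})).toString("base64");
const REQUESTS = [
  { pageHost: "claude.ai", url: "https://api.vpn-sample.example/v1/servers", body: "" },
  { pageHost: "claude.ai", url: "https://cdn.metrics-sample.example/collect", body: "v=1&d=" + blob },
  { pageHost: "news.example", url: "https://cdn.metrics-sample.example/collect", body: '{"event":"page_view"}' },
];
const EXPECTED_BACKENDS = ["vpn-sample.example"]; // what the extension's stated purpose needs

// Requests that are both off-backend and encoded, sent from an AI chat page.
function flagged() {
  return REQUESTS.map((r) => ({ url: r.url, ...scoreRequest(r, EXPECTED_BACKENDS) }))
    .filter((r) => r.score === 2);
}
console.log(flagged());
```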

5. DOM Access Behavior on Chat Pages

Extensions that read conversation content from AI chat interfaces exhibit specific DOM access patterns. They query elements that contain message text, monitor for new messages being appended, and copy content from those elements. The scoring system detects these access patterns and distinguishes them from benign DOM interactions like styling changes or UI enhancements.

6. Behavioral Changes After Updates

One of the most telling indicators is when an extension's behavior changes after an update. The "legitimate-to-malicious pipeline" depends on this pattern. Multi-factor scoring tracks an extension's behavior over time and flags sudden changes, such as new content script injections, new network request destinations, or new DOM access patterns that did not exist in previous versions.
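The manifest-visible part of this factor can be checked by comparing what two versions declare. This is an added example, not AI Chat Shield's code; the three manifests are constructed and the function names are hypothetical.

```javascript
// What an update newly declares, compared with the previous version
// (added example). Manifest V2 kept host patterns inside "permissions";
// Manifest V3 moved them to "host_permissions". Normalizing first keeps a
// pure V2-to-V3 migration from being reported as new access.
function declaredAccess(manifest) {
  const isHostPattern = (p) => typeof p === "string" && (p === "<all_urls>" || p.includes("://"));
  const perms = (manifest.permissions || []).filter((p) => typeof p === "string");
  return {
    apis: new Set(perms.filter((p) => !isHostPattern(p))),
    hosts: new Set([...perms.filter(isHostPattern), ...(manifest.host_permissions || [])]),
    scriptMatches: new Set((manifest.content_scripts || []).flatMap((cs) => cs.matches || [])),
  };
}

function diffUpdate(prev, next) {
  const before = declaredAccess(prev);
  const after = declaredAccess(next);
  const added = (key) => [...after[key]].filter((x) => !before[key].has(x)).sort();
  const report = {
    from: prev.version, to: next.version,
    newApis: added("apis"), newHosts: added("hosts"), newScriptMatches: added("scriptMatches"),
  };
  report.needsReview =
    report.newApis.length + report.newHosts.length + report.newScriptMatches.length > 0;
  return report;
}

// Constructed manifests for three releases of one hypothetical extension.
const V1_8 = { manifest_version: 2, version: "1.8.0",
  permissions: ["storage", "proxy", "https://api.vpn-sample.example/*"] };
const V2_0 = { manifest_version: 3, version: "2.0.0",
  permissions: ["storage", "proxy"],
  host_permissions: ["https://api.vpn-sample.example/*"] };
const V2_1 = { manifest_version: 3, version: "2.1.0",
  permissions: ["storage", "proxy", "scripting"],
  host_permissions: ["https://api.vpn-sample.example/*", "<all_urls>"],
  content_scripts: [{ matches: ["https://claude.ai/*", "https://chat.openai.com/*"], js: ["page.js"] }] };

console.log(diffUpdate(V1_8, V2_0)); // migration only: nothing new
console.log(diffUpdate(V2_0, V2_1)); // new API, new hosts, new content scripts
```

A manifest diff only sees declared access, so changes in network destinations or DOM access still need the runtime factors above.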

Putting It Together: The VPN Extension Example

Consider how the December 2025 VPN extension would score under this model. It requested broad host permissions (high score on factor 1). It injected content scripts into eight AI platform URLs despite being a VPN tool (high score on factor 2). It made network requests to data broker endpoints while users were on AI chat pages (high score on factor 4). And it accessed conversation text in the DOM on those pages (high score on factor 5). Any one of these factors alone might not be conclusive. A VPN extension legitimately needs broad host access. But when four out of six factors light up simultaneously, the combined risk score leaves little ambiguity.

This layered approach is what makes multi-factor scoring effective where single-factor checks fail. The VPN extension passed Google's review process. It earned a Featured badge. But it could not pass a scoring system that evaluates behavior across multiple dimensions at once. That is the difference between checking permissions at install time and monitoring actual runtime behavior. AI Chat Shield is built on this principle.
