Large-scale research into the Chrome Web Store has put a hard number on a suspicion many users already felt: a substantial share of millions of installs ship risky, outdated, or policy-violating extensions. Between July 2020 and February 2023, Stanford and CISPA researchers found that over 346 million users installed extensions with potential security concerns, 280 million installed extensions containing unsafe scripts, 63 million installed policy-breaching extensions, and 3 million installed known-vulnerable extensions in a single snapshot.
This article explains what that research found, how extension threats actually function today, and what you can do before your next install.
What did the Chrome extension vulnerability study find?
The paper “What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions” (July 2024) systematically classified extensions by risk outcome. The headline figures are below.
| Category (July 2020 – Feb 2023) | Users affected | What it means |
|---|---|---|
| Security-Noteworthy (SNE) extensions | 346 million | Potentially unsafe code paths |
| Extensions with unsafe scripts | 280 million | Inline scripts or remote code loading |
| Policy breaches | 63 million | Violates Chrome Web Store Developer Program Policies |
| Known-vulnerable extensions | 3 million | Publicly known unpatched flaws at snapshot time |
Several dynamics explain the scale. Extensions have short life cycles — many pause updates soon after launch, freezing in a vulnerable state. The study found almost 60% of extensions never received updates, leaving old dependencies unpatched indefinitely. Extensions with similar codebases (cloned by different publishers) spread one flaw across many store listings.
Manifest V3 was supposed to help: Google introduced MV3 in November 2020 to retire the powerful blockingWebRequest API in favor of the tighter declarativeNetRequest model. As of February 2023, 74% of extensions still ran the more permissive V2 manifest, slowing the security transition. (See our Manifest V3 overview for the technical background.) The result: millions of users running extensions that retain legacy capabilities their developers never audited for modern threats.
How do malicious Chrome extensions actually compromise a browser?
Four threat patterns account for most high-impact abuse:
- Over-permissioned legitimate extensions. A coupon helper or theme tool requests “Read and change all your data on the websites you visit” to do its modest job — and then quietly exfiltrates browsing history or session cookies. Because the permission was granted at install, Chrome shows no further warning.
- Extension flipping. A popular extension is sold to a new owner who pushes an auto-update introducing ad injection, tracking, or data sales. The user keeps the trusted listing; the code underneath changes.
- Supply-chain / remote code loading. Some extensions load executable logic from a developer-controlled endpoint at runtime, bypassing the static store review. The review approves clean code; the endpoint swaps it after publishing.
- Typo-squat and clone publishers. Non-trivial clones of popular blockers ship under near-identical names and harvest browsing data under a false brand.
Each abuses the reality that MV3 still grants meaningful power — broad host permissions, cross-origin fetches, and DOM access — to any extension the user trusts once.
How to stay safe when installing Chrome extensions
A practical, repeatable checklist:
- Read recent reviews, not just the star rating. Malicious updates arrive after launch; reviews are the freshest signal, especially the 3-star-and-below posts.
- Verify the developer. Visit their site, confirm real contact and a privacy policy. Treat no-name developers with a single, recently published extension as higher risk.
- Prefer the Featured badge. Google awards the badge to extensions that meet best-practice guidelines; it is a real, useful trust signal.
- Respect permission scope. Avoid extensions that request microphone, camera, or “all websites” access unless the functionality demands it — an ad blocker never needs your microphone.
- Update and prune constantly. Keep the browser and all extensions on automatic updates; audit
chrome://extensionsmonthly and remove anything you no longer use. - Research outside the Store. A quick search on Reddit or a reputable tech site turns up developer-flagged abuse reports that the Store review missed.
How ProBlocker addresses Chrome extension risk
ProBlocker was designed specifically to avoid the patterns the Stanford/CISPA study flagged: it is open source (github.com/theproblocker/adblocker) so its code is publicly auditable, runs on Manifest V3 natively, and requests only the minimum declarative permissions required for network-level ad and tracker blocking. It collects zero user data, has no paid tier, no account, and no Acceptable Ads, and its filter lists refresh daily. With a 4.8-star Featured-badge rating across 10,000+ users, it competes on transparent blocking rather than data monetizatio. Read our malware protection tips and best ad-blocker comparison for more.
Practical takeaways for staying safe with Chrome extensions
- Audit
chrome://extensionsmonthly; remove every extension you no longer use. - Before installing, read the two-week-old reviews, check the Featured badge, and confirm the developer’s site and privacy policy.
- Never grant “all websites” access to an extension whose job is narrower.
- Prune the extension set you actually need; fewer extensions mean a smaller attack surface.
- For a broader alternative, see the uBlock Origin alternative comparison.