A large-scale audit by researchers at the Georgia Institute of Technology found that thousands of Chrome browser extensions can silently extract passwords, financial details, and other sensitive information from the web pages users visit. The study, first published in September 2024, demonstrated that automated tools can scan the Chrome Web Store’s entire catalog and flag dangerous behavior patterns at volume. As of May 2026, no public statement from Google addresses whether the flagged extensions have been removed or whether the Chrome Web Store has adopted the continuous auditing methods the researchers proved are technically feasible.
What the Georgia Tech researchers actually found
The research team built automated auditing tools to examine how browser extensions interact with live web pages. Their core finding: extensions that request content-script access can read and modify data on every site a user visits, including text typed into forms, dynamically loaded content, and information rendered by web applications after a page finishes loading.
That permission model is not inherently malicious. Password managers, ad blockers, and accessibility tools all rely on some degree of page access to function. The problem is that the same access lets a poorly designed or deliberately harmful extension scrape login credentials from a banking portal, copy credit card numbers from a checkout page, or read the contents of an email inbox. The browser treats all of this as permitted behavior once a user clicks “Add to Chrome” and accepts the listed permissions. No additional prompt or alert fires while the extension operates.
The Georgia Tech team confirmed this type of data harvesting happens at scale across the Chrome Web Store, not just in isolated cases. Their automated approach flagged thousands of extensions with the ability to compromise user data, a figure that encompasses extensions with confirmed risky behavior as well as those whose broad permissions create the technical conditions for abuse.
The institutional weight behind the findings matters. Georgia Tech is a top-tier research university with established cybersecurity research programs, and the study was published through the university’s official channels rather than through a private security vendor or sponsored blog post. That gives the methodology a higher degree of accountability than a typical industry white paper.
Why the “100-plus” number needs context
Secondary reporting around the study frequently cites a figure of more than 100 malicious extensions. The Georgia Tech publication itself references thousands of extensions that compromise user data. The gap between those numbers reflects a real distinction: “extensions that request dangerous permissions” is a much larger category than “extensions confirmed to exfiltrate data to a remote server.”
Some extensions that harvest page data do so for advertising analytics or behavioral tracking rather than outright credential theft. The line between aggressive data collection and a criminal backdoor is not always clear from automated scanning alone. The researchers demonstrated that their auditing method works and can identify problematic extensions at scale, but the publicly available materials do not include a full list of extension names, developer identities, or the specific data each extension was observed extracting.
That missing detail creates a frustrating gap for users trying to figure out whether their own installed extensions are among those flagged. Without a published list, the safest approach is to treat any extension with broad site access and an unclear purpose as a potential risk.
What Google has and hasn’t done
Google has not issued a public response specifically addressing the Georgia Tech findings. The company does perform automated and manual reviews of extensions before listing them on the Chrome Web Store, and it has been migrating extensions to Manifest V3, a framework that restricts some extension capabilities and limits persistent background access. Manifest V3 is designed in part to reduce the attack surface that the Georgia Tech study exposed.
However, Manifest V3 does not eliminate content-script access. Extensions built under the new framework can still request permission to read and modify page content. The migration addresses some categories of abuse, particularly extensions that run hidden background scripts, but it does not fully close the gap between what extensions can access and what users expect them to see.
Whether Google has quietly removed specific extensions flagged by the study, or whether the Chrome Web Store team has adopted any form of continuous automated auditing, remains undisclosed as of this writing.
What Chrome users should do right now
The practical steps are straightforward, even if the broader problem is not.
Open Chrome’s extension manager by navigating to chrome://extensions in the address bar. Review every installed extension. Click “Details” on each one and check what site access it has. Any extension that claims access to “All sites” or “On all sites” without a clear functional reason, such as a password manager or an ad blocker you deliberately chose, deserves scrutiny.
Remove extensions you do not actively use. Extensions that have not been updated in over a year, that come from developers with no verifiable identity or website, or that you installed once for a single task and forgot about are the highest-risk items in most people’s browsers.
Where possible, restrict an extension’s site access to “On click” or to specific sites rather than granting blanket permission. Chrome allows this through the extension’s detail page, and it limits what data the extension can reach without your explicit action each time.
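The same review can be scripted against the manifests Chrome stores on disk. The sketch below is an added example, not code from the article or the Georgia Tech study: it flags extensions whose `host_permissions`, MV2-style `permissions`, or `content_scripts` match patterns cover every site. It assumes you pass your profile's `Extensions` directory (laid out as `<extension id>/<version>/manifest.json`); the sample manifests are constructed.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site (Chrome match-pattern syntax).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_access(manifest: dict) -> list[str]:
    """Return 'field: pattern' findings for all-sites access in one manifest."""
    findings = []
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    for field in ("host_permissions", "optional_host_permissions", "permissions"):
        for entry in manifest.get(field, []):
            if isinstance(entry, str) and entry in BROAD:
                findings.append(f"{field}: {entry}")
    # Content scripts are injected into every page their 'matches' list covers.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                findings.append(f"content_scripts: {pattern}")
    return findings

def audit_extensions(ext_root: Path) -> dict[str, list[str]]:
    """Scan <ext_root>/<extension id>/<version>/manifest.json files."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        findings = broad_access(manifest) if isinstance(manifest, dict) else []
        if findings:
            report[path.parent.parent.name] = findings  # key = extension id
    return report

# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = {"manifest_version": 3, "name": "constructed-broad",
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "constructed-narrow",
                 "permissions": ["storage"],
                 "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}]}

if __name__ == "__main__":
    import sys
    for ext_id, findings in audit_extensions(Path(sys.argv[1])).items():
        print(ext_id, findings)
```

A finding here means the extension can reach every site, not that it misuses that reach; the extension IDs it prints can be matched against the entries shown at chrome://extensions.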
The permission model hasn’t kept up
The deeper issue the Georgia Tech research surfaces is structural. The permission model for browser extensions was designed during an era when most in-browser activity involved reading static web pages. Users now manage bank accounts, file taxes, access medical records, and run entire businesses inside browser tabs. Extensions sit between users and some of the most sensitive transactions of their digital lives, operating under permissions that were never calibrated for that level of risk.
The Georgia Tech team proved that continuous, large-scale auditing of extension stores is technically possible. Whether Google or other browser vendors, including Mozilla for Firefox and Microsoft for Edge, adopt that kind of ongoing surveillance of their own marketplaces is a policy decision, not a technical limitation.
Until that happens, the responsibility for vetting extensions falls largely on individual users. Checking permissions, pruning unused extensions, and staying skeptical of tools that ask for more access than they need are the most reliable defenses available right now.
*This article was researched with the help of AI, with human editors creating the final content.