Your browser extensions might be quietly making money off your personal information. A recent study by LayerX Security reveals that dozens of popular browser extensions are openly selling user data, with explicit permission buried in their privacy policies.
The research uncovered more than 80 extensions that reserve the right to sell user data. These tools span categories like streaming, ad blocking, and productivity, boasting millions of combined installations. This isn’t about malicious software hiding in the shadows—it’s about legitimate-looking extensions that tell you exactly what they’re doing, assuming you bother to read the fine print.
“Unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it,” LayerX Security stated.
The Scale of Browser Extension Data Selling
The problem is massive. According to the report, 71% of Chrome Web Store extensions do not publish a privacy policy at all. This leaves over 73% of users with at least one installed extension that offers no visibility into how their data is handled. With no policy to read, those users cannot check whether such an extension sells their data.
From an initial dataset of roughly 9,000 extensions, researchers analyzed 6,666 privacy policies and confirmed 82 extensions engaged in commercial data sharing after manual review. These numbers highlight a systemic issue in the browser extension ecosystem.
How Extensions Monetize User Data
Rather than hiding their behavior, many extensions rely on broad legal language to permit data sales. Statements such as “may sell or share your personal information” allow publishers to commercialize user data at their discretion. This is especially concerning where user data is sold without explicit user consent.
One network of 24 media extensions, including tools for Netflix, Hulu, Disney+, Amazon Prime Video, and HBO Max, reached about 800,000 users. These extensions collect viewing behavior, preferences, and demographic data across major streaming platforms, then package those insights for third parties. They operate as a distributed data collection system, capturing and monetizing user activity in several ways:
- Tracking viewing history and engagement across streaming platforms
- Building user profiles using preferences and inferred demographics
- Packaging and selling aggregated insights to advertisers and analytics firms
Ad Blockers and Enterprise Exposure
Ad blockers are not exempt. At least 12 ad blockers with a combined user base exceeding 5.5 million were found to sell or share browsing data. Some collect detailed behavioral information, including inferred sensitive attributes based on user activity. This means that tools designed to protect your privacy might actually be compromising it.
Corporate environments are also affected. The report identified 29 business-focused extensions that gather browsing data from enterprise systems, potentially exposing internal activity through commercial datasets. This creates a serious risk for organizations that rely on browser extensions for productivity.
How to Protect Yourself from Data-Selling Extensions
The findings suggest that traditional extension security checks may miss privacy risks. Even when disclosed, data-selling practices can operate at scale with limited oversight, posing challenges for both users and organizations. So, what can you do?
For Individual Users
Start by auditing your installed extensions. Remove any you don’t use regularly. When installing new extensions, read the privacy policy—yes, actually read it. Look for phrases like “may sell” or “share your personal information.” Use browser features that allow you to control extension permissions.
For Organizations
“Most browsers already support centralized extension management through enterprise policies – Chrome’s ExtensionSettings, Edge’s group policies, Firefox’s enterprise configurations,” LayerX wrote. “If you don’t have an extension governance policy, that’s the first step. If you do, add privacy policy review to the evaluation criteria.”
Implementing a browser extension governance policy can help mitigate risks. Regularly review the extensions allowed in your organization and ensure privacy policies are part of the approval process.
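One way to make privacy policy review part of the approval process, as an added example that is not from LayerX or the original article: the Python below triages policy text for the sale-or-share language quoted earlier and emits a default-deny Chrome ExtensionSettings object. The word lists, the choice to block extensions with no published policy, and the sample IDs and policy text are assumptions; a flag is a prompt for manual review, not a verdict.

```python
import json
import re

# Verbs and objects built around the phrases the article quotes ("may sell",
# "share your personal information"); the exact word lists are assumptions.
VERB_RE = re.compile(r"\b(?:sell|sells|selling|sold|share|shares|sharing)\b", re.I)
OBJECT_RE = re.compile(
    r"\b(?:personal (?:information|data)|browsing (?:data|history|activity))\b", re.I)
NEGATION_RE = re.compile(r"\b(?:not|never|don't|doesn't|won't)\b", re.I)
CLAUSE_RE = re.compile(r"[,;:]|\bbut\b|\bexcept\b", re.I)


def review_policy(text):
    """Return 'missing', 'flag' (sale/share language found) or 'pass'."""
    if not text or not text.strip():
        return "missing"
    text = text.replace("\u2019", "'")  # normalise curly apostrophes
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        for verb in VERB_RE.finditer(sentence):
            # Only a negation in the verb's own clause cancels it, so
            # "we do not sell data, but we may share ..." is still flagged.
            clause = CLAUSE_RE.split(sentence[:verb.start()])[-1]
            obj = OBJECT_RE.search(sentence[verb.end():verb.end() + 60])
            if obj and not NEGATION_RE.search(clause):
                return "flag"
    return "pass"


def build_extension_settings(inventory):
    """Default-deny ExtensionSettings; only extensions that 'pass' are allowed."""
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id, policy_text in inventory.items():
        ok = review_policy(policy_text) == "pass"
        settings[ext_id] = {"installation_mode": "allowed" if ok else "blocked"}
    return settings


# Constructed sample inventory: placeholder IDs and invented policy text.
SAMPLE = {
    "a" * 32: "We may sell or share your personal information with partners.",
    "b" * 32: "We don\u2019t sell your personal information. Data stays local.",
    "c" * 32: "We do not sell data, but we may share browsing history with advertisers.",
    "d" * 32: None,  # no privacy policy published
}

if __name__ == "__main__":
    print(json.dumps(build_extension_settings(SAMPLE), indent=2))
```

The printed JSON is the value an administrator would review before setting it as the ExtensionSettings policy; flagged and policy-less extensions stay blocked until someone has read the policy by hand.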
The Bottom Line on Browser Extension Privacy
Browser extensions are powerful tools, but they come with hidden costs. The practice of browser extensions selling user data is more common than most people realize. By staying informed and taking proactive steps, you can protect your privacy without sacrificing functionality.
Remember: if an extension is free, you might be the product. Always verify what data an extension collects and how it’s used.