Dozens of browser extensions collect and sell user data

 


Many popular browser extensions are collecting and selling user data — and doing it legally, new research by LayerX Security shows. Unlike clearly malicious extensions that hide their behavior, these tools openly disclose what they do in their privacy policies. The problem is that most users never read those policies.

LayerX analyzed thousands of extensions from official stores and found more than 80 that say they can sell or share user data. The extensions include ad blockers, streaming helpers, job search tools, new-tab extensions, and business intelligence platforms. In some cases, multiple extensions appear to be connected and built by the same developers, possibly working together.

One group of 24 media-related extensions, installed by about 800,000 users, was found to track viewing habits and demographic data across major streaming services like Netflix, Hulu, Disney+, Amazon Prime Video, HBO, and Apple TV. Another example is a set of 12 ad blockers with a combined total of over 5.5 million users. Even though ad blockers are meant to protect privacy, some of them still collect and sell user information.

Most of the extensions don’t directly say “we sell your data.” Instead, they use phrases like “we may sell or share your personal information with third parties” or “this information may be shared with business partners.” This wording gives companies legal flexibility, meaning they can sell user data at any time and users have already agreed to it by installing the extension.

71% of all extensions in the Chrome Web Store don’t have any privacy policy at all, researchers note. As a result, over 73% of users have at least one extension installed without knowing how their data is being used.

“Most extension security evaluations focus on permissions or known malicious indicators – flagging extensions that request excessive access or match threat intelligence. That catches malware. It doesn’t catch an extension that openly reserves the right to sell your browsing data,” the report says.

