Skip to main content
Guide

Is That Chrome Extension Safe? 7 Checks Before Install (2026)

The Featured badge didn't stop a Chrome extension stealing 900K ChatGPT chats. A 7-point audit of permissions, source, and ownership to vet any extension.

7 min read Verified Chrome 150

Key takeaways

  • Badges are a weak signal. One of two fake AITOPIA extensions that stole 900,000 users’ AI chats carried Google’s Featured badge when it was caught.
  • Permissions are the fastest filter. An extension asking to read every page when its job doesn’t require it fails before you check anything else.
  • A CRX file is a ZIP. You can read the full source in five minutes without installing anything.

The single most reliable way to tell whether a Chrome extension is safe is to compare the permissions it demands against what it actually claims to do. If a screenshot tool wants to “read and change all your data on all websites,” the mismatch is the answer. Below is the full seven-point audit, including how to read an extension’s source before you trust it.

Most safety advice starts and ends with “check for the verified badge.” That advice failed 900,000 people in January 2026 (six months before this article’s July 2026 publication).

Two extensions impersonating the legitimate AITOPIA developer harvested full ChatGPT and DeepSeek conversation content and shipped it to an attacker’s server every 30 minutes. One of the two carried Google’s Featured badge at the time of discovery. The badge is applied after a manual review for best practices, and the malicious behavior slipped through anyway.

The two Chrome Web Store badges certify less than most people assume:

BadgeWhat it confirmsWhat it does not confirm
Established PublisherDeveloper verified their identity and has a track record. ~75% of the store carries it.That the code is safe or the permissions are reasonable
FeaturedGoogle manually reviewed the listing for best-practice and privacy guidelinesThat a later update is safe, or that hidden behavior was caught

Badges are worth a glance. They confirm identity and a review, never safe code. The seven checks below are what actually protect you.

Checks 1-3: Read Permissions Like a Threat Model

Every extension declares its access in four buckets: permissions, optional_permissions, host_permissions, and optional_host_permissions. Chrome collapses these into the plain-English prompt you see at install time. Read it instead of clicking through.

The all-access flag. “Read and change all your data on all websites” maps to the <all_urls> host permission. It lets the extension see and modify every page you load, including your email, your bank, and any AI chat you have open. Some extensions require it by design: an ad blocker or a password manager works everywhere. A currency converter, a single-site helper, or a new-tab theme does not. The real test is whether this specific function needs it.

The mismatch test. Line up the permission list against the one-sentence description of what the extension does. A wallpaper extension requesting tabs and scripting access is asking for capabilities its stated job never touches. That gap is where hidden behavior lives.

The manifest-version test. Manifest V2 has been disabled in stable Chrome since October 2024. An extension still shipping V2 in mid-2026 is not being maintained. Abandoned extensions with broad permissions are exactly what attackers buy and repurpose, which is the next check.

Read the Source: A CRX File Is Just a ZIP

You do not have to take the developer’s word. A packaged Chrome extension (a .crx file) is a ZIP archive holding the manifest and every line of source. You can read it without installing anything.

  1. Grab the extension ID. It is the long string of letters in the Web Store URL, right after /detail/name/.
  2. Open it in a viewer. Paste the ID into CRXcavator, CRXPlorer, or Rob Wu’s open-source crxviewer. Each fetches and unpacks the extension in the browser. To work offline, download the CRX and run unzip on it.
  3. Read manifest.json first. It lists the permissions, the content_scripts and the sites they run on, and the background service worker. This is the ground truth the marketing copy is written on top of.
  4. Grep the JavaScript for two patterns. Search for fetch( and XMLHttpRequest to find every outbound request, then check the destination domains. A legitimate tool talks to its own API or the service it integrates. Requests to unfamiliar domains, especially alongside code that reads document.body or scrapes page text, are the exfiltration pattern that hit AITOPIA users.

Static source reading tells you what an extension can do. To watch what it actually sends while running, the companion audit in how extensions steal AI chats walks through the DevTools Network tab. Use both: read the manifest before install, watch the network after.

The Ownership-Transfer Trap

The nastiest 2026 vector needs no coding skill. An attacker buys a clean, popular extension and pushes one poisoned update.

QuickLens was listed for sale in late 2025. Its owner changed in February 2026, and a malicious update landed within days (roughly five months before this article’s publication). That update stripped security headers from web responses, opening the door to cross-origin attacks against every user who had installed it months earlier for a completely benign feature.

This works because granted permissions survive updates. When you approve <all_urls> once, every future version inherits it silently. There is no second prompt when new code arrives. Two defenses:

  • Prefer extensions from a named company or developer with a public history, not a solo listing that could quietly change hands.
  • Re-audit after any big behavior change, new permission request, or visible ownership shift. A sudden 1-star review wave after an update is often the first public sign.

Reviews and Developer Identity

The last two checks are about accountability, and both have caveats.

Reviews are not verified. Google does not confirm review authenticity, and paid review services exist. A cluster of near-identical five-star reviews posted in a short window is a manufactured-reputation signal. So is a burst of one-star reviews after a specific update, which usually means real users noticed something broke or turned hostile.

A real developer leaves a trail. A named company, a working website, a support contact, and a privacy policy that names specific data practices are all positive signals. Anonymity plus broad permissions is the combination to avoid. The Established Publisher badge helps here, but remember it sits on ~75% of the store, so its absence is a bigger flag than its presence is a reassurance.

The 2026 record these checks are built from:

Incident (2026)ScaleHow it worked
Fake AITOPIA extensions (Jan)900K downloadsAI chat + tab URLs exfiltrated every 30 min; one had a Featured badge
History-harvest ring (Feb)287 extensions / 37M downloadsBrowsing history leaked, many on install
QuickLens ownership transfer (Feb)1 extensionSold, then updated to strip security headers
Wallpaper adware ring (Jun)152 extensions / 105K installsAd fraud and fake traffic
OAuth token theft ring100+ extensionsStole Google OAuth2 bearer tokens

Running the Full Checklist

Verified on Chrome 150 (current stable, July 2026), the seven points in order:

  1. Permissions match the stated function.
  2. Host access is no broader than the job requires.
  3. Manifest V3, not the abandoned V2.
  4. Source reads clean (manifest permissions, no exfiltration pattern in the JS).
  5. No recent unexplained ownership change or permission bump.
  6. Reviews look organic, not clustered or freshly astroturfed.
  7. The developer has a verifiable public identity.

The other lever is simply owning fewer extensions. Every install is a standing permission grant that lasts until you revoke it, and each one is a separate thing to keep auditing. SuperchargePerformance folds ad blocking, tracker blocking, cookie-banner rejection, and popup blocking into one extension that stores everything locally, sends zero telemetry, needs no account, and holds the Featured badge on the Web Store. Fewer grants, fewer things to vet.

If an extension asks to read every page and its function does not need that, stop at check one; you already have your answer. If the permissions are reasonable but the developer is anonymous, extract the CRX and read the manifest before trusting it. If it clears all seven, install it, then re-run the audit the next time it updates or changes hands.

Frequently Asked Questions

How can I tell if a Chrome extension is safe before installing it?
As of July 2026, run a seven-point check: match the requested permissions against what the extension actually does, confirm it uses Manifest V3, read the source by extracting the CRX file, check for a recent ownership change, scan reviews for fake-looking clusters, and verify the developer has a real identity. If a screenshot tool asks to 'read and change all your data on all websites,' that mismatch alone is a reason to stop.
Does the Featured or Verified badge mean a Chrome extension is safe?
No. As of July 2026, the Established Publisher badge only confirms the developer verified their identity and has a track record; roughly 75% of the store carries it, so it is necessary but not sufficient. The Featured badge means Google manually reviewed the listing, yet one of the two fake AITOPIA extensions that stole 900,000 users' AI chats in January 2026 carried a Featured badge when it was discovered. Treat badges as one weak signal, not proof.
What Chrome extension permissions are red flags?
As of July 2026, the biggest red flag is 'Read and change all your data on all websites' (the <all_urls> host permission) requested by an extension whose function does not need it. A dictionary, a theme, or a single-site tool has no reason to read every page you visit. Also watch for permissions unrelated to the stated purpose, like a wallpaper extension requesting tabs or scripting access.
How do I read the source code of a Chrome extension?
As of July 2026, a CRX file is a ZIP archive containing the full source. Paste the extension's Web Store ID into a viewer like CRXcavator, CRXPlorer, or Rob Wu's crxviewer, or download the CRX and unzip it. Open manifest.json first to see the permissions, then search the JavaScript for fetch() calls to unfamiliar domains and code that reads page content. No installation required.
What is the extension ownership-transfer attack?
As of July 2026, it is the most dangerous 2026 vector: a legitimate, well-reviewed extension is sold, and the new owner ships an update that adds malicious code. Because permissions you granted persist through every update, the new owner inherits your trust without a fresh prompt. The QuickLens case (ownership changed in February 2026, malicious update days later) stripped security headers from responses to enable cross-origin attacks.
Is Manifest V2 a sign an extension is abandoned?
As of July 2026, yes. Manifest V2 has been disabled in stable Chrome since October 2024. Any extension still shipping Manifest V2 in mid-2026 has not been maintained and should be treated as abandoned, regardless of how many users it still shows.

Don't miss the next release

Be first to know when we ship something new.

Related Articles