Is That Chrome Extension Safe? 7 Checks Before Install (2026)
The Featured badge didn't stop a Chrome extension stealing 900K ChatGPT chats. A 7-point audit of permissions, source, and ownership to vet any extension.
Key takeaways
- Badges are a weak signal. One of two fake AITOPIA extensions that stole 900,000 users’ AI chats carried Google’s Featured badge when it was caught.
- Permissions are the fastest filter. An extension asking to read every page when its job doesn’t require it fails before you check anything else.
- A CRX file is a ZIP. You can read the full source in five minutes without installing anything.
The single most reliable way to tell whether a Chrome extension is safe is to compare the permissions it demands against what it actually claims to do. If a screenshot tool wants to “read and change all your data on all websites,” the mismatch is the answer. Below is the full seven-point audit, including how to read an extension’s source before you trust it.
The Badge Problem: Why Featured Isn’t a Green Light
Most safety advice starts and ends with “check for the verified badge.” That advice failed 900,000 people in January 2026 (six months before this article’s July 2026 publication).
Two extensions impersonating the legitimate AITOPIA developer harvested full ChatGPT and DeepSeek conversation content and shipped it to an attacker’s server every 30 minutes. One of the two carried Google’s Featured badge at the time of discovery. The badge is applied after a manual review for best practices, and the malicious behavior slipped through anyway.
The two Chrome Web Store badges certify less than most people assume:
| Badge | What it confirms | What it does not confirm |
|---|---|---|
| Established Publisher | Developer verified their identity and has a track record. ~75% of the store carries it. | That the code is safe or the permissions are reasonable |
| Featured | Google manually reviewed the listing for best-practice and privacy guidelines | That a later update is safe, or that hidden behavior was caught |
Badges are worth a glance. They confirm identity and a review, never safe code. The seven checks below are what actually protect you.
Checks 1-3: Read Permissions Like a Threat Model
Every extension declares its access in four buckets: permissions, optional_permissions, host_permissions, and optional_host_permissions. Chrome collapses these into the plain-English prompt you see at install time. Read it instead of clicking through.
The all-access flag. “Read and change all your data on all websites” maps to the <all_urls> host permission. It lets the extension see and modify every page you load, including your email, your bank, and any AI chat you have open. Some extensions require it by design: an ad blocker or a password manager works everywhere. A currency converter, a single-site helper, or a new-tab theme does not. The real test is whether this specific function needs it.
The mismatch test. Line up the permission list against the one-sentence description of what the extension does. A wallpaper extension requesting tabs and scripting access is asking for capabilities its stated job never touches. That gap is where hidden behavior lives.
The manifest-version test. Manifest V2 has been disabled in stable Chrome since October 2024. An extension still shipping V2 in mid-2026 is not being maintained. Abandoned extensions with broad permissions are exactly what attackers buy and repurpose, which is the next check.
Read the Source: A CRX File Is Just a ZIP
You do not have to take the developer’s word. A packaged Chrome extension (a .crx file) is a ZIP archive holding the manifest and every line of source. You can read it without installing anything.
- Grab the extension ID. It is the long string of letters in the Web Store URL, right after
/detail/name/. - Open it in a viewer. Paste the ID into CRXcavator, CRXPlorer, or Rob Wu’s open-source crxviewer. Each fetches and unpacks the extension in the browser. To work offline, download the CRX and run
unzipon it. - Read
manifest.jsonfirst. It lists the permissions, thecontent_scriptsand the sites they run on, and the background service worker. This is the ground truth the marketing copy is written on top of. - Grep the JavaScript for two patterns. Search for
fetch(andXMLHttpRequestto find every outbound request, then check the destination domains. A legitimate tool talks to its own API or the service it integrates. Requests to unfamiliar domains, especially alongside code that readsdocument.bodyor scrapes page text, are the exfiltration pattern that hit AITOPIA users.
Static source reading tells you what an extension can do. To watch what it actually sends while running, the companion audit in how extensions steal AI chats walks through the DevTools Network tab. Use both: read the manifest before install, watch the network after.
The Ownership-Transfer Trap
The nastiest 2026 vector needs no coding skill. An attacker buys a clean, popular extension and pushes one poisoned update.
QuickLens was listed for sale in late 2025. Its owner changed in February 2026, and a malicious update landed within days (roughly five months before this article’s publication). That update stripped security headers from web responses, opening the door to cross-origin attacks against every user who had installed it months earlier for a completely benign feature.
This works because granted permissions survive updates. When you approve <all_urls> once, every future version inherits it silently. There is no second prompt when new code arrives. Two defenses:
- Prefer extensions from a named company or developer with a public history, not a solo listing that could quietly change hands.
- Re-audit after any big behavior change, new permission request, or visible ownership shift. A sudden 1-star review wave after an update is often the first public sign.
Reviews and Developer Identity
The last two checks are about accountability, and both have caveats.
Reviews are not verified. Google does not confirm review authenticity, and paid review services exist. A cluster of near-identical five-star reviews posted in a short window is a manufactured-reputation signal. So is a burst of one-star reviews after a specific update, which usually means real users noticed something broke or turned hostile.
A real developer leaves a trail. A named company, a working website, a support contact, and a privacy policy that names specific data practices are all positive signals. Anonymity plus broad permissions is the combination to avoid. The Established Publisher badge helps here, but remember it sits on ~75% of the store, so its absence is a bigger flag than its presence is a reassurance.
The 2026 record these checks are built from:
| Incident (2026) | Scale | How it worked |
|---|---|---|
| Fake AITOPIA extensions (Jan) | 900K downloads | AI chat + tab URLs exfiltrated every 30 min; one had a Featured badge |
| History-harvest ring (Feb) | 287 extensions / 37M downloads | Browsing history leaked, many on install |
| QuickLens ownership transfer (Feb) | 1 extension | Sold, then updated to strip security headers |
| Wallpaper adware ring (Jun) | 152 extensions / 105K installs | Ad fraud and fake traffic |
| OAuth token theft ring | 100+ extensions | Stole Google OAuth2 bearer tokens |
Running the Full Checklist
Verified on Chrome 150 (current stable, July 2026), the seven points in order:
- Permissions match the stated function.
- Host access is no broader than the job requires.
- Manifest V3, not the abandoned V2.
- Source reads clean (manifest permissions, no exfiltration pattern in the JS).
- No recent unexplained ownership change or permission bump.
- Reviews look organic, not clustered or freshly astroturfed.
- The developer has a verifiable public identity.
The other lever is simply owning fewer extensions. Every install is a standing permission grant that lasts until you revoke it, and each one is a separate thing to keep auditing. SuperchargePerformance folds ad blocking, tracker blocking, cookie-banner rejection, and popup blocking into one extension that stores everything locally, sends zero telemetry, needs no account, and holds the Featured badge on the Web Store. Fewer grants, fewer things to vet.
If an extension asks to read every page and its function does not need that, stop at check one; you already have your answer. If the permissions are reasonable but the developer is anonymous, extract the CRX and read the manifest before trusting it. If it clears all seven, install it, then re-run the audit the next time it updates or changes hands.
Frequently Asked Questions
How can I tell if a Chrome extension is safe before installing it?
Does the Featured or Verified badge mean a Chrome extension is safe?
What Chrome extension permissions are red flags?
How do I read the source code of a Chrome extension?
What is the extension ownership-transfer attack?
Is Manifest V2 a sign an extension is abandoned?
Don't miss the next release
Be first to know when we ship something new.
Related Articles
STOP Extensions Stealing Your AI Chats: 5 Checks (2026)
900K users had ChatGPT & DeepSeek chats exfiltrated in 2026. How Prompt Poaching works, how to audit your extensions, and red flags before installing.
Chrome Privacy Extensions Ranked by Data Collection (2026)
Most "privacy" extensions collect more than they block. We ranked popular extensions by actual telemetry — from zero collection to selling browsing history.
Manifest V2 vs V3 Chrome Extensions: What Changed (2026)
Manifest V2 has been disabled in stable Chrome since October 2024. What MV3 changed, why uBlock Origin split, and what still works as of June 2026.
Is Volume Booster Safe? The Chrome Spyware Problem (2026)
Some Chrome volume boosters got caught injecting affiliate code and calling malware domains. Which are safe, which to delete, and how to vet one in 2026.