← field notes

How a Helpful Browser Extension Can Spy on Everything

it called itself a coupon finder. one little button next to the address bar, a friendly icon, a promise to dig up a discount code at checkout so you never paid full price again. you clicked add to browser without thinking, the way everyone does.

and from that second on, the same small program that hunted for coupons sat quietly behind every page you opened. not just the shopping pages. the bank tab in the morning, the email before lunch, the search at midnight you would not say out loud. it was never only watching for discounts. it was allowed to watch everything, and watching everything was the part nobody read.

the permission nobody reads

when you install an extension, somewhere in that quick flow a line appears that says it can read and change all your data on the websites you visit. most people glance at it for half a second and click accept, because the button is right there and the coupon is waiting. that one sentence is the whole story.

read and change all your data on all websites is not a narrow power. it is close to the broadest thing software can ask for inside your browser. and the browser is where your life happens now, so granting it there is granting it almost everywhere that matters.

what that sentence actually means

think about what a web page really is while you are using it. it is your bank balance rendered on screen. it is the message half typed in a box. it is the search you just ran, the email in the next tab, the form with your address and card number sitting in fields waiting to be filled.

an extension with that permission can see all of it. it sits inside the page, on the same side of the screen as you, after the encryption has already been undone so you can read the page yourself. the little padlock that protects your traffic on the way to the site does nothing here, because the extension is not on the way. encryption guards your data while it travels between your machine and the server. the extension is not in the middle. it is at the destination, sitting next to you at the moment the page is decrypted and laid out plainly on screen.

inside the page, beside you

this is the part that surprises people. they picture an extension as a small tool bolted on the outside, poking at the browser from a safe distance. the reality is the opposite. a content script runs inside the page itself, in the same space as the site’s own code, with the same view of everything on it.

so it can read the text of the page after it loads. it can watch the fields you type into, character by character. it can see the buttons you click and the requests the page sends. anything the page can see about what you are doing, the extension can see too, because for that moment they live in the same room. and none of this looks like anything. there is no warning light, no slowdown, no sign in the corner that something is reading along.

the useful disguise

here is what makes it hard to spot. the dangerous extension and the genuinely helpful one ask for the same permission, because they often do the same job. a real coupon finder does need to read the checkout page to find the price. a real grammar helper does need to read what you type so it can fix it. a real price tracker does need to watch the product page.

so the request looks reasonable, because for an honest extension it is reasonable. you cannot tell a good actor from a bad one by the permission alone, because they both ask for the keys to the whole house. the usefulness is real, which is exactly why the access feels acceptable, and exactly why it is so easy to hand over far more than you meant to.

the extension that turns

now add time, because this is where it gets worse. an extension does not have to be malicious on the day you install it. plenty start out completely honest, built by someone who actually wanted to make a coupon finder. it works well, and it earns a few hundred thousand trusting users over a couple of years.

then one day it changes hands, or its account is broken into, and the new owner has different plans. there is a quiet market for this, because an extension with a large, trusting user base is worth real money precisely for the access it already holds on all those machines. nothing on your screen tells you. the icon is the same, the button still finds coupons. underneath, it has started doing something else as well. the users never agreed to the new owner, because they were never asked.

a silent update for millions

the reason this stays quiet is the auto update. extensions update themselves in the background, with no prompt and no announcement, because that is how security patches reach you fast. it is a genuinely good design that also happens to be the perfect delivery system for the opposite.

so when an extension goes bad, it does not need to convince anyone to reinstall anything. the next routine update carries the new behavior, and it lands on every machine that has it. an extension trusted by a million people can flip from helpful to harmful overnight, across a million browsers at once, and almost nobody notices the morning it happened.

how the stores try to catch it, and why it slips through

the extension stores are not blind to this. before an extension is allowed in, it gets reviewed, partly by automated systems scanning the code for known bad patterns and partly by human checks. they look for an extension asking for far more access than its job needs, or code that phones home to strange places. they keep watching after a listing goes live, because the version you installed is not the only one that matters. updates get scanned, ownership changes draw attention, sudden shifts get flagged.

but review has a hard problem. the same code can be harmless or harmful depending on a signal it receives later. an extension can behave perfectly during review and wait, holding its bad behavior back until a certain date, or until it runs on a real machine rather than a test one, or until a server quietly tells it to begin. reviewers see a snapshot. detection keeps getting better and catches plenty, but a system that decides its behavior after it is already inside your browser will always have somewhere left to hide.

how to think about it, defensively

the useful shift is not paranoia, it is a question you ask before you click. when an extension wants to read and change everything on every site, weigh whether the job it does actually needs that, and whether you trust the people behind it enough to hand them that view for as long as it stays installed. a tool that works on one site should not need every site. a tool that does something simple should not need to watch everything you type.

then keep fewer extensions. the ones you keep, keep because you know what they are for and roughly who makes them. the ones you stopped using, remove, because an extension you forgot about is still a door left open, and a forgotten door is exactly the kind that gets quietly walked through. look at the list now and then and ask, honestly, do i still use this, and do i still trust it.

the stores carry a real load here. the review, the scanning, the watching for ownership changes all catch a great deal. but it is a filter, not a wall, and it sits a long way from your screen. by the time something slips through and auto updates onto your machine, the only thing between it and everything you do is the access you granted on the day you first clicked add to browser.

so come back to that coupon finder, and the moment you added it. it was one click, and it handed a stranger a seat inside every page you would ever open in that browser. not the pages from that day, all of them, for as long as it stayed installed and for whoever came to own it later. that is the real shape of an extension. not a small tool on the edge of your browser, but a guest you let all the way in, and trust to keep being who they were the day you opened the door.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →