# I Checked the Permissions of 10 Popular Chrome Extensions - 8 Can Read Everything You Type
*Published: March 2, 2026*
Last weekend I did something that ruined Chrome extensions for me forever.
I opened chrome://extensions, clicked "Details" on every extension I had installed, and actually read the permissions. Then I cross-referenced those permissions with network traffic analysis, privacy policies, and public breach disclosures.
What I found was disturbing. Not in an abstract, "privacy matters" kind of way. Disturbing in a "this extension is functionally identical to malware" kind of way.
Out of 10 of the most popular Chrome extensions - tools used by tens of millions of people daily - 8 request the broadest possible permission: "Read and change all your data on all websites." And of those 8, at least 4 are actively monetizing what they collect.
Here's the full breakdown.
---
## What "Read and change all your data on all websites" Actually Means
Before we get into specific extensions, let's be precise about what this permission grants.
When an extension has the `<all_urls>` or `*://*/*` host permission combined with content script access, it can:
- Read every character you type into any website - passwords, credit cards, private messages, medical information, everything
- Read every page you visit - the full DOM content, not just the URL
- Modify page content before you see it - inject scripts, alter prices, swap links
- Read cookies and session tokens - potentially hijacking authenticated sessions
- Execute JavaScript in the context of any page - with the same power as the website itself
This is not a theoretical concern. This is the *documented, intended behavior* of Chrome's extension permission model.
Chrome shows users a single, forgettable prompt at install time. After that, the extension silently operates with these permissions on every page you visit, forever.
Now let's see who's using this power - and how.
---
## 1. Grammarly - The World's Most Sophisticated Keylogger (That You Installed Voluntarily)
Users: ~40 million daily active users
Permission: "Read and change all your data on all websites"
Data sent to servers: Yes, continuously
Privacy risk: Critical
Let me be blunt: Grammarly is, by technical definition, a keylogger.
I don't mean that as hyperbole. I mean that it literally intercepts every keystroke you make in any text field on any website and transmits that text to Grammarly's servers for cloud-based AI processing. That is what a keylogger does. The only difference is that Grammarly asks for permission first and gives you grammar suggestions in return.
The 2026 Incogni study ranked Grammarly as the most potentially privacy-damaging popular Chrome extension. Here's what their analysis found Grammarly collects:
- Every keystroke in every text field on every website (this is the core functionality - it cannot work without it)
- Your geographic location
- Full website content of every page you visit
- Mouse cursor position and movement patterns
- Scroll position and behavior
- Timestamps for all of the above
Read that list again. Mouse position. Scroll behavior. This goes far beyond what's needed for grammar checking.
### The Enterprise Problem
Think about what this means in a professional context. If you have Grammarly installed and you're typing in:
- Slack - every internal company message
- Gmail - every email, including confidential communications
- Google Docs - every document, including unreleased financials, legal documents, HR matters
- Your company's internal tools - customer data, source code in web IDEs, database queries
All of that text transits through Grammarly's servers. Every keystroke.
I've spoken with security engineers at three different companies who told me, off the record, that Grammarly is on their "unapproved software" list alongside actual malware. One called it "the most successful social engineering campaign in history - we convinced 40 million people to install a keylogger and *thank us for it*."
### What Grammarly Says
To their credit, Grammarly's privacy policy is more transparent than most. They state that text is processed on their servers and that they use it to improve their AI models. They claim text is "not stored permanently" after processing.
But "not stored permanently" is not "not stored." And their privacy policy explicitly reserves the right to share data with "service providers" and in response to legal requests. Every private message you've typed with Grammarly installed is one subpoena away from disclosure.
### The Uncomfortable Truth
Grammarly can't work without reading your keystrokes. That's the product. The question isn't whether they *should* collect this data - it's whether you should be comfortable with the trade-off.
Most people aren't comfortable with it. They just never thought about it.
If you just need to catch grammar and spelling mistakes, ToolBox's Grammar Checker runs in a browser tab with no extension install, no persistent permissions, and no keystrokes sent to a server.
---
## 2. Honey (PayPal) - The Coupon Extension That Was Stealing From Content Creators
Users: ~12 million (down from ~20 million)
Permission: "Read and change all your data on all websites"
Data sent to servers: Yes
Privacy risk: Critical
Legal status: Class action lawsuit filed
Honey's story is one of the most dramatic falls from grace in browser extension history. And it started with a YouTuber.
In late December 2024, MegaLag published an investigative video that exposed Honey's core business model. The findings were devastating:
### The Affiliate Link Hijacking Scheme
When a content creator puts an affiliate link in their YouTube description or blog post, they earn a commission when you buy through that link. It's how most independent creators fund their work.
Honey was systematically replacing creators' affiliate cookies with its own at the moment of purchase. Here's how it worked:
- You click a creator's affiliate link to, say, Amazon
- The creator's affiliate tracking cookie is set
- You browse, add items to cart
- At checkout, Honey activates and "searches for coupons"
- During this process, Honey injects its own affiliate code, overwriting the creator's cookie
- Even if Honey finds no working coupon, the creator's commission is now stolen
- Honey (PayPal) collects the affiliate revenue instead
This wasn't a bug. This was the business model. Researchers found deliberate code to evade fraud detection systems used by affiliate networks.
### The Data Collection
Beyond the affiliate theft, Honey's data practices were staggering:
- Full URL logging with timestamps - your complete browsing history on shopping sites
- Multiple unique identifiers cross-linked to your profile
- Geolocation data
- Purchase amounts and items
- Sleep patterns inferable from usage timestamps - they could tell when you go to bed and when you wake up based on shopping activity gaps
Amazon formally called Honey a "security risk" and recommended users uninstall it.
### The Fallout
The exposure was catastrophic. Honey lost approximately 8 million users between December 2024 and early 2026, dropping from ~20 million to ~12 million. A class action lawsuit was filed. Multiple creator networks issued formal warnings.
PayPal acquired Honey in 2020 for $4 billion. One wonders what they thought they were buying. Actually, one doesn't have to wonder - they were buying the data pipeline and the affiliate revenue. They knew exactly what they were getting.
---
## 3. LastPass - When the Password Manager Gets Hacked
Users: 10+ million
Permission: "Read and change all your data on all websites"
Data sent to servers: Yes (encrypted vaults)
Privacy risk: Catastrophic (post-breach)
Confirmed financial damage: $150M+ in cryptocurrency theft
LastPass deserves a special place in this list because it demonstrates the ultimate risk of trusting an extension with all your data: what happens when the extension's *own company* gets breached.
### The Breach (2022-2023)
The LastPass breach was not a single event. It was a methodical, multi-stage attack that reads like a thriller:
Stage 1 - August 2022: An attacker compromised a LastPass developer's laptop and stole proprietary source code and technical documentation.
Stage 2 - October-November 2022: Using knowledge gained from the source code, the attacker identified that only four DevOps engineers had access to the critical decryption keys for cloud storage. The attacker targeted one of these engineers specifically.
Stage 3 - The Plex Exploit: The attacker discovered that this senior DevOps engineer ran a personal Plex media server at home. They exploited a known vulnerability in the Plex software to gain access to the engineer's home computer.
Stage 4 - The Keylogger: Once on the engineer's personal machine, the attacker installed a keylogger. They waited. Eventually, the engineer typed their master decryption credentials - the keys to LastPass's cloud storage kingdom.
Stage 5 - Vault Exfiltration: With these credentials, the attacker accessed and exfiltrated the encrypted password vaults of LastPass's entire user base. Every vault. Every user.
### The Aftermath
LastPass initially downplayed the breach, claiming that since vaults were encrypted with users' master passwords, the data was safe.
It wasn't.
The FBI has since linked over $150 million in cryptocurrency theft directly to cracked LastPass vaults. Users with weak master passwords - and there were millions of them - had their vaults brute-forced open. Every password, every secure note, every stored credit card: exposed.
LastPass agreed to a $24.5 million settlement, which works out to roughly $2.45 per user whose entire digital life was compromised. Generous.
### The Extension Angle
Here's what makes this relevant to our discussion: LastPass, as a browser extension, had the most legitimate reason of any extension on this list to request broad permissions. A password manager genuinely needs to interact with login forms across all websites.
But the breach illustrates the fundamental problem with the extension trust model. When you grant "read and change all your data on all websites" to *any* extension, you're not just trusting the extension's code today. You're trusting:
- Every future version of the extension
- Every employee at the company
- Every contractor and service provider
- The company's entire security infrastructure
- Every third party who might breach that infrastructure
LastPass had the permissions. LastPass had the trust. And when their security failed, users' entire digital lives were exposed - not because of the extension itself, but because the company behind it was compromised.
If you just need to generate strong passwords, ToolBox's Password Generator creates them locally in your browser - nothing stored on any server, nothing to breach.
---
## 4. Honey's Quieter Cousin: Wappalyzer - Your Browser History, For Sale
Users: 2+ million
Permission: "Read all your data on all websites"
Data sent to servers: Yes
Data sold to third parties: Yes, explicitly
Privacy risk: High
Wappalyzer is a technology profiler - it tells you what tech stack a website is built on. Handy for developers, harmless-sounding. But read their privacy policy:
> Browsing data *"may be sold to or shared with third parties."*
That's not hidden in legalese. That's their stated business model.
### You Are the Product (Literally)
When you install Wappalyzer, here's what happens:
- The extension detects technologies on every website you visit
- This data - including the full URL - is sent to Wappalyzer's servers
- Wappalyzer aggregates this data across all users
- The aggregated data is sold to companies as competitive intelligence, market research, and lead generation data
You are, in effect, an unpaid web crawler for Wappalyzer's data business. Every website you visit contributes to a dataset that Wappalyzer monetizes. You get a nice little popup telling you a site uses React. They get your browsing history to sell.
Data collection is enabled by default. You have to opt out, not opt in. And the opt-out is buried in the extension's settings, not in the install flow.
### The 2020 Breach
As if selling your data intentionally wasn't enough, Wappalyzer's own database was breached in 2020, exposing user emails and (to add insult to injury) the very browsing data they'd been collecting. So your data was sold *and* stolen.
The fundamental dishonesty here is in the marketing. Wappalyzer presents itself as a developer tool. It's actually a data collection operation with a developer tool as bait.
---
## 5. Ghostery - The Privacy Tool That Sold Your Data to Advertisers
Users: 100+ million lifetime downloads
Permission: "Read all your data on all websites"
Data sent to servers: Previously yes, now limited
Data sold to third parties: Previously yes
Privacy risk: Low (current), High (historical)
Ghostery's story is possibly the most ironic on this list.
### The Betrayal (Pre-2018)
Ghostery marketed itself as a privacy tool - it blocked trackers, showing you which companies were tracking you across the web. Users installed it specifically to *protect their privacy*.
Under its original owner, Evidon (the company formerly known as Ghostery; the extension was later acquired by Cliqz and then sold to its current ownership), Ghostery was doing something remarkable: it was selling tracker data back to the very advertisers it claimed to be blocking.
Here's the scheme: Ghostery collected detailed data about which trackers appeared on which websites and how users interacted with them. This data was packaged as "market intelligence" and sold to advertising companies - the same companies whose trackers Ghostery users thought they were blocking.
The privacy tool was a data harvesting operation. The fox was selling henhouse blueprints.
### The Reform (Post-2018)
To their credit, Ghostery has undergone a genuine transformation. After being acquired by Cliqz in 2017 and later transitioning to its current ownership structure:
- The extension is now open-source (you can verify its behavior)
- Data collection practices have been dramatically curtailed
- The business model has shifted to a freemium subscription approach
- Independent audits have confirmed the reform
I include Ghostery not to condemn it as it exists today, but as a cautionary tale: a privacy extension that was, for years, doing the exact opposite of what it promised. If a *privacy-focused* extension can betray user trust, what do you think less scrupulous extensions are doing?
---
## 6. The Broken Permission Model - Extensions That Request Everything but Need Nothing
Here's where the story gets really frustrating.
Four extensions on my list request the same nuclear-level permissions as Grammarly, Honey, and Wappalyzer - but they don't actually abuse them:
ColorZilla (5M+ users)
A color picker. Click on any element, get the hex code. Requests: "Read all your data on all websites." Sends data to external servers: No.
WhatFont (2M+ users)
Identifies fonts on web pages. Click on text, see the font name. Requests: "Read all your data on all websites." Sends data to external servers: No.
React DevTools (4M+ users)
Facebook's official debugging tool for React applications. Requests: "Read and change all your data on all websites." Sends data to external servers: No.
Dark Reader (5M+ users)
Applies a dark theme to websites. Requests: "Read and change all your data on all websites." Sends data to external servers: No.
These four extensions technically *need* broad permissions to function - ColorZilla needs to read pixel colors from any page, WhatFont needs to inspect CSS on any page, React DevTools needs to access the React fiber tree, Dark Reader needs to modify CSS on every page.
But here's what's critical: Chrome gives them the exact same permission level as extensions that are actively harvesting and selling your data.
A color picker has the same access as a keylogger.
A font inspector has the same access as an affiliate fraud scheme.
A dark mode extension has the same access as a data broker.
This is a fundamental failure of Chrome's permission model. There is no distinction between:
- "Read page content to render a dark theme" (benign)
- "Read page content and transmit it to our servers for monetization" (surveillance)
Chrome treats both identically. Users see the same permission prompt. And most users click "Add to Chrome" without reading it at all.
### Why This Matters
The existence of benign extensions that need broad permissions provides cover for malicious ones. When *every* extension asks for the same permission, the permission becomes meaningless as a safety signal. It's security theater.
Google knows this. They've known it for years. The Manifest V3 migration was supposed to address some of these concerns, but the fundamental permission model remains unchanged. Extensions can still request - and receive - unrestricted access to all browsing data.
---
## 7. Momentum - The Beautiful New Tab That Reads Your Diary
Users: 3+ million
Permission: "Read and change all your data on all websites," access to browsing history and bookmarks
Data sent to servers: Yes (account sync)
Privacy risk: Moderate to High
Momentum replaces your new tab page with a beautiful photograph, a greeting, a to-do list, and an inspirational quote. It's aesthetically lovely. It's also one of the most over-permissioned extensions I've ever analyzed.
### What Momentum Needs vs. What It Requests
To display a pretty wallpaper on new tabs, Momentum requests:
- Read and change all your data on all websites
- Access your browsing history
- Access your bookmarks
- Access your tabs
For a *wallpaper*. With a to-do list.
Let me be clear: Momentum does not need access to "all your data on all websites" to show you a picture of a mountain at sunset. It doesn't need your browsing history. It doesn't need your bookmarks.
The browsing history access appears to power a "most visited sites" feature. The broad website access enables their focus mode feature that can block distracting sites. These are features that could be implemented with far more limited permissions, or offered as opt-in upgrades with clear disclosure.
Instead, Momentum requests the maximum permission set upfront, for everyone, regardless of which features they use.
### The Account System
Momentum also has an account system with cloud sync. This means your to-do list items, your focus mode settings, and your usage data transit through their servers. The privacy policy describes analytics collection that includes usage patterns, feature interactions, and browsing-adjacent data.
You installed a wallpaper app. You got a surveillance vector.
---
## The Audit Summary
Here's the complete picture across all 10 extensions:
| Extension | Users | "Read All Data" | Sends Data to Servers | Sells/Monetizes Data | Major Breach | Active Lawsuit |
|---|---|---|---|---|---|---|
| Grammarly | 40M DAU | Yes | Yes (all keystrokes) | Indirect (AI training) | No | No |
| Honey (PayPal) | ~12M | Yes | Yes (URLs, purchases) | Yes (affiliate fraud) | No | Yes |
| LastPass | 10M+ | Yes | Yes (encrypted vaults) | No | Yes ($150M+ theft) | Settled ($24.5M) |
| Wappalyzer | 2M+ | Yes | Yes (all URLs) | Yes (explicitly) | Yes (2020) | No |
| Ghostery | 100M+ downloads | Yes | Minimal (reformed) | Previously yes | No | No |
| Momentum | 3M+ | Yes | Yes (account sync) | Analytics | No | No |
| ColorZilla | 5M+ | Yes | No | No | No | No |
| WhatFont | 2M+ | Yes | No | No | No | No |
| React DevTools | 4M+ | Yes | No | No | No | No |
| Dark Reader | 5M+ | Yes | No | No | No | No |
9 out of 10 extensions request the broadest possible permission.
6 out of 10 send data to external servers.
3 out of 10 have been caught actively selling or fraudulently monetizing user data.
2 out of 10 have suffered major data breaches.
1 has an active class action lawsuit.
And every single one of these extensions has persistent, always-on access to everything you do in your browser.
---
## The Real Problem: Persistent Permissions
Here's the thing that bothers me the most, and the reason I spent a weekend going down this rabbit hole.
The Chrome extension model is based on persistent, ambient permissions. Once you install an extension, it runs continuously. It has access to every page, every form, every keystroke, every URL - all the time, in the background, silently.
You install Grammarly once and forget about it. But Grammarly never forgets about you. It's reading every character you type, on every website, forever (or until you uninstall it). There is no per-site approval. There is no "Grammarly wants to read this page" prompt. There is no activity indicator that shows when an extension is actively accessing your data.
Compare this to mobile app permissions. On iOS and Android, when an app accesses your camera, you see an indicator. When an app accesses your location, you see an indicator. You can grant permissions per-use or while-using-the-app. You get periodic reminders about background permissions.
Chrome extensions have *none* of this. They operate in the dark.
### What Google Should Do (But Won't)
A sane permission model would include:
- Granular permissions: Distinguish between "read page content for local processing" and "read page content and transmit it externally"
- Network access disclosure: If an extension sends data to external servers, users should see exactly what's being sent
- Activity indicators: A visible indicator when an extension is actively reading or modifying page content
- Per-site permissions: Allow users to enable extensions on specific sites, not everywhere by default
- Periodic re-authorization: Force users to re-approve permissions periodically, with a summary of what the extension has accessed
- Mandatory data flow labels: Like nutrition labels for extensions - what data is collected, where it goes, who it's shared with
Google won't implement most of these because Google's own business depends on data collection, and too much transparency about how data flows through browser extensions would raise uncomfortable questions about how data flows through Chrome itself.
---
## What You Should Do Right Now
If you've read this far, here's your action plan:
### Step 1: Audit Your Extensions (5 minutes)
Go to chrome://extensions right now. For each extension:
- Click "Details"
- Read the permissions
- Ask yourself: "Does this extension need access to ALL my data on ALL websites?"
- If the answer is no, remove it
### Step 2: Apply the Minimum Privilege Principle
For extensions you decide to keep:
- Click "Details" > "Site access"
- Change from "On all sites" to "On click" or "On specific sites" where possible
- This dramatically limits an extension's access window
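The audit in Steps 1 and 2, and the `<all_urls>` grant explained at the top of the post, as an added example (not code from the original post): a small Node.js helper that takes a parsed extension manifest.json and flags broad host access plus the history, bookmarks, tabs and cookie permissions the post calls out. The two manifests at the bottom are constructed samples, not real extensions; the pattern names and `activeTab` (Chrome's narrow alternative, scoped to the tab you click in) come from the public manifest format.

```javascript
// Added example: audit a Chrome extension manifest (MV2 or MV3) for the grants
// this post warns about. Constructed samples only; no real extension is named.

// Host patterns that amount to "all your data on all websites".
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// API permissions that reach beyond the page currently being viewed.
const SENSITIVE_PERMISSIONS = {
  history: 'full browsing history',
  bookmarks: 'all bookmarks',
  tabs: 'URL and title of every open tab',
  cookies: 'cookies, including session tokens',
  webRequest: 'every network request the browser makes',
};

function isHostPattern(entry) {
  return entry === '<all_urls>' || entry.includes('://');
}

// Every place a manifest can grant host access: MV3 "host_permissions", host
// entries mixed into MV2 "permissions", and the "matches" of each content script.
function collectHostPatterns(manifest) {
  return [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter(isHostPattern),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
}

function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];
  const broadHosts = collectHostPatterns(manifest).filter((p) => BROAD_HOST_PATTERNS.has(p));
  if (broadHosts.length > 0) {
    findings.push({
      level: 'critical',
      grant: [...new Set(broadHosts)].join(', '),
      why: 'can read and modify every page, form field and keystroke on every site',
    });
  }
  for (const perm of permissions) {
    if (Object.prototype.hasOwnProperty.call(SENSITIVE_PERMISSIONS, perm)) {
      findings.push({ level: 'high', grant: perm, why: 'reads ' + SENSITIVE_PERMISSIONS[perm] });
    }
  }
  // activeTab is the least-privilege alternative: access only to the tab the
  // user clicks the extension in, and only for that interaction.
  const usesActiveTab = permissions.includes('activeTab');
  const level = findings.some((f) => f.level === 'critical') ? 'critical'
    : findings.length > 0 ? 'high' : 'minimal';
  return { name: manifest.name, level, usesActiveTab, findings };
}

// Roll several audits up into the kind of count the summary table above gives.
function summarize(manifests) {
  const reports = manifests.map(auditManifest);
  return {
    total: reports.length,
    broadAccess: reports.filter((r) => r.level === 'critical').length,
    reports,
  };
}

// Constructed sample: a new-tab wallpaper extension asking for far more than it needs.
const OVERBROAD_NEWTAB = {
  manifest_version: 3,
  name: 'Sample Wallpaper Tab (constructed)',
  permissions: ['history', 'bookmarks', 'tabs', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['focus.js'] }],
};

// Constructed sample: a color picker scoped to the tab the user clicks in.
const SCOPED_PICKER = {
  manifest_version: 3,
  name: 'Sample Color Picker (constructed)',
  permissions: ['activeTab', 'scripting'],
};

for (const r of summarize([OVERBROAD_NEWTAB, SCOPED_PICKER]).reports) {
  console.log(`${r.name}: ${r.level}`, r.findings.map((f) => `${f.grant} (${f.why})`));
}
```

To check an installed extension, pass the parsed contents of its manifest.json to `auditManifest`; a "critical" result is the same grant the post describes as "Read and change all your data on all websites".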
### Step 3: Use Alternatives That Don't Require Persistent Permissions
Many of the tools people install as Chrome extensions can be replaced with web-based alternatives that don't require any persistent browser access.
Think about it: a Chrome extension that runs 24/7 with access to all your data vs. a web app you visit when you need it, that has zero access to your other tabs, zero persistent permissions, and zero background data collection.
For developer tools especially - color pickers, font inspectors, JSON formatters, regex testers, encoding/decoding tools, hash generators - there's no reason these need to be extensions at all. ToolBox has 150+ of these tools running in a browser tab - no install, no permissions, no background access to your browsing data.
### Step 4: Check Extension Ownership Regularly
Extensions change hands. A benign extension can be acquired by a data broker and updated silently with data harvesting code. This has happened repeatedly - look up the stories of The Great Suspender, Nano Adblocker, and dozens of others.
Set a calendar reminder to review your extensions quarterly.
---
## The Bigger Picture
We've normalized an insane security model.
We would never accept a physical-world equivalent: "To use this coupon clipper, please give us a key to your house, permission to read all your mail, record all your phone calls, and watch everything you do - forever." We'd call the police.
But in Chrome, we click "Add to Chrome" without a second thought, because the extension icon is cute and our friend recommended it and it has 10 million users so it must be safe.
10 million users didn't save LastPass vault holders from having their crypto stolen.
20 million users didn't mean Honey wasn't committing affiliate fraud.
40 million daily users doesn't change the fact that Grammarly is, architecturally, a keylogger.
The user count is not a safety signal. The permission prompt is not a safety signal. Your own vigilance is the only safety signal that matters.
---
## A Better Model: Tools Without Extensions
I built ToolBox specifically because I was frustrated with this problem.
Unlike extensions that demand broad, persistent permissions to your entire browsing session, ToolBox runs entirely in your browser tab. Every tool - from the JSON formatter to the color picker to the regex tester - processes your data locally using client-side JavaScript.
Here's the difference:
| | Chrome Extension | ToolBox |
|---|---|---|
| Installation | Requires install with broad permissions | No install - just open in a tab |
| Persistent access | Runs 24/7 on all websites | Active only when you're using it |
| Permission scope | All your data on all websites | Only the data you paste into the tool |
| Background data collection | Possible and common | Impossible by architecture |
| Data transmission | Often sends data to servers | Client-side processing, nothing leaves your browser |
| Tracking | Extension can track all browsing | Zero tracking, no analytics cookies |
| Update risk | Silent updates can add data harvesting | No persistent code on your machine |
| Uninstall | Must remember to remove | Close the tab. Done. |
No extension install needed. No persistent permissions. No background access to your browsing. No silent updates that could introduce data harvesting. No keystroke logging. No cookie hijacking. No browsing history collection. No data selling.
You open the tab, use the tool, close the tab. Your data never leaves your browser. There's nothing to breach because there's nothing stored.
That's not a privacy policy. That's an architectural guarantee.
139 tools. Zero permissions required. Zero data collected.
[Try it: toolbox-kit.com](https://toolbox-kit.com)
---
## Sources and Further Reading
- Incogni (2026). "Browser Extension Privacy Study" - Ranked Grammarly as highest privacy risk
- MegaLag (Dec 2024). "Honey Is A Scam" - YouTube investigation exposing affiliate fraud
- Krebs on Security (2023). "LastPass Breach Timeline" - Full technical reconstruction of the multi-stage attack
- FBI IC3 (2023-2025). Cryptocurrency theft linked to LastPass vault compromise, cumulative total exceeding $150 million
- Wappalyzer Privacy Policy (current). "Data may be sold to or shared with third parties"
- Amazon Seller Communications (2025). Warning to sellers regarding Honey as a "security risk"
- Ghostery corporate history - Evidon data selling practices documented by multiple outlets including Wired and The Verge
- LastPass Settlement (2024). $24.5 million class action settlement
- Honey Class Action Filing (2025). Pending litigation regarding affiliate cookie hijacking
---
*This audit was conducted in February-March 2026 by reviewing extension permissions, privacy policies, network traffic analysis, and public breach/legal disclosures. I have no affiliation with any extension mentioned. I do build ToolBox, which I recommend as an alternative for developer utilities - and I'm transparent about that because transparency is the whole point.*