Dozens of widely used browser extensions have been collecting and selling user data with explicit disclosure in their privacy policies, a LayerX Security study has found.
The browser security firm has identified more than 80 extensions that reserve the right to sell user data. These include tools across categories such as streaming, ad blocking and productivity, with millions of combined installations.
“Unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it,” LayerX Security said.
The report also claimed that 71% of Chrome Web Store extensions do not publish a privacy policy. This would leave over 73% of users with at least one installed extension that offers no visibility into how their data is handled.
Data Monetization Disclosed in Policies
Rather than hiding behavior, many extensions rely on broad legal language to permit data sales. Statements such as “may sell or share your personal information” allow publishers to commercialize user data at their discretion.
From an initial dataset of roughly 9000 extensions, the researchers said they analyzed 6666 privacy policies and confirmed 82 extensions engaged in commercial data sharing after manual review.
One network of 24 media extensions, including Netflix, Hulu, Disney+, Amazon Prime Video and HBO Max, among others, reached about 800,000 users. These tools collect viewing behavior, preferences and demographic data across major streaming platforms, then package those insights for third parties.
These tools operate as a distributed data collection system, capturing and monetizing user activity in several ways:
-
Tracking viewing history and engagement across streaming platforms
-
Building user profiles using preferences and inferred demographics
-
Packaging and selling aggregated insights to advertisers and analytics firms
Ad Blockers and Enterprise Exposure
Elsewhere, at least 12 ad blockers with a combined user base exceeding 5.5 million were found to sell or share browsing data. Some collect detailed behavioral information, including inferred sensitive attributes based on user activity.
Read more on browser security risks: Researchers Warn of Security Gaps in AI Browsers
Corporate environments are also affected. The report identified 29 business-focused extensions that gather browsing data from enterprise systems, potentially exposing internal activity through commercial datasets.
The findings suggest that traditional extension security checks may miss privacy risks. Even when disclosed, data-selling practices can operate at scale with limited oversight, posing challenges for both users and organizations.
“Most browsers already support centralized extension management through enterprise policies – Chrome’s ExtensionSettings, Edge’s group policies, Firefox’s enterprise configurations,” LayerX wrote. “If you don’t have an extension governance policy, that’s the first step. If you do, add privacy policy review to the evaluation criteria.”
