Your browser extension may be watching your bank activity: Here’s how to stop it

They promise convenience, but malicious browser extensions can quietly read emails, capture keystrokes, and even tamper with financial transactions. In this edition of The Safe Side, we take a look at how they work, the warning signs to watch for, and how users can stay safe.

Browser extensions run quietly in the background, often with access to sensitive user data, making malicious add-ons difficult to detect until damage is done. (Express Image: FreePik)

That small icon sitting quietly on the top right corner of your browser toolbar could be doing far more than it promises. From reading emails and capturing keystrokes to redirecting bank transactions, malicious browser extensions have emerged as a stealthy but serious digital threat, exploiting the trust users place in everyday online tools. In this edition of The Safe Side, we will understand this threat and how to tackle it.

You install a browser extension to block online advertisements and speed up your browsing or work. It works perfectly fine. Weeks go by, nothing seems wrong or suspicious — until one day your email logs in from an unknown location, ads start following you, and your bank flags a suspicious transaction. You never suspect the small tool quietly sitting in your browser. But that is often how malicious browser extensions work.

What are browser extensions?

“Browser extensions are small add-on tools that people install on their web browsers to make everyday tasks easier. For example, blocking ads, checking grammar, downloading files, or improving productivity. While many of these tools are genuine, some are created with malicious intent or turn dangerous after updates or changes in ownership. Once installed, an extension operates inside the browser and can see much of what a user does online,” Vaibhav Koul, managing director, Protiviti India Member Pvt. Ltd told indianexpress.com.

Zakir Hussain Rangwala, CEO, BD Software Distribution Pvt Ltd, said, “Some extensions ask for more access than they really need. This can allow them to track browsing activity, view sensitive information, or change website content. Malicious or compromised extensions may misuse this access to steal data, redirect users to unsafe sites, or run hidden scripts. In organisations, this can result in data leaks, stolen login details, and policy violations. Even trusted extensions can become risky after updates or ownership changes.” Since extensions run quietly in the background, problems often go unnoticed.

How do malicious browser extensions misuse permissions?

“Extensions with clipboard access can monitor sensitive data like passwords or API keys that users copy and paste. Similarly, the ‘access to all websites’ permission allows an extension to act as a ‘Man-in-the-Browser’, injecting scripts to scrape corporate data from any active page window,” said Vijender Yadav, CEO of Accops.

“Some extensions hide tracking code or activate data collection only after updates, making them hard to detect. Others may access saved passwords, login sessions, or copied text if they have permission, putting personal or company data at risk. Since extensions run inside the browser and update automatically, they can keep working in the background without setting off normal security warnings,” said Rangwala.

“Traditional antivirus software and security tools mostly look for harmful files stored on a computer’s hard drive. But browser extensions don’t work like normal files. They run inside the browser itself, using trusted system processes. Because of this, many malicious extensions go undetected,” Yadav said.

Unsafe browser extension, an entry point for organisational compromise

“From a forensic and risk-assessment standpoint, even a single compromised endpoint — resulting from the installation of an unsafe or unverified browser extension — can act as an effective entry point for wider organisational compromise. Such threats are particularly difficult to detect, as malicious extensions often masquerade as legitimate tools and function within routine user workflows without generating obvious alerts,” said Sanjay Mishra, CEO and founder, Reveal Affirm Testify Pvt Ltd, who is also working with the cyber cell, Uttar Pradesh police.

“In view of these risks, it is imperative to adopt a layered and proactive control approach. In addition to user awareness, strict enforcement of browser extension hygiene should be implemented through technical and administrative controls, such as restricting installation privileges, allowing extensions only from approved repositories, maintaining a white-list of sanctioned extensions, and conducting periodic audits of installed browser add-ons across endpoints,” he added, stressing that user education remains critical.
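The allow-list check and periodic permission audit described above, as an added example that is not part of the original article or any quoted expert's tooling. It assumes Chrome-style manifest.json permission names; the extension ids, sample manifests and the mapping from the article's wording to permission strings are constructed for illustration.

```python
import json

# Assumption: Chrome/Chromium manifest.json fields and permission names.
# The mapping from the article's wording to these strings is this example's own.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {
    "clipboardRead": "can read copied text (passwords, API keys)",
    "cookies": "can read login session cookies",
    "scripting": "can inject scripts into pages",
    "webRequest": "can observe or redirect web traffic",
}

def audit_manifest(ext_id, manifest, allowlist):
    """Return findings for one parsed manifest.json (a dict)."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on the approved list")
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    # Manifest V3 lists hosts separately; V2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("access to all websites")
    for name in sorted(perms & set(SENSITIVE)):
        findings.append(f"{name}: {SENSITIVE[name]}")
    return findings

def audit_fleet(installed, allowlist):
    """installed maps extension id -> manifest JSON text; returns flagged ids."""
    report = {}
    for ext_id, text in installed.items():
        findings = audit_manifest(ext_id, json.loads(text), allowlist)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample data: ids and manifests are made up for this example.
ALLOWLIST = {"approved-grammar-tool"}
INSTALLED = {
    "approved-grammar-tool": '{"manifest_version": 3, "name": "Grammar", '
        '"permissions": ["storage"], "host_permissions": ["https://docs.example.com/*"]}',
    "unvetted-ad-blocker": '{"manifest_version": 2, "name": "Ad Block", '
        '"permissions": ["<all_urls>", "clipboardRead", "cookies"]}',
}

if __name__ == "__main__":
    for ext_id, findings in audit_fleet(INSTALLED, ALLOWLIST).items():
        print(ext_id, "->", "; ".join(findings))
```

An approved extension is still reported if it holds broad or sensitive permissions, which is what lets a periodic audit catch an extension that gained access through a later update.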

Experts suggest the following precautionary measures while downloading extensions:

📌Install browser extensions only if they are approved by the company’s IT or security team.

📌Download extensions only from official browser stores, never from pop-ups, ads, or unknown links.

📌Check the permissions an extension asks for and avoid those requesting access unrelated to their purpose.

📌Look at who developed the extension, how often it is updated, and what other users are saying about it.

📌Don’t trust extensions that promise unrealistic results or rush you into granting access.

📌Avoid installing personal or non-work extensions on office systems used for sensitive tasks.

📌Remember that even popular extensions can turn risky later through hidden background updates.

📌Keep only necessary extensions and regularly remove ones you no longer use.

📌 Keep your browser updated and report any unusual behaviour (pop-ups, redirects, slowdowns) to IT immediately.

For organisations:

📌 Shift towards Managed Enterprise Browsing, where browsers and extensions are centrally controlled.

📌Limit or completely block third-party extensions, allowing only vetted, business-essential tools.

📌Use security-first browser environments to reduce data leakage risks for employees and contractors.

Red flags:

According to Vaibhav Koul, the following are the red flags:

📌 Extensions asking for permissions that have nothing to do with what they are supposed to do.

📌 Sudden pop-ups, ads, or alerts appearing after installation.

📌 Frequent or unexplained updates without clear change details.

📌 Noticeable browser slowdowns or crashes.

📌 Being redirected to unknown or suspicious websites.

📌 Extensions that do not clearly mention the developer or company behind them.

📌 Reviews that look overly positive, repetitive, or fake.

📌 Extensions that disappear from the browser store and reappear under a new name, often to hide past complaints or security problems.

What to do if you suspect your device has been compromised by a malicious browser extension?

Experts suggest taking the following steps immediately:

📌 Remove the extension right away from your browser. If possible, disable all extensions first and then re-enable only trusted ones.

📌Inform your IT or security team immediately, especially if the system is a work device. Do not try to fix everything on your own.

📌Change passwords for accounts accessed through the browser, starting with email, work tools, banking, and social media.

📌Log out of all active sessions on important accounts to block unauthorised access.

📌Run a full security scan using company-approved antivirus or endpoint security tools.

📌Check browser settings for changes to the homepage, default search engine, or proxy settings and reset them if needed.

📌Clear browser data (cookies, cache, stored sessions) to remove tracking or injected scripts.

📌 Monitor accounts closely for suspicious logins, transactions, or messages in the following days.

📌Report the extension to the official browser store so others are warned.

📌 Avoid reinstalling extensions until the system is cleared and approved by IT.

If your data is compromised, a case can still be registered either at 1930 or the nearest police station. Acting quickly helps limit damage and prevents the extension from spreading or stealing more data.

Browser extensions may look harmless, but they operate with access to the online activity of users. As cybercriminals grow more sophisticated, relying only on basic checks and traditional security tools is no longer enough. Awareness at the employee level, combined with stronger organisational controls like managed enterprise browsing, is essential. Treating browser extensions with the same caution as any other software is the need of the hour and can reduce data leakage, financial loss, and long-term security risks.

The safe side

As the world evolves, the digital landscape evolves as well, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.

Ankita Deshkar is a Deputy Copy Editor and a dedicated fact-checker at The Indian Express. Based in Maharashtra, she specializes in bridging the gap between technical complexity and public understanding. With a deep focus on Cyber Law, Information Technology, and Public Safety, she leads "The Safe Side" series, where she deconstructs emerging digital threats and financial scams. Ankita is also a certified trainer for the Google News Initiative (GNI) India Training Network, specializing in online verification and the fight against misinformation. She is also an AI trainer with ADiRA (AI for Digital Readiness and Advancement).

Professional Background & Expertise

Role: Fact-checker & Deputy Copy Editor, The Indian Express

Experience: Started working in 2016

Ankita brings a unique multidisciplinary background to her journalism, combining engineering logic with mass communication expertise. Her work often intersects regional governance, wildlife conservation, and digital rights, making her a leading voice on issues affecting Central India, particularly the Vidarbha region. Key focus areas include:

Fact-Checking & Verification: As a GNI-certified trainer, she conducts workshops on debunking deepfakes, verifying viral claims, and using OSINT (Open Source Intelligence) tools.

Cyber Law & IT: With postgraduate specialization in Cyber Law, she decodes the legalities of data privacy, digital fraud, and the evolving landscape of intellectual property rights.

Public Safety & Health: Through her "The Safe Side" column, she provides actionable intelligence on avoiding "juice jacking," "e-SIM scams," and digital extortion.

Regional Reporting: She provides on-ground coverage of high-stakes issues in Maharashtra, from Maoist surrenders in Gadchiroli to critical healthcare updates and wildlife-human conflict in Nagpur.

Education & Credentials

Ankita is currently pursuing her PhD in Mass Communication and Journalism, focusing on the non-verbal communication through Indian classical dance forms. Her academic foundation includes:

MA in Mass Communication (RTM Nagpur University)

Bachelors in Electrical Engineering (RTM Nagpur University)

Post Graduate Diploma (PGTD) in Cyber Law and Information Technology

Specialization in Intellectual Property Rights

Recent Notable Coverage

Ankita’s reportage is recognized for its investigative depth and emphasis on accountability:

Cyber Security: "Lost money to a scam? Act within the 'golden hour' or risk losing it all" — A deep dive into the critical window for freezing fraudulent transactions.

Public Health: "From deep coma to recovery: First fully recovered Coldrif patient discharged" — Investigating the aftermath of pharmaceutical toxins and the healthcare response.

Governance & Conflict: "Gadchiroli now looks like any normal city: SP Neelotpal" — An analysis of the socio-political shift in Maoist-affected regions.

Signature Beat

Ankita is best known for her ability to translate "technical jargon into human stories." Whether she is explaining how AI tools like MahaCrimeOS assist the police or exposing the dire conditions of wildlife transit centres, her writing serves as a bridge between specialized knowledge and everyday safety.

Contact & Follow

X (Twitter): @ankita_deshkar

Email: ankita.deshkar@indianexpress.com

 
