Privacy

Troubleshooting guides, comparisons, and practical tips for privacy issues in Chrome. Free solutions from SuperchargeBrowser.

The riskiest Chrome extensions in 2026 are not the obscure ones — they are the high-install-count AI assistants and productivity tools that have been silently acquired. Two extensions with a combined 900,000 installs were removed from the Chrome Web Store in early 2026 after researchers caught them exfiltrating ChatGPT and DeepSeek conversation history to external servers every 30 minutes. The extensions worked normally. Users had no reason to suspect anything.

The attack pattern — Secure Annex named it "Prompt Poaching" — exploits how extension permissions work. An extension that requests access to all URLs (or specifically to chatgpt.com, claude.ai, deepseek.com) can read the full page DOM, including conversation text. Permissions granted at install persist through every future update, including after silent ownership transfers.
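A static check that complements this: the added example below (not code from SuperchargeBrowser or Secure Annex) reads an extension's `manifest.json` and reports every match pattern that lets the extension read the chat sites named above. The function names `pattern_covers` and `audit_manifest` and the sample manifest are constructed for illustration.

```python
import json

# Chat hosts named in the text above; extend as needed.
CHAT_HOSTS = ("chatgpt.com", "claude.ai", "deepseek.com")

def pattern_covers(pattern, host):
    """True if a Chrome match pattern applies to http(s) pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permission such as "storage", or a non-web scheme
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True  # any host
    if pat_host.startswith("*."):
        base = pat_host[2:]  # "*.example.com" also matches "example.com"
        return host == base or host.endswith("." + base)
    return host == pat_host

def audit_manifest(manifest):
    """Return {manifest field: {pattern: [chat hosts it covers]}}."""
    sources = {
        "host_permissions": manifest.get("host_permissions", []),
        "optional_host_permissions": manifest.get("optional_host_permissions", []),
        # Manifest V2 lists host patterns alongside API permissions.
        "permissions": manifest.get("permissions", []),
    }
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        sources[f"content_scripts[{i}].matches"] = cs.get("matches", [])
    findings = {}
    for source, patterns in sources.items():
        for p in patterns:
            hits = [h for h in CHAT_HOSTS if pattern_covers(p, h)]
            if hits:
                findings.setdefault(source, {})[p] = hits
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.loads("""{
  "name": "Constructed Example Assistant",
  "permissions": ["storage", "tabs"],
  "host_permissions": ["https://api.example.com/*", "https://*.claude.ai/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE), indent=2))
```

Content scripts declared in the manifest run inside the page, so their requests appear in that page's own DevTools Network tab rather than in the service worker's.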

The verification process takes about 60 seconds: open the extension's service worker in DevTools, switch to the Network tab, and use the app the extension claims to enhance. A legitimate extension should only make requests to that app's own API — not to unfamiliar analytics endpoints or third-party servers. Extensions that make zero outbound requests cannot exfiltrate data by design.

Privacy and performance overlap significantly: extensions that collect data typically do it through background network requests, and blocking that at the source also eliminates the CPU and RAM overhead of those requests.

Frequently Asked Questions

Can Chrome extensions read my ChatGPT or Claude conversations?

As of March 2026, yes — if an extension requests broad host permissions (access to all URLs or specifically to chatgpt.com, claude.ai, or similar), it can read the full DOM content of those pages, including conversation text. Two extensions caught doing this in early 2026 had a combined 900,000 installs. Both appeared functional and received positive reviews while silently exfiltrating data.

How do I check if a Chrome extension is collecting my data?

Open chrome://extensions, enable Developer Mode, then click 'service worker' on the extension you want to audit. In the DevTools Network tab, use the app the extension claims to assist with and watch for outbound requests to domains you do not recognize. As of March 2026, any requests to third-party analytics, tracking, or unrecognized servers are a red flag. A truly privacy-safe extension makes zero outbound network requests.

What does zero telemetry mean for a Chrome extension?

Zero telemetry means the extension makes no outbound network requests — no analytics, no crash reports, no usage data, no sync to external servers. All processing happens locally in the browser. As of March 2026, this is verifiable: open the extension's service worker in Chrome DevTools and monitor the Network tab. If there are no network requests, the extension cannot exfiltrate data regardless of what permissions it holds.
