One of the best things about Chrome extensions is also one of the worst things about them: they sit directly inside your browser.
That makes them incredibly useful, but it also means the extension can watch pages, inject content, rewrite requests, and quietly monetize your browsing session in ways most users will never notice.
And the tricky part is this: an extension does not have to be shady on day one. It can launch as a helpful tool, build trust, be installed by millions of people, and then change later through an update, a shift in business model, or a sale to a new owner.
A Recent Example
Not an April Fool's joke, but on April 1, 2026, Wes Bos posted a warning about a popular JSON formatter extension. His screenshot showed the extension injecting geolocation tracking and a donation UI directly into websites. He also pointed to reports that it may have been swapping affiliate IDs, too.
> HEADS UP. Popular JSON formatter extension has started injecting geolocation tracking and donation UI into websites
> Reddit thread seems to think they are also swapping tracking IDs for affiliates (a-la honey)
> Uninstall and switch to another one pic.twitter.com/dbMwHp4XQv
— Wes Bos (@wesbos) April 1, 2026
That is exactly the sort of behavior that makes extensions hard to trust. A JSON viewer should format JSON. It should not be modifying pages, injecting location logic, adding donation prompts, or doing anything remotely related to affiliate attribution.
The Honey Scandal
If you want a high-profile example of how weird extension incentives can get, watch the Honey controversy. The issue is not just “coupon codes.” The bigger issue is that a browser extension sitting in the checkout flow has a lot of power.
MegaLag’s video argues that Honey inserted itself at the last moment and replaced affiliate attribution, even when it was not meaningfully helping with the purchase. That is exactly the kind of browser-side behavior users and creators rarely see happening in the background. The influencers promoting the extension were often cheated out of their own affiliate revenue, and may have lost more that way than they earned from promoting it.
Whether you frame that as aggressive attribution optimization or something much shadier, the lesson is the same: if an extension can modify the checkout experience, it can also redirect value.
Why I Usually Build My Own Extensions
This is one reason I often just create my own extensions.
Some of the ones I actively use or still support are Weather Extension, Link Shortener, Link Unshorten, QR Code Generator, and JSON Viewer.
If I need a small utility, I would rather know exactly what the code does, what permissions it requests, and what domains it can touch. When you install a random extension from the store, you are not just trusting the current version. You are trusting every future update and every future owner. This is also why all my extensions have very limited permission requirements.
You never know when an extension will get sold, and the new owner decides to inject ads, affiliate tracking, popups, or worse. A boring tool can suddenly become an ad network or a data collection tool.
The more extreme version of this problem is crypto mining and cryptojacking. Troy Hunt wrote a great post, "I Now Own the Coinhive Domain," about how sites were abusing visitors’ browsers to mine. Even if an extension is not doing that today, the broader lesson still matters: once someone decides your browser session, bandwidth, CPU, or checkout flow is something they can monetize, the line gets crossed very quickly.
Alternative JSON Extension
That is also why I built my own JSON Viewer Extension. It does the job I want, keeps the scope tight, and I know what it is supposed to do.
If you want to try it, you can install it from the Chrome Web Store here. If I need something more niche for my own workflow, I increasingly skip the store and just load a local extension instead.
AI Makes This Much Easier
A few years ago, building your own extension felt like a real project. Now AI can write most small extensions for you.
If you need a custom JSON formatter, page helper, text tool, link utility, or internal workflow shortcut, AI can usually generate the manifest, popup, options page, background script, and content scripts pretty quickly. The important part is that you still review the code before running it.
If you want more of my thinking on the extension side of things, I also talked about building and marketing them in Creating Successful Chrome Extensions and in Building a Better Bitly.
If the extension is only for you, you do not need to publish it at all. Chrome supports loading an unpacked extension locally.
- Ask AI to generate the extension files in a local folder.
- Review the code and permissions.
- Open chrome://extensions.
- Turn on Developer mode.
- Click Load unpacked and select the extension folder.
Google covers the local install flow in its Chrome extension getting started docs. For personal tools, this is often the best option because you keep full control and do not have to rely on a store listing that could change later.
How I Review Chrome Extensions
What if you are not a developer, or do not want to build them yourself? Before I install an extension, I review the source code. I wrote a separate post on how to view the source code of an extension, and it is still one of the simplest habits you can develop. You could even upload the extension's zip file to ChatGPT and ask it to review it. It is pretty amazing what it can detect, even if the code is minified.
At a minimum, I want to know:
- What permissions does it request
- Whether it runs on every site or only specific domains
- Whether it injects content scripts into pages
- Whether the code is heavily obfuscated or minified for no good reason
- Whether it calls home to tracking or analytics endpoints that do not make sense
- Whether there is anything related to affiliate IDs, redirects, donation prompts, or remote config
If a tiny utility extension requires broad host permissions, touches checkout pages, or modifies every website you visit, that should immediately raise the bar for trust.
The Permissions That Worry Me Most
Not all extension permissions are equal. Some are relatively narrow. Others are powerful enough to warrant immediate scrutiny.
- <all_urls> or broad host patterns like *://*/*. This is one of the biggest red flags because it lets an extension access nearly every site you visit. Chrome warns that this level of access can read and change your data across websites.
- cookies. If an extension also has access to a site, cookie access can expose session-related data and create obvious potential for abuse related to tracking, identity, and authentication.
- webRequest or rules that can manipulate network traffic. These can be legitimate for blockers and security tools, but they are also the sort of capabilities that make request rewriting, tracking injection, and affiliate hijacking possible.
- tabs and history. These can reveal a lot more about browsing behavior than most users realize, especially when combined with broad site access.
- Broad content script access through host_permissions or matches on every site. If an extension can inject code everywhere, it can modify what you see, what you click, and what data gets captured from the page.
- Any combination of broad permissions plus remote configuration. Even if the current version looks harmless, remote config can let behavior change later without making the extension's real intent obvious up front.
For small utilities, I much prefer the safer Chrome pattern of activeTab when possible. Chrome describes it as temporary access to the current tab after a user action, which is very different from giving an extension standing access to every site all the time.
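The manifest.json is the fastest place to check the first items on the review checklist above (permissions, host scope, content scripts) and the permission list in this section. The following Node.js script is an added example written for this post; it is not code from any of my extensions or from Chrome. It audits a manifest object for broad host patterns, the sensitive permissions listed above, content scripts that match every site, and a relaxed CSP as the one manifest-level hint of remote code. The two manifests it checks are constructed samples: one shaped like the activeTab-only pattern I prefer, one shaped like the kind of extension that should raise the bar for trust. Remote config and affiliate logic live in the code, not the manifest, so this is a first pass before reading the scripts.

```javascript
// Added example, not from the original post: audit a Chrome extension manifest
// against the review checklist. Sample manifests below are constructed.

// Host patterns that cover essentially every site the user visits.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// Permissions the post singles out, with the reason each matters.
const SENSITIVE_PERMISSIONS = {
  cookies: "can read session cookies for any site it also has host access to",
  webRequest: "can observe network traffic",
  webRequestBlocking: "can block or rewrite network traffic",
  declarativeNetRequest: "can rewrite or redirect requests via rules",
  tabs: "can see URLs and titles of open tabs",
  history: "can read browsing history",
  scripting: "can inject code into pages it has host access to",
};

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.has(String(pattern).trim());
}

// Returns a list of findings; an empty list means nothing on the checklist tripped.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const optional = manifest.optional_permissions || [];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    // MV2 manifests put host patterns inside "permissions" itself.
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  const hasBroadHost = hosts.some(isBroadHost);

  for (const h of hosts) {
    if (isBroadHost(h)) {
      findings.push({ severity: "high", check: "broad-host", detail: `host access "${h}" covers nearly every site` });
    }
  }

  for (const p of [...perms, ...optional]) {
    if (!Object.prototype.hasOwnProperty.call(SENSITIVE_PERMISSIONS, p)) continue;
    // cookies and request manipulation are much worse when paired with broad site access.
    const escalates = p === "cookies" || p.startsWith("webRequest") || p === "declarativeNetRequest";
    const severity = escalates && hasBroadHost ? "high" : "medium";
    findings.push({ severity, check: `permission:${p}`, detail: SENSITIVE_PERMISSIONS[p] });
  }

  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) {
        findings.push({ severity: "high", check: "content-script-everywhere", detail: `content script ${JSON.stringify(cs.js || [])} injected into "${m}"` });
      }
    }
  }

  // A CSP that allows script from a remote origin (MV2 style) is the one
  // manifest-level hint that behaviour could be changed without an update.
  const cspField = manifest.content_security_policy;
  const csp = typeof cspField === "string" ? cspField : (cspField && cspField.extension_pages) || "";
  if (/script-src[^;]*https?:\/\//.test(csp)) {
    findings.push({ severity: "medium", check: "remote-script-csp", detail: "CSP permits loading script from a remote origin" });
  }

  return findings;
}

// One-line verdict for a reviewer: worst severity wins.
function verdict(manifest) {
  const findings = auditManifest(manifest);
  if (findings.some((f) => f.severity === "high")) return "review closely";
  if (findings.length > 0) return "needs justification";
  return "narrow scope";
}

// Constructed sample: the tightly scoped shape I want for a small utility.
const TIGHT_MANIFEST = {
  manifest_version: 3,
  name: "Sample JSON Viewer (constructed)",
  version: "1.0.0",
  permissions: ["activeTab"],
  action: { default_title: "Format JSON" },
  background: { service_worker: "background.js" },
};

// Constructed sample: the shape of an extension that should raise the bar for trust.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "Sample Helper (constructed)",
  version: "4.2.0",
  permissions: ["cookies", "webRequest", "tabs", "history", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"], run_at: "document_start" }],
};

for (const m of [TIGHT_MANIFEST, BROAD_MANIFEST]) {
  console.log(`${m.name}: ${verdict(m)}`);
  for (const f of auditManifest(m)) console.log(`  [${f.severity}] ${f.check}: ${f.detail}`);
}
```

To run it against a real extension, unzip the package, parse its manifest.json with JSON.parse, and pass the object to auditManifest. The constructed broad manifest produces six findings (four of them high); the activeTab-only one produces none, which is the shape I aim for in my own utilities.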
My Rule of Thumb
I still like browser extensions. I build them. I use them. They are one of the fastest ways to make a browser more useful.
But I trust them less than I used to.
These days, my default assumption is simple: if an extension has the power to change the page, it also has the power to do something you did not ask for. Sometimes that is harmless. Sometimes it is an affiliate swap. Sometimes it is aggressive tracking. Sometimes it is something worse.
So if an extension matters to my workflow, I would rather review it, use an open implementation I understand, or just have AI help me build my own and load it locally.