Are browser extensions a data security risk?

They’re very tempting to download, but from a data security perspective browser extensions are a massive threat. Convenience versus risk is a balancing act, but when you’re the custodian of your patients’ sensitive health information, you can’t be too careful.

Aisling Smith

We all love making life easier for ourselves and browser extensions certainly help with this. They’ll block that annoying ad from popping onto your screen yet again or sniff out the discounts for you when you’re shopping online. When it comes to your practice, they can catch the typo in the draft email to your patient, help you format your treatment notes, or transcribe your words into text. But they also come with significant security risks and you have to ask yourself: is it really worth it?

What is a browser extension?

First up, let’s start with some basic terminology. Your browser is whichever software program you use to explore the internet—like Google Chrome, Firefox, or Safari. A browser extension is software that sits on top of your browser and customises it or gives it added functionality. Browser extensions can be handy tools for modifying the webpages you visit (such as automatically translating a foreign language website into English or blocking a popup) and helping you perform tasks online (for example, checking your spelling and grammar). Adobe Acrobat, AdBlock, Grammarly, and Google Translate are all common browser extensions that you might be using.

What’s the risk?

The problem is that a browser extension has high levels of access to your computer; it sees what you see and knows what you type in. This includes a lot of sensitive and confidential data like your bank details, information for your online accounts including your usernames and passwords, any patient records on your computer, your browsing history and cookies—basically everything. By design, browser extensions can even re-write the websites that you visit, for example to hide or censor things. In short, they’re powerful pieces of software. 

Given all of this, if an extension you’re using ever ends up infected with malware (malicious software), you’re toast! Suddenly, all that sensitive information you’re inputting into your computer is tracked, recorded, and relayed back to whoever is controlling the malware. It can then be published in a data dump or sold on the dark web. We chatted about this when we gave a warning about infostealers a while back, which is exactly the risk that browser extensions pose too. We’re not being alarmist when we say that it’s a big risk to download them!

Even if you know who made the extension (which is not always the case), you’re still putting a lot of faith in whoever produced it to behave ethically. Even if you do trust them and the software is completely legit to begin with, it’s also possible for an extension to be compromised somewhere down the road unbeknownst to anyone. The company developing the software might have the best of intentions and produce a totally safe product for years—until, at some point, a cybercriminal manages to sneak in some malware and suddenly the product is corrupted.

Another big danger is that you could download from the app store what you think is a legitimate browser extension, but which is actually a fake. Malicious software posing as the real deal can be very tricky to spot. In 2025, an investigation by Koi Security revealed that 18 malicious extensions had infected 2.3 million users across Chrome and Edge. Likewise, there was a recent incident where 50,000 Firefox users were compromised. These programs were all in the official app store and looked completely authentic and identical to the legitimate versions—even appearing on screen with a verification badge, hundreds of reviews, and thousands of installations. Most people wouldn’t be able to tell the difference.

What can you do to stay safe?

In a perfect world, you wouldn’t install browser extensions at all! But that’s pretty hardline and of course security has to be balanced with practicality. For what it’s worth, however, our in-house privacy expert at Cliniko only has one extension installed on his computer! This speaks volumes about how risky extensions can be. Another solution that’s similarly extreme but also effective is to have a second device without browser extensions that you use for work. Again, however, that’s not necessarily realistic for a lot of people.

When it comes to more middle ground solutions, as a minimum, make sure that you only install extensions from a reputable source. And be aware that trust is a point in time. In other words, you might have full trust in an extension when you install it, but you don’t know what could change in the future. For example, the product could be sold to someone else, or the code could be changed or infiltrated without you knowing. At the end of the day, installing an extension—even one you trust in the moment—will always come with a risk.

It’s true that browser developers like Google are currently working towards making their extensions safer, for example by implementing a new platform to tighten security. But this is still a work in progress and can’t be relied upon just yet.

As for steps that you can take, it’s a good idea to do a review every 6 or 12 months to make sure that every extension you’re using looks legit, though admittedly this can be hard to analyse. When you’re conducting a review, also check the permissions and make sure that they line up with what the extension is meant to be doing. An ad block extension shouldn’t need to access your camera or microphone, for example! Lastly, consider whether you even need the extension anymore—you might’ve installed a coupon extension over the festive season or a translation extension during an overseas trip, neither of which you really need anymore. If they’re not essential, you’re much safer to remove them.
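If you (or whoever looks after your IT) want to do the permissions check above with a script, here is one way to go about it. This is an added example, not Cliniko's code: it reads an extension's manifest and lists anything it asks for beyond what you'd expect for its job. The two manifests and the `EXPECTED` lists are made up for illustration.

```python
import json

# Permissions worth a second look, with what each one allows.
SENSITIVE = {
    "cookies": "read and change cookies, including login sessions",
    "history": "read your browsing history",
    "tabs": "see the address and title of every open tab",
    "webRequest": "watch the network requests your browser makes",
    "clipboardRead": "read whatever you have copied",
    "tabCapture": "record the audio and video of a tab",
    "desktopCapture": "record your screen",
}
# Host patterns that match every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Collect API permissions and host patterns from a parsed manifest.json."""
    found = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        found.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found

def review(manifest, expected):
    """List (permission, why it matters) for anything outside the expected set."""
    findings = []
    for perm in sorted(requested(manifest) - set(expected)):
        if perm in BROAD_HOSTS:
            reason = "read and rewrite every site you visit"
        else:
            reason = SENSITIVE.get(perm, "not on the expected list")
        findings.append((perm, reason))
    return findings

# Constructed manifests (not real extensions) and the reviewer's expectations.
AD_BLOCKER = json.loads('{"name": "Example Ad Blocker", "manifest_version": 3,'
    ' "permissions": ["declarativeNetRequest", "storage"],'
    ' "host_permissions": ["<all_urls>"]}')
COUPON_FINDER = json.loads('{"name": "Example Coupon Finder", "manifest_version": 3,'
    ' "permissions": ["storage", "cookies", "history", "tabs"],'
    ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}')
EXPECTED = {
    "Example Ad Blocker": {"declarativeNetRequest", "storage", "<all_urls>"},
    "Example Coupon Finder": {"storage", "activeTab"},
}

if __name__ == "__main__":
    for ext in (AD_BLOCKER, COUPON_FINDER):
        print(ext["name"])
        for perm, reason in review(ext, EXPECTED[ext["name"]]):
            print(f"  unexpected: {perm} ({reason})")
```

For a real review, load the `manifest.json` file from each installed extension's folder in your browser profile instead of the constructed samples.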

On top of that, make sure you’re doing all the regular security stuff we always recommend. In particular:

  • Use a passkey: if it’s an option, passkeys are the best security measure you can take. You can definitely use a passkey for your Cliniko account, which we recommend you do.
  • Switch on multi-factor authentication (MFA): if you’ve used Cliniko for a while, you’ll know that we love MFA! There’s a reason for this, though; it’s highly effective for many kinds of security threats. By requiring you to use a second device (like a phone) to authorise any attempt to log in, it prevents someone who might have access to your username and password from accessing your online accounts. Make sure you’ve got MFA enabled for your Cliniko account and even consider enforcing it across your team!
  • Create strong passwords: go for length here! The longer, the better. This is significantly more effective than just doing a mix of upper case, lower case, numerals, and special characters.
  • Don’t re-use passwords: keep your passwords unique across platforms. It might feel inconvenient, but this is not an area to be lax about. Store them in a password manager (like LastPass or 1Password) if it’s a struggle to keep track of them all.
  • Regularly check whether your account has been compromised: Have I Been Pwned is a website that allows you to check if your email address has been involved in any known incident where data has been publicly exposed.

Taking security seriously sometimes means less convenience, but at the end of the day, some extra nuisance when you’re browsing online is always preferable to a data breach.


Author information

Aisling is a Melbourne-based writer and all around word nerd. When she isn't writing for Cliniko, she likes circus fitness, playing her cello, and eating dessert.
