2 Remove Virus

Dozens of browser extensions legally harvest and sell user data, researchers warn

A new investigation has found that dozens of widely used browser extensions are collecting and selling user data to third parties, often with full legal consent buried in their privacy policies.

The research, conducted by LayerX Security, identified more than 80 browser extensions affecting at least 6.5 million users that openly monetize personal data.

Unlike traditional malicious extensions that secretly exfiltrate information, many of the flagged tools operate within legal boundaries. Developers explicitly disclose data collection and resale practices in their privacy policies, making the activity permissible under current regulations.

Researchers found that the issue is widespread across different categories of extensions, including ad blockers, media tools, and productivity add-ons. In one case, a group of ad-blocking extensions with a combined user base of over 5.5 million was found to collect and sell browsing data.

The data collected varies but can include browsing activity, streaming habits, demographic insights, and inferred personal attributes such as age and gender. Some extensions were also found to track activity across platforms like Netflix, Amazon Prime Video, and other major services.

A key factor enabling these practices is user consent, even if it is rarely informed. According to LayerX, many users accept permissions and privacy terms without reviewing them, allowing extensions to legally collect and sell their data.

At the same time, the research highlights broader transparency gaps in the browser extension ecosystem. Around 71% of extensions in the Chrome Web Store do not publish a privacy policy at all, making it difficult for users to understand how their data is handled.

Security experts note that browser extensions have extensive access to sensitive information, including browsing history and page content, which increases the potential impact of both legal and malicious data collection.
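The access described above is declared in each extension's `manifest.json`, so it can be reviewed before an extension is approved or kept. The audit below is an added example, not code from LayerX or from this article: the permission names and manifest keys are real Chrome ones, while the risk labels, the function names and the sample manifest are constructed for illustration.

```javascript
// Added example: flag manifest entries that expose browsing history or page content.
// Risk labels are this example's own wording, not an official classification.
const RISKY_API = {
  history: "reads full browsing history",
  tabs: "sees URL and title of open tabs",
  webNavigation: "observes every navigation",
  webRequest: "observes network requests",
  cookies: "reads cookies for permitted hosts",
  scripting: "injects scripts into permitted pages",
};

// True when a match pattern covers every host rather than a named site.
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const declared = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const p of declared) {
    if (typeof p !== "string") continue;
    // Manifest V2 lists host patterns inside "permissions"; treat them as hosts.
    if (p === "<all_urls>" || p.includes("://")) hosts.push(p);
    else if (RISKY_API[p]) findings.push({ kind: "api", value: p, why: RISKY_API[p] });
  }
  for (const h of new Set(hosts)) {
    if (isBroadHost(h)) findings.push({ kind: "host", value: h, why: "applies to every site" });
  }
  return findings;
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 3,
  name: "Example Ad Blocker (constructed)",
  permissions: ["storage", "tabs", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*", "https://*.example.com/*"], js: ["content.js"] }],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.kind}\t${f.value}\t${f.why}`);
}
```

A finding here means the extension can see the data, not that it sells it; the privacy policy, where one exists, still has to be read alongside the permissions.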

The findings point to a dual risk model. On one side are explicitly compliant extensions that monetize user data through disclosed practices. On the other are malicious or compromised extensions that exploit similar access privileges without disclosure.

As browser-based tools continue to expand in functionality, researchers warn that the extension ecosystem remains a largely unregulated channel for large-scale data collection. The combination of broad permissions, limited oversight, and low user awareness creates conditions where personal data can be monetized at scale, often without meaningful transparency.