Skip to content

Browser extensions

Are browser extensions the new macros?

I am not a fan of browser extensions. I keep a short list and use separate browser profiles. The blast radius is too large otherwise - scams and malware both live in the Marketplace.

The Honey pattern

Megalag's Honey reporting lays out the alleged model: pay influencers to push a "best coupon" extension, then quietly fail to find the best codes and rewrite referral tags so Honey (PayPal-owned) takes the fee - even when no voucher exists.

Users pay more. Creators lose referrals. Merchants fight their own discount stack. The extension sits in the browser with enough permission to make that game work.

The bigger mess

Malware extensions are worse. With common permissions they can:

  • Read what you read and type
  • Fire requests as you

Passwords, banks, wallets, photos - all in scope. Site allowlists and store scanning help. They are not enough. Over the 2024/25 break a campaign hit Chrome extensions across ~2.6 million devices: compromised legit extensions, lookalikes, and "useful" bait.

What I do

Password managers earn their keep. Cat-video toolbars do not.

  • Install only from the vendor's own site link when you can
  • Read permissions; walk away from anything you cannot explain
  • Separate profiles (or browsers) so shopping add-ons never sit on banking - more in Use separate browser profiles
  • Default to uninstall when unsure

I followed up on Honey again in Honey extension follow-up.

Olivier Reuland