·
Browser extensions
Are browser extensions the new macros?
I am not a fan of browser extensions. I keep a short list and use separate browser profiles. The blast radius is too large otherwise - scams and malware both live in the Marketplace.
The Honey pattern
Megalag's Honey reporting lays out the alleged model: pay influencers to push a "best coupon" extension, then quietly fail to find the best codes and rewrite referral tags so Honey (PayPal-owned) takes the fee - even when no voucher exists.
Users pay more. Creators lose referrals. Merchants fight their own discount stack. The extension sits in the browser with enough permission to make that game work.
The bigger mess
Malware extensions are worse. With common permissions they can:
- Read what you read and type
- Fire requests as you
Passwords, banks, wallets, photos - all in scope. Site allowlists and store scanning help. They are not enough. Over the 2024/25 break a campaign hit Chrome extensions across ~2.6 million devices: compromised legit extensions, lookalikes, and "useful" bait.
What I do
Password managers earn their keep. Cat-video toolbars do not.
- Install only from the vendor's own site link when you can
- Read permissions; walk away from anything you cannot explain
- Separate profiles (or browsers) so shopping add-ons never sit on banking - more in Use separate browser profiles
- Default to uninstall when unsure
I followed up on Honey again in Honey extension follow-up.
Related
- Use Separate Browser Profiles for containing extension risk
- Admin and Devs Are Great Targets for the same pattern in IDE and shell tooling
- Honey extension follow-up for the later Megalag coverage