Can a scammer gain access to my accounts through a fake browser extension?
Yes — malicious browser extensions can read everything you type in your browser, including passwords and payment details, and capture session cookies that allow account access without needing your password.
Last reviewed: 10 June 2026
Explanation
Browser extensions have deep access to your browsing session by design — they can read and modify page content, capture form inputs, and access cookies. When that access is granted to a malicious or compromised extension, the consequences are serious.
Malicious extensions typically enter browser stores disguised as useful tools: PDF converters, ad blockers, screenshot utilities, VPNs, or productivity tools. Some start out legitimate and later push malicious updates once they have built a user base. Others are outright fakes riding on the name of a popular extension with minor spelling variations.
Session cookie theft is particularly effective: your browser stores session tokens (cookies) that keep you logged in to sites. An extension with the right permissions can exfiltrate these tokens to an attacker's server, allowing them to impersonate your logged-in session on that site without knowing your password — even bypassing 2FA on sites that only require 2FA at the initial login.
Keylogging extensions capture what you type on any page, including passwords, credit card numbers, and any private messages. They can also read the DOM of any page you visit, extracting any displayed data.
Install only extensions you genuinely need, from developers you can verify. Check the permissions an extension requests before installing — an extension that asks to 'read and change all data on websites you visit' should be scrutinised carefully. Regularly audit your installed extensions and remove any you no longer use.
Common red flags
- An extension requests permissions that seem excessive for its stated purpose
- You installed an extension from a source other than the official Chrome Web Store, Firefox Add-ons, or similar official store
- An extension you already have prompts you to update and asks for new, broader permissions
- Accounts show unexpected activity after you installed a new extension
- You see ads or redirects in your browser that were not there before installing an extension
- An extension was installed without your knowledge — check your extension list
What to do now
- Open your browser's extension manager and review every installed extension — remove anything unnecessary
- If you find a suspicious extension, remove it, then change passwords for accounts you were logged into
- Sign out of all sessions on your key accounts to invalidate any captured session cookies
- Enable 2FA on your key accounts so session cookie theft requires more than just the cookie
- Only install extensions from verified developers with clear privacy policies
- Run a malware scan to check whether any browser settings were also modified
Frequently asked questions
How do I audit my browser extensions safely?
Go to your browser's extension or add-on manager. For each extension, click 'Details' or 'Manage' to see the permissions it holds. If you don't recognise an extension or cannot find the developer's legitimate website, remove it.
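As an added illustration of that audit (example code, not part of this page's guidance), the script below reads each extension's manifest.json from a Chromium-style profile directory and flags the permissions discussed above; the directory layout, the permission names it flags and the two sample manifests are assumptions and constructed data, not real extensions.

```python
import json
from pathlib import Path

# Permissions the page tells you to scrutinise: each lets an extension read what
# you type, the pages you view, or the cookies that keep you logged in.
HIGH_RISK = {
    "cookies": "can read session cookies, enough to hijack a logged-in session",
    "scripting": "can inject scripts into pages (keylogging, DOM scraping)",
    "webRequest": "can observe or rewrite your network requests",
    "tabs": "can see every URL you visit",
    "clipboardRead": "can read your clipboard",
    "nativeMessaging": "can talk to programs outside the browser",
}
# Host patterns that amount to "read and change all data on websites you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> list[str]:
    """Return findings for one manifest.json; an empty list means nothing was flagged."""
    perms = list(manifest.get("permissions", []))
    # Manifest V3 puts host patterns in host_permissions; V2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"{p}: {HIGH_RISK[p]}" for p in perms if p in HIGH_RISK]
    if hosts & BROAD_HOSTS:
        findings.append("all sites: can read and change all data on websites you visit")
    return findings


def scan_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed Chromium layout)."""
    report = {}
    for path in root.glob("*/*/manifest.json"):
        data = json.loads(path.read_text(encoding="utf-8"))
        findings = assess_manifest(data)
        if findings:  # report only extensions with something to review, keyed by id
            label = f"{data.get('name', '?')} {data.get('version', '')}".strip()
            report[path.parent.parent.name] = [label] + findings
    return report


# Constructed sample manifests (not real extensions): a "PDF converter" asking for
# far more than converting PDFs needs, beside a notes tool that asks only for storage.
SAMPLE_PDF_TOOL = {"name": "PDF Converter", "version": "1.0",
                   "permissions": ["cookies", "scripting", "tabs"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_NOTES = {"name": "Notes", "version": "2.1", "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SAMPLE_PDF_TOOL, SAMPLE_NOTES):
        print(m["name"], "->", assess_manifest(m) or ["no findings"])
```

Findings are a prompt to look closer, not proof of malice: a legitimate ad blocker genuinely needs broad host access, but a PDF converter does not need your cookies.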
Can a malicious extension access my password manager's stored passwords?
A well-designed password manager extension encrypts its vault and typically protects it with a master password separate from your browser session. However, if the password manager is open and autofilling, a malicious extension that can read page content may capture the filled-in credentials.