As of 2026, 86% of the top 100 Chrome extensions request high-risk permissions upon installation, according to research by Cybernews. With 3.83 billion Chrome users worldwide and over 111,000 extensions in the Chrome Web Store, the scope of permission-related privacy exposure is enormous. A separate January 2026 study by Incogni found that 52% of AI-powered Chrome extensions collect at least one type of user data. These numbers paint a clear picture: most Chrome users are granting sensitive access to extensions without fully understanding what they’re handing over.
Chrome Permissions Statistics: Key Facts
- 86% of top 100 Chrome extensions request dangerous permissions, as of 2025.
- 52% of AI-powered Chrome extensions collect user data, based on Incogni’s 2026 analysis of 442 extensions.
- 42% of AI Chrome extensions use the scripting permission, potentially affecting 92 million users.
- 29% of AI Chrome extensions collect personally identifiable information (PII) such as names, emails, and identifiers.
- 77% of Chrome permission prompts on desktop appear without any user interaction, and only 12% of those are allowed.
- 99% of enterprise employees have at least one browser extension installed, and 52% have more than 10.
- Only 39.8% of Chrome extensions comply with the principle of least privilege.
Chrome Permissions Usage by Extension Category
Cybernews examined 100 trending Chrome extensions and found that permission requests vary widely in both frequency and risk level. Storage was the most common permission, requested by 95 out of 100 extensions. Scripting came second at 65 extensions. Broad host permissions, which grant access to all URLs, ranked third with 60 extensions declaring this need.
ActiveTab was used by 36 of the 100 analyzed extensions, alarms by 39, and notifications by 22. Only one extension out of 100 did not request at least a moderately dangerous permission. Tampermonkey had the highest count at 18 declared permissions, seven of which were high-risk and seven medium-risk.
Chrome Permissions and AI Extensions: 2026 Data
Incogni’s January 2026 study examined 442 AI-powered Chrome extensions, nearly double the 238 analyzed in 2025. The researchers found that every single extension required at least some permissions. Scripting was the most observed sensitive permission, used by 42% of extensions and potentially affecting 92 million users.
Website content and PII were the most commonly collected data types, taken by 31.4% and 29.2% of extensions respectively. Among extensions with over 2 million downloads, Grammarly and QuillBot ranked as the most potentially privacy-damaging. Both collected personal communications, location data, and website content, while also requiring scripting and ActiveTab permissions.
Ten extensions scored high on both risk likelihood and risk impact, meaning they could plausibly be misused and cause real damage. These included Nily AI Sidebar and EaseMate, each with over 10,000 downloads. Google Translate and ChatGPT Search also appeared on the high-risk list, showing that brand recognition alone doesn’t guarantee a safe permission profile.
Chrome Permissions Risk by Extension Category
When grouped by function, programming and mathematical helpers posed the greatest privacy risk on average. This category earned the top spot through larger numbers of sensitive permissions and higher data collection rates. Meeting assistants and audio transcribers ranked second, collecting more raw data but requiring fewer sensitive permissions overall.
Writing assistants placed third, followed by personal assistants and general-purpose extensions in fourth. Translators, information lookup tools, text and video summarizers, and audiovisual generators clustered at the lower end of the risk scale. If you’re looking for Chrome extensions that actually improve security, choosing from less permission-heavy categories is a good starting point.
Chrome Permissions and Translator Extensions
Among translators, 83% of extensions had a high or very high risk impact score, meaning they require potentially dangerous permissions. The saving grace: none of the translator extensions had high risk likelihood, so they’re less likely to be used with bad intent. Google Translate, eJOY AI Dictionary, and Immersive Translate topped the privacy risk list in this category. Six translator extensions claimed not to collect any user data at all.
Chrome Permissions Prompt Behavior
Chrome telemetry data from 2024-2025 reveals how users interact with permission prompts. On desktop Chrome, 77% of permission prompts appear without any preceding user interaction. Of those unprompted dialogs, only 12% are allowed. When a prompt follows a direct user action (like clicking a button), the allow rate jumps to 30%. Context matters a lot in how users respond to Chrome permission prompts.
Google has introduced one-time permissions for camera and microphone access on both Android and Desktop. Once the user leaves a site, Chrome revokes the permission automatically. The revamped Safety Check feature now runs in the background, revoking permissions from sites users don’t visit anymore and flagging deceptive notification requests.
Chrome Permissions in Enterprise Environments
The enterprise picture is just as striking. According to LayerX’s 2025 Enterprise Browser Extension Security Report, 99% of employees have at least one browser extension installed. More than half (52%) have more than 10 extensions running. Among enterprise-deployed extensions, 51% pose high security risks, and 33% of all organizational extensions carry elevated risk profiles.
IT departments respond by blocking specific extensions outright. The most commonly blocked extensions include uBlock Origin (78% block rate), GenAI Helper Pro (65%), Dark Reader (62%), Price Tracker+ (58%), and VPN Proxy Free (55%). These blocks happen for reasons ranging from Manifest V3 compatibility to excessive permission requests. You can learn more about which Chrome extensions were banned in 2024-25 and the patterns behind those removals.
| Enterprise Metric | Percentage |
|---|---|
| Employees with 1+ extension | 99% |
| Employees with 10+ extensions | 52% |
| Extensions posing high security risk | 51% |
| Extensions not updated in 12 months | 60% |
| Extensions confirmed malicious | 1% |
Chrome Permissions and Extension Security Incidents
Permission abuse isn’t theoretical. In December 2024, a supply chain attack compromised over 35 Chrome extensions, affecting 2.6 million users. The compromised extensions used their granted permissions to steal cookies and passwords. A separate campaign in early 2025 hijacked developer accounts for 16 additional extensions, exposing another 3.2 million users. Understanding the broader Chrome extension ecosystem helps put these incidents in context.
Google says less than 1% of Chrome Web Store installs contain malware. Independent research tells a different story: 60% of extensions haven’t been updated within 12 months, and roughly 350 million users run what researchers classify as security-noteworthy extensions. If you want to review and manage your extension permissions, Chrome’s settings page at chrome://extensions is the place to start.
Chrome Permissions and Manifest V3 Migration
Google’s push from Manifest V2 to Manifest V3 has reshaped the permissions model. As of August 2025, 73.4% of Chrome extensions had migrated to Manifest V3. The new framework restricts background page capabilities, limits remote code execution, and tightens how extensions declare and use permissions. Extensions that haven’t migrated face automatic disabling by Chrome.
The policy shift also introduced stricter review processes. Google updated Chrome Web Store policies in March 2025 to ban extensions claiming affiliate commissions without showing discounts. January 2025 brought managed enterprise controls, allowing IT admins to curate safe extension lists, blacklist threats, and remove compromised add-ons. For those managing security on Chrome OS devices, this Chromebook security guide covers the basics and beyond.
FAQ
How many Chrome extensions request dangerous permissions?
86% of the top 100 Chrome extensions request high-risk permissions upon installation, according to Cybernews research. These include scripting, broad host access, and tab monitoring capabilities.
What percentage of AI Chrome extensions collect user data?
52% of AI-powered Chrome extensions collect at least one type of user data, and 29% collect personally identifiable information, according to Incogni’s January 2026 study of 442 extensions.
Which Chrome extension permission is the most common?
Storage is the most frequently requested permission, used by 95 out of 100 trending extensions. Scripting ranks second at 65 out of 100, followed by broad host permissions at 60.
How often do users allow Chrome permission prompts?
Only 12% of Chrome permission prompts shown without user interaction are allowed. When a prompt follows a direct user action, the allow rate rises to 30%.
What is Manifest V3 and how does it affect Chrome permissions?
Manifest V3 is Google’s updated extension framework that restricts background capabilities and tightens permission declarations. As of August 2025, 73.4% of extensions had migrated to Manifest V3.
