All 20 checks with why-it-matters prose, severity, and cross-references to related audits.
Chrome extensions operate inside the browser with elevated trust, making them a uniquely dangerous collection point for PII. Collecting names, emails, or browsing patterns without explicit opt-in consent violates GDPR Art. 6 and Art. 7, CCPA §1798.100, and the Chrome Web Store User Data Policy — each of which requires a lawful basis before processing. CWE-359 captures the failure mode precisely: exposing private information without authorization. Beyond compliance, extensions that silently harvest PII expose users to identity theft and damage developer reputation irreparably if discovered by a store reviewer or security researcher.
Why this severity: Critical because silent PII collection without consent is the defining privacy violation regulators and app store reviewers flag first — it enables data harvesting at browser-scale with zero user awareness or recourse.
extension-data-privacy.data-collection.pii-consent

Content scripts run in the context of every web page the user visits, giving them direct DOM access to password fields, credit card inputs, and API key fields. Automatically reading these values — even for seemingly benign purposes like autofill — is classified as unauthorized data access under OWASP 2021 A02 and CWE-200. A compromised extension or malicious update can silently exfiltrate credentials at scale across every site the user visits. The Chrome Web Store User Data Policy explicitly prohibits capturing sensitive fields without user initiation; violations result in immediate takedown and potential account termination.
Why this severity: Critical because automatic DOM capture of password or credit card fields enables credential theft at browser scale — an attacker who compromises the extension gains silent keylogger capability across every site the user visits.
extension-data-privacy.data-collection.no-sensitive-dom-capture

OAuth tokens and session tokens stored in `localStorage` are readable by any JavaScript running on the page — including third-party scripts, ad networks, and XSS payloads. Because extensions share the DOM with page scripts when using content scripts, a single XSS vulnerability on any site the user visits can silently extract a token and enable full account takeover. OWASP 2021 A02 and CWE-312 both call this out: storing sensitive credentials without isolation is a broken authentication failure. GDPR Art. 32 requires appropriate technical measures to protect personal data — storing auth tokens in `localStorage` fails that standard.
Why this severity: Critical because auth tokens in `localStorage` are accessible to any page script, making a single XSS injection sufficient to exfiltrate the token and impersonate the authenticated user across all their sessions.
extension-data-privacy.data-collection.tokens-not-in-storage

GDPR Art. 5(1)(c) codifies data minimization as a legal obligation, not a guideline — collecting more data than your declared function requires is itself a violation. Chrome extensions that request `history`, `cookies`, or `webRequest` permissions for features that do not use them expand the blast radius of any future compromise and invite rejection from store reviewers performing permission audits. CCPA §1798.100 gives users the right to know what data is collected; collecting data not mentioned in your listing undermines that right and exposes you to regulatory action. Overpermissioned extensions are also a primary signal in automated Chrome Web Store policy enforcement.
Why this severity: High because unnecessary permissions and extraneous data collection expand the attack surface of every future vulnerability — a bug in an extension with `history` access is far more damaging than the same bug without it.
extension-data-privacy.data-collection.minimal-collection

A background script that persistently logs visited URLs to `chrome.storage.local` or an external server is, functionally, spyware — regardless of intent. GDPR Art. 5(1)(c) prohibits collecting data beyond what is necessary; Art. 5(1)(e) requires data not be retained longer than needed. Persistent browsing history in extension storage becomes a high-value target: a single compromise of the extension or its backend server exposes a complete record of the user's online behavior. The Chrome Web Store User Data Policy explicitly prohibits collecting user activity beyond declared core functionality, and violations result in immediate delisting.
Why this severity: High because persistent browsing history constitutes a detailed behavioral profile that, once collected, can be exfiltrated, subpoenaed, or sold — the harm is irreversible once the data exists.
extension-data-privacy.data-collection.no-history-logging

Chrome Web Store policy mandates a privacy policy link for any extension that collects user data — failure to provide one is a direct cause of rejection or takedown. Beyond the store requirement, GDPR Art. 13 requires controllers to provide privacy information at the point of data collection, and CCPA §1798.100 requires consumers to be informed of data practices before collection. An extension that buries its privacy policy or omits it entirely prevents users from exercising their GDPR rights to access, correction, and erasure. Prominent, accessible disclosure is the first signal that a developer takes user privacy seriously.
Why this severity: High because missing or inaccessible privacy policy links are a direct Chrome Web Store policy violation that triggers removal — and they prevent users from exercising GDPR and CCPA data rights they are legally entitled to.
extension-data-privacy.privacy-disclosures.privacy-policy-visible

When a manifest requests permissions that are never used in code, the extension presents a larger attack surface than necessary and violates the data minimization principle in GDPR Art. 5(1)(c). Reviewers at the Chrome Web Store explicitly audit permission-to-usage alignment — requesting `history` or `cookies` without a clear purpose triggers human review and is a common cause of rejection. CWE-272 addresses least privilege failure: granting more access than required means any future exploit, supply chain attack, or malicious update can leverage permissions that should never have existed. Without documented justification, neither users nor reviewers can verify that permissions are legitimate.
Why this severity: High because unjustified permissions fail Chrome Web Store review, inflate attack surface, and violate GDPR Art. 5(1)(c) data minimization — any future vulnerability in the extension automatically gains the scope of every undocumented permission.
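As an added example (not the audit's own tooling or any project's code), the following implements the permission-to-usage alignment check that this pattern and the minimal-collection pattern above describe: every permission in manifest.json is matched against the API namespace that would actually exercise it, and permissions with no usage are reported. The permission-to-marker table, the sample manifest and the sample source are constructed assumptions.

```javascript
// Added example (not the audit's own tooling): a static permission-to-usage
// check. Each manifest permission maps to the API namespace that would actually
// exercise it; a permission with no matching call in the code base is reported.
// The marker table is an assumption: extend it for the permissions you use.
const PERMISSION_USAGE = {
  history:       [/chrome\.history\./],
  cookies:       [/chrome\.cookies\./],
  webRequest:    [/chrome\.webRequest\./],
  tabs:          [/chrome\.tabs\./],
  storage:       [/chrome\.storage\./],
  scripting:     [/chrome\.scripting\./],
  clipboardRead: [/navigator\.clipboard\.readText/, /execCommand\(\s*['"]paste['"]/],
};

// manifest: parsed manifest.json; sources: { [filename]: source text }.
// Returns one finding per permission that is unused or has no known marker.
// Limitation: this is a text search, so computed access such as
// chrome['history'] or a permission used only by a bundled library is missed.
function auditPermissions(manifest, sources) {
  const allCode = Object.values(sources).join('\n');
  const findings = [];
  for (const perm of manifest.permissions || []) {
    const markers = PERMISSION_USAGE[perm];
    if (!markers) {
      findings.push({ permission: perm, status: 'unknown',
        note: 'no usage marker configured; document the justification manually' });
    } else if (!markers.some((re) => re.test(allCode))) {
      findings.push({ permission: perm, status: 'unused',
        note: 'requested in manifest but no API usage found in the code base' });
    }
  }
  return findings;
}

function unusedPermissions(manifest, sources) {
  return auditPermissions(manifest, sources)
    .filter((f) => f.status === 'unused')
    .map((f) => f.permission);
}

// Constructed sample extension: four permissions requested, two exercised.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'sample-extension',
  permissions: ['storage', 'tabs', 'history', 'cookies'],
};
const SAMPLE_SOURCES = {
  'background.js': [
    "chrome.storage.local.set({ installedAt: Date.now() });",
    "chrome.tabs.query({ active: true }, (tabs) => void tabs);",
  ].join('\n'),
};

console.log(auditPermissions(SAMPLE_MANIFEST, SAMPLE_SOURCES));
```

Run it over the real manifest and all packaged scripts; every `unused` or `unknown` finding is a permission that needs either removal or a written justification in the listing.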
extension-data-privacy.privacy-disclosures.permission-justification

GDPR Art. 13(1)(e) requires explicit disclosure of any recipients or categories of recipients of personal data before collection. CCPA §1798.115 gives users the right to know whether their data is sold or shared. An extension that sends user data to Google Analytics, Sentry, or a custom analytics backend without disclosing this in its privacy policy is in direct violation of both regulations — and of Chrome Web Store policy, which requires accurate data sharing disclosures in the store listing. Users who install an extension believing it processes data locally have a reasonable expectation that has been violated if data is silently leaving their device.
Why this severity: High because undisclosed third-party data sharing is a standalone GDPR and CCPA violation — regulators treat silent data transmission to unnamed third parties as evidence of bad faith, warranting investigation and fines independent of any data breach.
extension-data-privacy.privacy-disclosures.data-sharing-disclosed

Plaintext PII in `chrome.storage.local`, `chrome.storage.sync`, `localStorage`, or `IndexedDB` is readable by any code with access to the extension's storage context — including a compromised extension update, a malicious dependency, or a script that gains access via a content script bridge. GDPR Art. 32 requires appropriate technical measures to protect personal data; storing an email address or user profile in cleartext fails that standard. CWE-312 (Cleartext Storage of Sensitive Information) and OWASP 2021 A02 (Cryptographic Failures) both target this exact pattern. NIST SP 800-53 SC-28 mandates data at rest protection for sensitive records.
Why this severity: High because plaintext PII in extension storage is readable by any compromised extension update or malicious dependency that gains access to the storage context — encryption is the only mitigation that survives a supply chain compromise.
extension-data-privacy.privacy-disclosures.local-pii-encrypted

Browser permission dialogs are terse and technical — users confronted with "This extension wants to read your browsing history" without any explanation default to denial or, worse, approval without understanding. GDPR Art. 12 requires privacy information to be provided in a concise, transparent, and easily accessible form. Without user-facing help text in the options page or popup, users cannot make informed choices about which permissions to allow, cannot verify that the extension's permissions match its stated purpose, and are more likely to distrust the extension or report it as suspicious. Transparent permission explanations are the difference between an extension users recommend and one they uninstall.
Why this severity: Info because absent help text degrades user trust and informed consent rather than creating a direct technical vulnerability — but it is a signal that the extension has not considered privacy communication as part of its design.
extension-data-privacy.privacy-disclosures.permission-help-text

An extension that injects external scripts into web pages becomes a forced intermediary between the user and every site they visit. The injected script runs with the page's origin permissions and can read DOM content, capture form data, and exfiltrate it to any server the injected script chooses — entirely outside the extension's declared permissions. CWE-94 (Code Injection) and OWASP 2021 A03 describe this attack class. Chrome Web Store policy prohibits executing remote code, and Manifest V3 enforces this mechanically — but content scripts that dynamically create `<script>` tags pointing to external domains achieve the same effect and are a common policy violation. Any injected external script is a persistent supply chain risk: if that third party is compromised, every user of your extension is compromised.
Why this severity: High because injecting external scripts into web pages grants an uncontrolled third party the ability to read and exfiltrate any data visible to that page — the extension becomes an involuntary attack vector for every site the user visits.
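An added example (not code from the audit or from any real extension) of a static check for the no-script-injection pattern above: it tracks variables bound to `document.createElement('script')` and classifies what their `.src` is set to, accepting only sources that resolve inside the extension package. The regexes and the sample content script are constructed assumptions.

```javascript
// Added example (not from the audit or any real extension): a static check for
// the no-script-injection pattern. It tracks variables bound to
// document.createElement('script') and classifies what their .src is set to:
// a chrome.runtime.getURL(...) or chrome-extension:// source is packaged code,
// anything else is remote, page-relative, or needs manual review.
// Regexes and the sample content script are constructed assumptions.
const CREATE_SCRIPT = /(?:(?:const|let|var)\s+)?(\w+)\s*=\s*document\.createElement\(\s*['"`]script['"`]\s*\)/g;
const SRC_ASSIGN = /(\w+)\.src\s*=\s*([^;]+);?/g;

function classifyScriptSource(expr) {
  const e = expr.trim();
  if (/^chrome\.runtime\.getURL\(/.test(e)) return 'packaged';
  const lit = e.match(/^(['"`])(.*)\1$/);
  if (!lit) return 'dynamic';                 // computed URL: review by hand
  const url = lit[2];
  if (/^chrome-extension:\/\//i.test(url)) return 'packaged';
  if (/^(https?:)?\/\//i.test(url)) return 'external';   // third-party remote code
  return 'page-relative';                     // resolves against the visited site, not the package
}

function scanScriptInjection(filename, source) {
  const findings = [];
  const scriptVars = new Set();
  source.split('\n').forEach((line, i) => {
    let m;
    CREATE_SCRIPT.lastIndex = 0;
    while ((m = CREATE_SCRIPT.exec(line)) !== null) scriptVars.add(m[1]);
    SRC_ASSIGN.lastIndex = 0;
    while ((m = SRC_ASSIGN.exec(line)) !== null) {
      if (!scriptVars.has(m[1])) continue;    // .src on an <img> etc. is out of scope
      const kind = classifyScriptSource(m[2]);
      if (kind !== 'packaged') {
        findings.push({ file: filename, line: i + 1, variable: m[1], src: m[2].trim(), kind });
      }
    }
  });
  return findings;
}

// Constructed sample: one remote injection, one packaged bridge script, one image.
const SAMPLE_CONTENT_SCRIPT = [
  "const s = document.createElement('script');",
  "s.src = 'https://cdn.example.invalid/analytics.js';",
  "document.head.appendChild(s);",
  "const bridge = document.createElement('script');",
  "bridge.src = chrome.runtime.getURL('injected/page-bridge.js');",
  "const img = document.createElement('img');",
  "img.src = 'https://cdn.example.invalid/logo.png';",
].join('\n');

console.log(scanScriptInjection('content.js', SAMPLE_CONTENT_SCRIPT));
```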
extension-data-privacy.privacy-disclosures.no-script-injection

GDPR Art. 7(3) grants users the right to withdraw consent at any time; CCPA §1798.120 gives users the right to opt out of data collection. An extension that enables telemetry or analytics with no opt-out mechanism denies users these rights by design. The ePrivacy Directive Art. 5(3) specifically covers tracking mechanisms in software — non-essential analytics require prior consent in the EU. Chrome Web Store policy reinforces this: data collected beyond core functionality must be disclosed and controllable. Extensions with hidden or irremovable analytics are a frequent source of negative reviews and one-star ratings that permanently damage store placement.
Why this severity: Medium because always-on telemetry without an opt-out violates GDPR Art. 7(3) and CCPA §1798.120 user control rights — the harm scales with user count, and a single store review complaint can trigger a policy audit.
extension-data-privacy.storage-security.telemetry-opt-out

Clipboard content is among the most sensitive data on a user's device — it regularly contains passwords copied from password managers, 2FA codes, API keys, banking account numbers, and confidential text. An extension that reads the clipboard automatically, periodically, or on page load captures this data without any user signal that the action is happening. CWE-200 covers unauthorized data exposure; GDPR Art. 5(1)(c) requires collection to be limited to what is necessary and tied to a specific purpose. Chrome Web Store policy requires `clipboardRead` access to be justified by core functionality — background clipboard monitoring is explicitly prohibited.
Why this severity: Medium because automatic clipboard access can silently capture passwords, 2FA codes, and API keys during routine use — the absence of a user trigger means collection happens without any awareness or opportunity to prevent it.
extension-data-privacy.storage-security.clipboard-action-only

`chrome.storage.sync` transmits data to Google's servers and replicates it across every browser the user is signed into. Storing an unencrypted API key, OAuth token, or password in sync storage means that credential is now held by Google and replicated to potentially untrusted devices. CWE-312 (Cleartext Storage of Sensitive Information) and CWE-313 (Cleartext Storage in a File or on Disk) both apply — the data is transmitted and stored by a third party outside the developer's control. OWASP 2021 A02 and GDPR Art. 32 require appropriate encryption for data at rest; syncing credentials in plaintext fails both standards.
Why this severity: Medium because unencrypted secrets in `chrome.storage.sync` are transmitted to Google's infrastructure and replicated to all the user's signed-in browsers — a single compromised device in the sync chain exposes the credential everywhere.
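An added example (not the audit's own code or any extension's) that serves both this no-sync-secrets pattern and the tokens-not-in-storage pattern earlier on the page: a static scan for writes to `localStorage` and `chrome.storage.sync` whose key names look like credentials. The key-name heuristics and the sample source are constructed assumptions.

```javascript
// Added example, not code from the audit or from any real extension: a static
// check for the tokens-not-in-storage and no-sync-secrets patterns. It finds
// writes to localStorage and chrome.storage.sync whose key names look like
// credentials. Key heuristics and the sample source are constructed assumptions.
// Mitigation direction: keep tokens in the extension's own context (the service
// worker's memory or chrome.storage.session), never in page-shared or synced stores.
const SECRET_KEY = /token|secret|password|passwd|api[_-]?key|session[_-]?id|bearer/i;

const STORAGE_SINKS = [
  // localStorage.setItem('accessToken', ...): readable by any page script
  { sink: 'localStorage', check: 'tokens-not-in-storage',
    re: /localStorage\.setItem\(\s*['"`]([^'"`]+)['"`]/g },
  // localStorage.accessToken = ... or localStorage['accessToken'] = ...
  { sink: 'localStorage', check: 'tokens-not-in-storage',
    re: /localStorage(?:\.(\w+)|\[\s*['"`]([^'"`]+)['"`]\s*\])\s*=[^=]/g },
  // chrome.storage.sync.set({ apiKey: ... }): replicated through Google's servers
  { sink: 'chrome.storage.sync', check: 'no-sync-secrets',
    re: /chrome\.storage\.sync\.set\(\s*\{([^}]*)\}/g },
];

function scanStorageSecrets(filename, source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { sink, check, re } of STORAGE_SINKS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        // For an object literal every property name is a candidate key.
        const keys = sink === 'chrome.storage.sync'
          ? m[1].split(',').map((p) => p.split(':')[0].trim()).filter(Boolean)
          : [m[1] || m[2]];
        for (const key of keys) {
          if (SECRET_KEY.test(key)) {
            findings.push({ file: filename, line: i + 1, sink, check, key });
          }
        }
      }
    }
  });
  return findings;
}

// Constructed sample: two violations among benign preference writes.
const SAMPLE_SOURCE = [
  "localStorage.setItem('theme', 'dark');",
  "localStorage.setItem('accessToken', resp.access_token);",
  "chrome.storage.sync.set({ fontSize: 14, apiKey: userKey });",
  "chrome.storage.sync.set({ locale: 'en' });",
].join('\n');

console.log(scanStorageSecrets('popup.js', SAMPLE_SOURCE));
```

Key names are only a heuristic; a write whose key is computed at runtime will not be flagged and still needs manual review.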
extension-data-privacy.storage-security.no-sync-secrets

HTTP transmits data in plaintext — any network intermediary, including ISP-level traffic inspection, corporate proxies, and shared Wi-Fi routers, can read or modify the payload. An extension that sends user data over HTTP instead of HTTPS exposes that data to passive interception and active man-in-the-middle attacks. CWE-319 (Cleartext Transmission of Sensitive Information) directly describes this failure. GDPR Art. 32 requires appropriate technical measures to ensure data security in transmission; HTTP is not an appropriate measure for any data linked to a user. OWASP 2021 A02 and NIST SP 800-53 SC-8 both require confidentiality of transmitted data.
Why this severity: Medium because HTTP API calls containing user data are readable by any network intermediary between the extension and the server — encrypted transmission via HTTPS is a baseline security requirement, not an advanced hardening measure.
extension-data-privacy.storage-security.api-calls-https

GDPR Art. 5(1)(e) (storage limitation) and Art. 13(2)(a) (right to information) together require that users are told how long their data is retained and that data is not kept longer than necessary. A privacy policy silent on retention gives users no way to exercise their GDPR Art. 17 right to erasure — they cannot request deletion of data if they do not know how long it is held or where. CCPA §1798.100 similarly obligates disclosure of retention practices. For extensions, where users often forget they have installed a tool that is still collecting data, indefinite-retention silence compounds the harm.
Why this severity: Low because absent retention disclosure is a compliance gap rather than an immediate data exposure — but it undermines user rights under GDPR Art. 17 (right to erasure) and blocks users from making informed decisions about keeping the extension installed.
extension-data-privacy.third-party-sharing.retention-periods

GDPR Art. 13(1)(a) requires the data controller's contact details to be provided to users. GDPR Art. 77 gives users the right to lodge a complaint with a supervisory authority if their privacy concerns are not addressed — that right is meaningless without a contact mechanism for raising concerns first. CCPA §1798.130 requires businesses to designate at least two means for consumers to submit data rights requests. Chrome Web Store policy also requires developers to be contactable about their data practices. An extension with no privacy contact forces users with legitimate concerns directly to regulatory complaints or store reviews, both of which damage the developer's standing.
Why this severity: Low because a missing privacy contact is a regulatory compliance gap under GDPR Art. 13 and CCPA §1798.130 — it does not expose data directly but removes users' only non-regulatory avenue for exercising their data rights.
extension-data-privacy.third-party-sharing.privacy-contact

DevTools console output is visible to anyone with access to the browser — shared workstations, screen recordings, bug reports, and automated testing pipelines all routinely capture console output. Logging an auth token, user email, or session ID turns every debug session into a credential exposure event. CWE-200 and CWE-532 (Insertion of Sensitive Information into Log File) both apply; OWASP 2021 A09 (Security Logging and Monitoring Failures) includes logging sensitive data as a primary failure mode. Extension console output is also visible to any page script that exploits a content script bridge, making it a secondary exfiltration vector beyond direct log viewing.
Why this severity: Low because console log exposure requires DevTools access or a screen share to exploit — but it is a persistent risk in shared environments and turns routine debugging into a credential leak that may not be noticed until after the fact.
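An added example (not from the audit or any extension) of the mitigation for the console-debug-logs pattern above: a drop-in logging wrapper that redacts credential-like and PII-like values before anything reaches DevTools. The key and value patterns and the sample record are constructed assumptions.

```javascript
// Added example (not from the audit): a logging wrapper for the console-debug-logs
// pattern. Values that look like credentials or PII are redacted before anything
// reaches DevTools, so a captured console never holds a usable secret.
// The key and value patterns and the sample record are constructed assumptions.
const SENSITIVE_KEY = /token|secret|password|authorization|cookie|session|email|api[_-]?key/i;
const SENSITIVE_VALUE = [
  /\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/g,                   // bearer tokens
  /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,  // email addresses
];
const MASK = '[REDACTED]';

// Recursively redacts strings, arrays and plain objects; other values pass through.
// The input is never mutated: a new structure is returned.
function redact(value) {
  if (typeof value === 'string') {
    return SENSITIVE_VALUE.reduce((s, re) => s.replace(re, MASK), value);
  }
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? MASK : redact(v);   // key match masks the whole value
    }
    return out;
  }
  return value;
}

// Drop-in replacement for console.log in extension code. Returns the cleaned
// arguments so the redaction can be verified without capturing console output.
function safeLog(...args) {
  const cleaned = args.map(redact);
  console.log(...cleaned);
  return cleaned;
}

// Constructed sample: the kind of object a debug statement dumps wholesale.
const SAMPLE_RECORD = {
  user: { id: 42, email: 'jane@example.invalid' },
  accessToken: 'tok_constructed_123',
  headers: { Authorization: 'Bearer abc123.def456' },
  theme: 'dark',
};

safeLog('auth response', SAMPLE_RECORD);
```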
extension-data-privacy.third-party-sharing.console-debug-logs

GDPR Art. 5(1)(e) requires personal data not be retained longer than necessary — cached session data that survives a logout or uninstall violates this principle. A user who logs out of an extension expecting their session to be cleared can still have their data re-accessed if the extension is re-opened without re-authentication. GDPR Art. 17 (right to erasure) is practically impossible to honor if cached data persists beyond logout. CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) covers this failure. Uninstall handlers that do not clear extension storage leave personal data on the user's device indefinitely — often forgotten and never cleaned up.
Why this severity: Low because data persistence after logout is a latent privacy risk rather than an immediate exfiltration — but it directly violates GDPR Art. 5(1)(e) storage limitation and makes Art. 17 erasure requests unenforceable.
extension-data-privacy.third-party-sharing.cache-cleanup

GDPR Art. 13(1)(e) requires naming every recipient category of personal data at the time of collection. CCPA §1798.115 gives users the right to know specifically which third parties receive their data. An extension that integrates Google Analytics, Mixpanel, or Segment without disclosing this in its privacy policy is transmitting user data to unnamed third parties — a standalone GDPR violation and a Chrome Web Store policy breach. The ePrivacy Directive Art. 5(3) requires prior consent for non-essential tracking; undisclosed analytics satisfies neither the consent nor the transparency requirement. Users who would object to data sharing with specific analytics providers are denied the ability to make that choice.
Why this severity: Low because undisclosed analytics is a transparency violation rather than a direct data breach — but it is a GDPR Art. 13 and Chrome Web Store policy violation that regulators and store reviewers treat as evidence of broader privacy non-compliance.
extension-data-privacy.third-party-sharing.analytics-disclosed