A lot of Google Chrome extensions have the permission to read my data on websites that I visit. To avoid password theft I therefore picked my Google Chrome extensions very carefully.

Now I need to use a Google Chrome extension, that seems reputable, but I don't trust it 100 percent.

I plan to install this extension, use it for a few hours and then uninstall it again. Will this extension be able to access the passwords/data of websites that I visited before I installed the extension? Or will it be only able to access information about websites that I visit after I installed it?

My plan b is install the extension in a virtual machine or an old laptop instead.

  • Depending on how concerned you are, you could backup "Login Data", delete "Login Data", restart browser, test your extension, close browser, restore "Login Data", start browser. See #56 Chrome - Data Backup for instation on accessing the "Login Data" file.
    – DavidPostill
    Commented Oct 20, 2015 at 11:13
  • why not creating new profile at chrome and install the extensions? Commented Oct 20, 2015 at 13:08

2 Answers 2


The extension may or maynot be able to collect your previously saved password depending on your usage scenario. I am assuming your extension asks permission "Read and change data on all websites you visit".

Say, You have saved login credential for ebay.com. Now if you goto ebay login page, chrome automatically fills the credential.

enter image description here

Now as the extension can read all element on all web page, it can extract the password field value. eg: In the following screenshot, it is shown, how just a one line code can extract the information.

enter image description here

So, your best bet would be, not opening any website for which you saved login credentials and not logging into any website while the extension is installed because the extension can steal the password as you type the password.

Otherwise, the extension itself can never steal your password because chrome try to encrypt your saved passwords and save it on your computer. To know how chrome saves your password, read here.


I strongly encourage you to set extensions that manipulate site data to on-click access level. That said, extensions that are compatible with manifest v3 may be unable to access credentials because of declarative net request:

This approach has advantages for both user security and privacy, as well as performance. With a declarative approach, Chrome does not need to expose any sensitive data to the extension. The browser can perform the action requested by the extension without sending it all the data associated with the network request, because the extension already specified the conditions under which different actions are taken. This enables the extension to perform content blocking without needing access to all of a user’s personal information.

You can check for manifest v3 compliance by looking at the extension budges. A featured badge means that the extension follows best practices, including manifest v3 compliance. See this:

Featured extensions follow our technical best practices and meet a high standard of user experience and design.

and this:

Manifest V3 is the current version of the Chrome extension platform and all High Quality extensions should use it.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .