1. Browser extensions can read password fields and exfiltrate data
“Browser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields” – mentalgear
“Even scripts within the page itself cannot read the value of password input fields. This is less of an issue than you are presenting it as.” – drdec
2. Trust is built on auditability and open‑source code
“I only run open source extensions that I can actually audit.” – singularfutur
“Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.” – singularfutur
“Extensions are local files on disk… Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.” – nickjj
3. The extension ecosystem is vulnerable to supply‑chain attacks and buy‑outs
“I have a 100k+ user extension… I've probably received hundreds of emails over the years asking me to sell out in one way or another.” – mcjiggerlog
“If someone would like to replicate, a good approach would be to reduce the cost by removing a full‑chromium engine.” – captn3m0
“The same modality is used by gamers to sell off their high‑level characters… The same pattern is used by malicious actors to buy legitimate extensions.” – RupertSalt
4. Users are encouraged to minimize extensions, disable auto‑updates, or use built‑in browser features
“Installing new extensions is sometimes appealing, but the risk is just too high.” – stevekemp
“I only trust uBlock Origin, Bitwarden and my own extensions.” – mcjiggerlog
“I have a password manager, Privacy Badger and Firefox Multi‑Account Containers… The only one of these I feel should actually be a plugin is my password manager.” – mrweasel
These four themes—security risk, trust & auditability, supply‑chain threats, and user‑side mitigation—dominate the discussion.