There’s a great article from Geoffrey Fowler at The Washington Post on the massive security problems with browser extensions:
Jadali tested the links between extensions and Nacho by installing a bunch himself and watching to see if his data appeared for sale. We did some of these together, with me as a willing victim. After I installed an extension called PanelMeasurement, Jadali showed me how he could access private iPhone and Facebook photos I’d opened in Chrome, as well as a OneDrive document I had named “Geoff’s Private Document.” (To find the latter, all he had to do was search page titles on Nacho for “Geoff.”)
…
After we disclosed the leaks to browser makers, Google remotely deactivated seven extensions, and Mozilla did the same to two others (in addition to one it disabled in February). Together, they had tallied more than 4 million users.
(Emphasis mine.)
These extensions can literally see anything you look at or type on a web page, and can send this information to a third party’s server without your knowledge.
The only browser extensions I run are from highly trusted developers, namely 1Password and MarsEdit. Everything else that needs a browser extension (mostly reference management services) lives only in a separate user profile in Chrome where I don’t open anything sensitive.
