SlowMist Cosine: Pay attention to the permissions browser extensions request, and adopt an isolation mindset

PANews reported on March 15 that SlowMist's Yuxian posted on X to remind the community about browser extension security. He said that if an extension wants to do something malicious, such as stealing the target page's cookies or private data in localStorage (for example account permission information or private key information), tampering with the DOM, hijacking requests, or reading clipboard content, this can all be configured in manifest.json, and users who do not pay attention to the permissions an extension requests will be in trouble. However, if a malicious extension wants to directly attack other extensions, such as well-known wallet extensions, that is still not easy, because the sandbox is isolated. For example, it is unlikely to directly steal the private key or mnemonic information stored in a wallet extension.

If you are worried about the permission risk of a particular extension, the risk is actually easy to judge. After installing the extension, do not use it right away: look up the extension ID, search for it in the local file system, find the manifest.json file in the extension's root directory, and give the file content directly to an AI for a permission risk interpretation. If you have an isolation mindset, you can consider using a separate Chrome Profile for unfamiliar extensions, so that at least any malicious behavior is contained; most extensions do not need to be enabled all the time.
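The manifest check described above can also be done locally before handing the file to anything else. The following Python sketch is an added example, not part of the original post: the permission-to-behaviour mapping, the list of "broad" host patterns and the sample manifest are assumptions made for illustration.

```python
import json
import sys

# Manifest permission -> behaviour it enables (mapping chosen for this example).
RISKY = {
    "cookies": "read cookies for sites the extension has host access to",
    "clipboardRead": "read clipboard content",
    "webRequest": "observe network requests",
    "webRequestBlocking": "block or modify requests (Manifest V2)",
    "declarativeNetRequest": "block or redirect requests through rules",
    "scripting": "inject scripts into pages (DOM and localStorage access)",
    "debugger": "attach the debugger protocol to tabs",
}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(text):
    """Return (item, reason) findings for one manifest.json document."""
    m = json.loads(text)
    perms = m.get("permissions", []) + m.get("optional_permissions", [])
    perms = [p for p in perms if isinstance(p, str)]  # ignore non-string entries
    # Manifest V3 lists hosts separately; Manifest V2 mixes them into "permissions".
    hosts = m.get("host_permissions", []) + m.get("optional_host_permissions", [])
    hosts += [p for p in perms if p == "<all_urls>" or "://" in p]
    findings = [(p, RISKY[p]) for p in perms if p in RISKY]
    findings += [("host:" + h, "access applies to every site")
                 for h in hosts if h in BROAD]
    for script in m.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                findings.append(("content_scripts:" + pattern,
                                 "script runs in every page (DOM, localStorage)"))
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.dumps({
    "manifest_version": 3,
    "name": "Sample Helper",
    "permissions": ["storage", "cookies", "clipboardRead", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
})

if __name__ == "__main__":
    # Pass the path of an installed extension's manifest.json, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for item, reason in audit_manifest(text):
        print(f"{item}: {reason}")
```

An empty result only means none of the listed items matched; narrowly scoped host patterns still grant access to the sites they name.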

Author: PA一线
