Google has yanked 200 extensions from the Chrome store, after they were revealed to be stealing sensitive data from millions of users.
The move follows two reports about browser extensions, the small, often free tools that can be installed in Chrome and Firefox to add specific features.
The first report was from the University of California at Santa Barbara, which worked alongside Google to measure the extent of the problem, analysing more than 100 million visits to its pages.
The research found that 5 per cent of everyone visiting a Google page have at least one malicious extension, and most of those affected have multiple dodgy add-ons.
Researcher Alexandros Kapravelos said the problem is hard to fix because malicious extensions use the same techniques to collect data as legitimate tools.
"Even when we have a complete understanding of what the extension is doing, sometimes it is not clear if that behaviour is malicious or not," he told the BBC. "You would expect that an extension that injects or replaces advertisements is malicious, but then you have AdBlock that creates an ad-free browsing experience and is technically very similar."
Indeed, the extension that's the focus of the second report denies it's acting malicously. Web firm ScrapeSentry analysed Chrome extension Webpage Screenshot, finding it collects data from users and sends it to a server in the US.
While the purpose of the tool is, as the name suggests, to take screenshots of webpages, the extension also copies all your browsing data, sending it to an IP address registered in the US.
"The repercussions of this could be quite major for the individuals who have downloaded the extension," said ScrapeSentry security analyst Cristian Mariolini. "What happens to the personal data and the motives for wanting it sent it to the US server is anyone's guess, but ScrapeSentry would take an educated guess it's not going to be good news. And of course, if it's not stopped, the plugin may, at any given time, be updated with new malicious functionality as well."
However, a spokesperson for Webpage Screenshot told the BBC that the data wasn't gathered for malicious reasons, but to understand who was using the extension.
Google doesn't appear to believe full browsing history is required for that, and the extension has been removed from its Chrome Web Store.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.