Back to articles

Extension email access explained: what browser add-ons can really see in your inbox

Over 200 extensions silently extract email data from Gmail and Outlook. Here's how DOM access works and how to check which add-ons can read your inbox.

Maxim Kosterin
7 min read

You probably check your inbox a dozen times a day. Your browser extensions might be checking it too — and forwarding what they find to servers you've never heard of. I've been tracking extension permission abuse for a while now, and email access is one of the most underappreciated privacy risks I see. Over 200 extensions have been caught extracting email data from Gmail and Outlook, and the mechanism they use is simpler than you'd think.

How extensions read your email (without hacking anything)

When you open Gmail in your browser, the email content is rendered as HTML on the page. Browser extensions with page access permissions can read anything the page displays — no password cracking, no API exploitation required. It's just DOM access.

DOM stands for Document Object Model. It's the structured representation of everything your browser renders on screen. When you see an email, the sender name, subject line, message body, and even attachments are all part of the DOM tree. Any extension with the host_permissions for mail.google.com — or the broader "Read and change all your data on all websites" permission — can parse that DOM and extract whatever it wants.

This isn't a bug or an exploit. It's how the extension platform is designed. The same mechanism that lets a grammar checker fix your typos in a compose window lets a malicious extension read every email you open.

What DOM access actually lets extensions see

An extension with access to your email domain can extract:

  • Sender and recipient addresses — who you're emailing and who emails you
  • Subject lines — the topic of every conversation
  • Full message bodies — the complete text of your emails
  • Attachments and file names — documents shared through email
  • Thread metadata — timestamps, labels, read status, conversation structure

Even without reading message content, metadata alone reveals a lot. Your work schedule, communication patterns, key contacts, and rough location all become visible from email metadata alone. According to Georgia Tech researchers, more than 3,000 browser extensions automatically collect user-specific data of this kind.

Here's the 2026 twist: AI-powered extensions that summarize emails, draft replies, or categorize your inbox have a legitimate reason to process email text. But when these tools invoke their AI features, they often transmit the extracted content to external servers for processing. Some of the flagged extensions described none of this automated data collection in their privacy policies or Chrome Web Store descriptions.

Over 200 extensions caught extracting email data

This isn't theoretical. According to SecurityWeek, over 200 extensions were found directly uploading sensitive information extracted from webmail services — including Gmail and Outlook — to external servers.

In the latest wave, 15 extensions specifically targeted Gmail through DOM scraping. When users visited mail.google.com, these extensions silently read email content from the page and transmitted it to third-party infrastructure. The research, also covered by The Hacker News, found that none of the flagged extensions disclosed this behavior.

The Georgia Tech study puts the scale in perspective: the researchers identified more than 3,000 extensions that automatically collect user-specific data across the Chrome Web Store. And here's a stat that explains why nobody notices — reading all the privacy policies a user encounters in a year would take 76 working days. Nobody's doing that. The extensions exploiting email access know it.

What email exfiltration actually looks like in practice

The pattern is nearly always the same once you've seen it a few times. The extension waits until you load mail.google.com (or another webmail domain), then runs a content script that walks the DOM tree and pulls structured data — typically subject lines, sender addresses, snippets of the body, and timestamps. That data gets serialized to JSON and shipped over fetch() or XMLHttpRequest to an endpoint that's hard-coded in the extension or — more sneakily — fetched from a remote configuration file at runtime.

The remote-config trick matters: it lets the extension's developer change collection behavior after Chrome Web Store review has signed off on the original code. The extension that passed review reads emails benignly. Two weeks later, a config update flips a flag and the same extension starts shipping every subject line you read to a third-party endpoint. There is no Chrome Web Store re-review for this kind of behavior change, and there is no notification to you. From your side, nothing visibly changes.

Network traffic is the only reliable detection signal once an extension is installed. If you open Chrome's DevTools, switch to the Network tab, and load Gmail, anything talking to a domain that isn't Google's is suspect — especially for an extension whose stated function has nothing to do with email. Practical telltale: requests to obscure analytics or "telemetry" subdomains immediately after a page load are how most of the recently disclosed Gmail-scraping extensions were initially caught.

When email access is okay — and when it isn't

Not every extension that touches email content is malicious. The permission itself is neutral — what matters is how the data gets handled.

Probably fine:

  • Email productivity tools (like read trackers or scheduling assistants) that need DOM access to function and process data locally on your device
  • Extensions that clearly disclose their data access in their privacy policies and limit collection to what's necessary
  • Tools that request access only to specific email domains they actually need, rather than all websites

Worth questioning:

  • Extensions that request "all sites" access when they only need a few specific domains. Why does a coupon finder need to read your Gmail?
  • AI-powered email tools that send your message content to cloud APIs for processing. Even if the extension itself isn't malicious, your email data is now on someone else's server
  • Any extension that has the permissions to access email but doesn't mention email data handling in its privacy policy

The key question is simple: does this extension need to send my email data off my device to work? If an email summarizer ships your messages to a remote server, that's a trade-off you should at least know about. Personally, I'd think twice about any AI email extension that doesn't explicitly describe how it handles your data.

How to check which extensions can read your inbox

Here's a quick audit you can run right now:

1. Review your installed extensions. In Chrome, go to chrome://extensions and click "Details" on each extension. In Firefox, go to about:addons. Look at the permissions section for each one.

2. Look for broad host permissions. Any extension with "Read and change all your data on all websites" can access your email pages. Extensions with specific access to mail.google.com, outlook.live.com, or outlook.office.com can too. If an extension doesn't need email access for its core function, that's a red flag.

3. Audit AI email tools separately. If you use extensions for email summaries, smart replies, or inbox categorization, check whether they process data locally or transmit it externally. Their privacy policies should state this clearly — though as we've seen, many don't bother.

4. Use Extenshi to scan your extensions. The Extenshi catalog shows detailed permission breakdowns for Chrome extensions. You can see exactly which permissions each extension requests and identify any with unnecessary access to sensitive domains. For extensions you're not sure about, search the catalog by name to see their full permission profile before deciding whether to keep them.

If you find extensions with email access that you don't recognize or that don't need it for their stated purpose, remove them. A minor convenience isn't worth having your inbox quietly forwarded to an unknown server.

Check your extensions' permissions on Extenshi →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles