
The findings reveal a hidden data‑exfiltration vector that can compromise corporate confidentiality and personal privacy, prompting enterprises to reassess extension policies and regulators to consider stricter oversight.
The 2026 Incogni privacy risk report surveyed 442 AI‑powered Chrome extensions, revealing a systemic exposure that extends far beyond niche tools. Every extension required at least one permission, many granting the ability to read page content, monitor tab activity, or inject scripts. Such capabilities give the extensions visibility into emails, internal dashboards, and cloud applications, effectively turning a simple browser add‑on into a potential data conduit. With 52 % of the extensions collecting user data, the study underscores a broader industry blind spot: users rarely understand the depth of access they grant.
The report singled out two household names—Grammarly and QuillBot—as the most potentially damaging in terms of privacy. Both services harvest website content, keystrokes, navigation events, and even location data, while relying on the powerful scripting and activeTab permissions that let them modify pages in real time. For enterprises, this creates a hidden attack surface: confidential documents or proprietary code typed into web‑based editors can be captured and transmitted to external servers. The low malicious‑use likelihood score does not mitigate the risk posed by the sheer volume of users and the breadth of data accessed.
Categories such as programming assistants, meeting transcribers, and translators exhibit similar permission profiles, combining broad script access with modest declared data‑collection policies. Organizations can reduce exposure by enforcing extension whitelists, conducting regular permission audits, and educating employees about the trade‑off between convenience and privacy. Regulators are beginning to scrutinize AI‑driven browser tools, and future legislation may require more transparent disclosures and stricter data‑handling standards. Until such safeguards become mandatory, the onus remains on both developers to limit unnecessary permissions and on users to stay vigilant.
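The permission audit recommended above can be automated against the manifest.json each extension ships. The following is an added example (not from the Incogni report or any vendor): it flags the scripting, activeTab and tab-monitoring permissions and broad host patterns the report describes, and checks the extension against an approved list; the sample manifests, the risk weights and the use of extension names as allowlist keys are all constructed here for illustration.

```python
from __future__ import annotations
import json

# Permissions the report flags (script injection, tab monitoring, location).
# The short descriptions are my own summary, not text from the report.
HIGH_RISK_PERMISSIONS = {
    "scripting": "inject and run scripts in pages",
    "activeTab": "read and modify the current tab",
    "tabs": "monitor tab URLs and activity",
    "geolocation": "read device location",
}
# Host patterns that grant page access on every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict, allowlist: set[str]) -> dict:
    """Score one parsed manifest.json; `allowlist` holds approved extension names."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Content scripts with broad match patterns read page content everywhere.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    flagged = sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    # Weights are illustrative: one point per risky permission, two per broad
    # host pattern, plus three when script injection meets broad host access.
    score = len(flagged) + 2 * len(broad)
    if broad and perms & {"scripting", "activeTab"}:
        score += 3
    name = manifest.get("name", "<unnamed>")
    if name not in allowlist or score >= 5:
        verdict = "block"
    else:
        verdict = "review" if score else "ok"
    return {"name": name, "flagged_permissions": flagged,
            "broad_host_access": broad, "risk_score": score, "verdict": verdict}


# Constructed sample manifests, not any real extension's manifest.
WRITING_ASSISTANT = json.loads("""{
  "manifest_version": 3, "name": "Example Writing Helper",
  "permissions": ["scripting", "activeTab", "tabs", "storage"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")
NOTE_TAKER = json.loads("""{
  "manifest_version": 3, "name": "Example Note Taker",
  "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]
}""")
APPROVED = {"Example Writing Helper", "Example Note Taker"}
```

Run `audit_manifest(m, APPROVED)` over the manifests unpacked from a fleet's installed extensions; the writing-helper sample scores 8 and is blocked even though it is approved, because script injection on every site is the combination that exposes mail, dashboards and cloud apps.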