How secure are extensions in browsers?

Also I guess you should read the extension's privacy policy if available. Like this:

Trace - Privacy

Extensions are tricky because of all the rights they have, however As long as you are downloading an extension that is either open sourced, (code viewable on github), or a extremely popular extension you "should" be fine.

Keeping an eye on the permissions is also key just like android. An extension that refreshes all the tabs in a window, what reasonable permission does that need? When you think about it, it does not need access to read site data, as it only need to refresh the page. It shouldn't need any special permissions at all since it is simply clicking refresh in each tab.

Example, this extension wants to read my browsing history, which does not make sense:
Reload All Tabs - Chrome Web Store

Where as this one does not and requires no extra permissions to work and works just fine:
Refresh 'Em All - Chrome Web Store

Could be the creator of the first extension is not as skilled as the other, requiring the unnecessary permission, or perhaps they are stealing and capturing your browser history. It's hard to say.

Using a little common sense with what permissions would be strictly necessary to allow them to work makes sense.

Just like you would not install a game on android and let it read your contacts or browsing history, it works the same with browsers. If that game has a facebook friend share feature, then it makes sense it would need that permission. But do you trust it to not read your contacts whenever it wants? This is why I would love it browser extensions were given permissions just like android where certain ones can be denied or allowed. That would be a very welcome feature. However, most extensions you can right click and block reading and changing site data unless clicked on, or only on certain sites, or on all sites. So that is nice. I would like to see this be taken further.

Any "security" extensions in your browser are all pretty much useless and just spy on you. Browsers these days have more protection built in then people give them credit for.

I will say though, if your worried about the privacy angle, this is kind of already a lost cause. Browsers themselves can be fingerprinted even without cookies or supercookies. Doesn't matter the browser. So you can still be tracked everywhere you visit. Your isp tracks you and knows every site you visit. Your router tracks you and knows all traffic going in and out from it, and some cloud routers are highly suspicious in there privacy policies. Unless you pay for a vpn and find an actual vpn that is secure itself that you can trust, (which is no guarantee) you're pretty much tracked no matter what you do.

If you want to put a lot of effort into preventing tracking, that is up to you. For most people, this is too much hassle and takes too much time.

As for how secure the extensions are as to compromising your browser security, most of these extensions are built on a sandbox layer for each tab they are activated on. So if an extension is exploited by a website, closing the tab will cause the exploit to be discarded in most cases. However, there is certainly still a risk. In short, installing them from the official store, using extensions that are extremely popular or made by firefox or google themselves is way less of a risk then installing a third party extension from an unknown party. Open source extensions are ones I put my trust in the most, as they lay there code out on github for anyone to look at and review. These are less likely to have issues or problems.

As already mentioned, going incognito or a private browser window does disable all extensions by default, (usually) though I would double check to make sure none were allowed in that mode by accident. Then you can do banking etc or whatever you are concerned about being tracked.

Just my thoughts.

-Andrew