[jatone]

that's a user problem. they granted the extension permission to access the data. that's on them. You will never be able to solve that problem. after all a user can just hand out their credentials if they want to.

Facebook's issues stems from the fact they allowed apps in their market to access data they didn't need to function / hide exactly how much access these applications are granted.

the reality here is auth is the solution; for browser extensions we need better UX. if a extension is asking for access to your navigation / page data that needs to be flagged and warned about during the setup flow.

many of these auth systems make the risky API access grants appear extremely benign.