When I searched for the folder, I found it was 6.4 GB. That is shockingly large and may explain much of the browser PC issues that I was experiencing (new PC installed late summer 2025, issues started occurring in December, which coincidentally was when the folder shows as installed).
I was talking with my husband this morning when I started reading this. He was also pointing out that we as tax practitioners should be careful of our extensions and add-ons. Do you have an ad-blocker? It has to look at the content of every site you go to - banking sites, tax portal, IRS.gov, tax prep software (if you are online), etc. Do you have other extensions and what is their security?
Katie, your husband is exactly right, and this is the half of the conversation that does not get nearly enough attention. Browser extensions sit inside your browser's trust boundary. They can read every page you visit, capture form fields, intercept clipboard data, modify what gets sent to servers, and in some cases observe authentication tokens. An extension is not a passive add-on. It is software running with your privileges, on every site you load, including IRS sites, bank logins, tax software, document signing platforms, and email.
A few things worth thinking through:
The extension you install today is not necessarily the extension you have next month. Extensions auto-update through the browser store, and the developer who shipped a clean v1 can sell or transfer the extension to someone else, who pushes a v2 that is now scraping form data. This has happened repeatedly with ad blockers, screenshot tools, PDF utilities, and shopping helpers. The extension keeps the same name, same icon, same install base, and silently changes what it does.
Even legitimate extensions have permission scopes most users never read. "Read and change all your data on all websites" is the most common permission tier, and once granted, the extension can do exactly that. Including on http://irs.gov.
For ad blockers specifically, uBlock Origin (open source, well-audited, and run by a developer who has publicly refused multiple acquisition offers) is the one I trust. AdBlock and AdBlock Plus have both gone through ownership changes and accept payments from advertisers to whitelist them. Privacy Badger from EFF is another reasonable choice. Anything else, I would audit before installing.
A practitioner-grade extension hygiene checklist looks something like this:
Quarterly review of every extension installed across every browser on every machine. If you cannot remember why you installed it, remove it.
Read the permissions before installing. If a flashlight app needs access to your contacts (so to speak), that is the signal.
Prefer open-source extensions with active maintenance and a public commit history.
Avoid extensions that have changed ownership recently. Browser stores often hide this, but the extension's GitHub or developer page usually tells the story.
Use separate browser profiles for client-data work and general browsing. Extensions installed in one profile do not run in the other.
Disable extensions in incognito or private windows by default, and only enable specific ones when needed.
One thing worth adding here. Some browsers reduce how many extensions you need in the first place. Brave, for instance, ships with built-in ad and tracker blocking (Brave Shields), HTTPS upgrading, fingerprinting protection, and script controls, all native to the browser rather than added on through third-party extensions. That matters because every extension you do not need is one less piece of software with read-and-change access to every page you visit. I have been using Brave more and more lately for exactly this reason. The fewer extensions in the trust boundary, the smaller the attack surface.
The deeper answer is that extensions deserve their own piece. I will put one on the calendar. Thanks for raising it.
When I searched for the folder, I found it was 6.4 GB. That is shockingly large and may explain much of the browser PC issues that I was experiencing (new PC installed late summer 2025, issues started occurring in December, which coincidentally was when the folder shows as installed).
I was talking with my husband this morning when I started reading this. He was also pointing out that we as tax practitioners should be careful of our extensions and add-ons. Do you have an ad-blocker? It has to look at the content of every site you go to - banking sites, tax portal, IRS.gov, tax prep software (if you are online), etc. Do you have other extensions and what is their security?
Katie, your husband is exactly right, and this is the half of the conversation that does not get nearly enough attention. Browser extensions sit inside your browser's trust boundary. They can read every page you visit, capture form fields, intercept clipboard data, modify what gets sent to servers, and in some cases observe authentication tokens. An extension is not a passive add-on. It is software running with your privileges, on every site you load, including IRS sites, bank logins, tax software, document signing platforms, and email.
A few things worth thinking through:
The extension you install today is not necessarily the extension you have next month. Extensions auto-update through the browser store, and the developer who shipped a clean v1 can sell or transfer the extension to someone else, who pushes a v2 that is now scraping form data. This has happened repeatedly with ad blockers, screenshot tools, PDF utilities, and shopping helpers. The extension keeps the same name, same icon, same install base, and silently changes what it does.
Even legitimate extensions have permission scopes most users never read. "Read and change all your data on all websites" is the most common permission tier, and once granted, the extension can do exactly that. Including on http://irs.gov.
For ad blockers specifically, uBlock Origin (open source, well-audited, and run by a developer who has publicly refused multiple acquisition offers) is the one I trust. AdBlock and AdBlock Plus have both gone through ownership changes and accept payments from advertisers to whitelist them. Privacy Badger from EFF is another reasonable choice. Anything else, I would audit before installing.
A practitioner-grade extension hygiene checklist looks something like this:
Quarterly review of every extension installed across every browser on every machine. If you cannot remember why you installed it, remove it.
Read the permissions before installing. If a flashlight app needs access to your contacts (so to speak), that is the signal.
Prefer open-source extensions with active maintenance and a public commit history.
Avoid extensions that have changed ownership recently. Browser stores often hide this, but the extension's GitHub or developer page usually tells the story.
Use separate browser profiles for client-data work and general browsing. Extensions installed in one profile do not run in the other.
Disable extensions in incognito or private windows by default, and only enable specific ones when needed.
One thing worth adding here. Some browsers reduce how many extensions you need in the first place. Brave, for instance, ships with built-in ad and tracker blocking (Brave Shields), HTTPS upgrading, fingerprinting protection, and script controls, all native to the browser rather than added on through third-party extensions. That matters because every extension you do not need is one less piece of software with read-and-change access to every page you visit. I have been using Brave more and more lately for exactly this reason. The fewer extensions in the trust boundary, the smaller the attack surface.
The deeper answer is that extensions deserve their own piece. I will put one on the calendar. Thanks for raising it.
I just uninstalled Chrome. I primarily use Google. However, I have found that some IRS apps work only on Firefox. Check this out, Josh.
Which ones are only working with Firefox?