Is DuckDuckGo Search & Tracker Protection safe to use?

DuckDuckGo Search & Tracker Protection has a risk level of CRITICAL with an overall risk score of 9.7/10. Our scan detected 186 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does DuckDuckGo Search & Tracker Protection request?

DuckDuckGo Search & Tracker Protection requests the following permissions: activeTab, alarms, contextMenus, declarativeNetRequest, declarativeNetRequestFeedback, scripting, storage, tabs, webRequest, webNavigation, cookies, browsingData. It also requests host access to: *://*/*, .

What is DuckDuckGo Search & Tracker Protection's risk score?

DuckDuckGo Search & Tracker Protection has an overall risk score of 9.7/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 7.0/10.

ExtSafe

DuckDuckGo Search & Tracker ProtectionSecurity Analysis

Chromev2026.1.12MV3February 16, 2026 at 03:09 PM

9.7CRITICAL

9.7 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 14 permissions including high-risk ones, 176 code findings, 4 dangerous combinations.

Dangerous Combinations(4)

CRITICALCookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies+external network request

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

7.0/10

Permissions(14 analyzed)

Code Findings(30 patterns, 176 total)

Libraries(1 detected)

1 library detected, 1 with known vulnerabilities

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(3 findings)

Resolved from __MSG_* i18n placeholders:

Name: DuckDuckGo Search & Tracker Protection

Description: Actively protects your data in your current browser.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

HIGH

content_scriptsAggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains(40)

${dom${targeturl**.duckduckgo.com0.0.0.1accounts.google.comapp.asana.combit.lybugs.chromium.orgcaniuse.comconnect.facebook.netdevelopers.google.comduckduckgo.comduckduckgo.github.ioen.wikipedia.orgexample.comexample.duckduckgo.comgithub.comhelp.duckduckgo.comhtml.spec.whatwg.orgimproving.duckduckgo.comjquery.comjquery.orgmathiasbynens.bemozilla.orgother.compromisesaplus.comquack.duckduckgo.comsearchfox.orgstaticcdn.duckduckgo.comtc39.estinyurl.comunicode-org.github.iowebtransparency.cs.princeton.eduwww.apache.orgwww.emailregex.comwww.facebook.comwww.simoahava.comwww.youtube.comyoutu.be