Browser Extension Wallets, Explained

By SSP Editorial Team

A browser extension wallet is a small program that lives inside your web browser — Chrome, Firefox, Brave, or Edge — and holds the keys to your crypto. You install it the same way you install an ad blocker: from the browser's add-on store, with one click. Once it is there, a wallet icon sits next to your address bar, ready whenever you visit a website that needs to handle crypto.

This guide explains how that kind of wallet actually works, what its security model looks like, and where the real risks are. If you are brand new to wallets, start with what a crypto wallet is and then the broader comparison of a software wallet versus a hardware wallet — this article zooms in on the browser-based kind specifically.

What an "extension" actually is

A browser extension is software that adds features to your browser. The browser is the host program; the extension is a guest that the browser lets run inside it. Extensions can read and change the web pages you visit, show their own pop-up windows, and store data on your computer. That power is exactly what makes an extension wallet convenient — and exactly what you need to understand before you trust one with money.

An extension wallet uses that power to do three jobs. It stores your keys in the browser's local storage, usually protected by a password. It shows you a pop-up when you need to approve something. And it talks to web pages through a technique called injection.

How injection works

Injection means the wallet places a small piece of code into every web page you open. Think of it as the wallet leaving a phone on the table of every site you visit. When a website wants to do something with crypto — connect to your wallet, show your balance, or ask you to send a transaction — it picks up that phone and makes a request.

Your wallet receives the request and does not act on it silently. It opens a pop-up and asks you. "This site wants to connect." "This site wants you to sign a transaction sending 0.2 ETH." Nothing moves until you click approve. The website can ask; only you can agree. That approval step is the single most important habit in using any browser wallet: read the pop-up before you click.

This design is what lets a decentralized application — a dApp, meaning a website that runs on a blockchain — work straight from a normal browser tab with no extra software. It is genuinely useful. But because the wallet is reachable from every page, every page is also part of the picture when we talk about safety.
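
The request-and-approve flow described above, modeled in JavaScript as an added example (not SSP's code or any real wallet's API). The names `createWalletProvider`, `askUser`, `signTx`, the method names, and the sample origin and address are hypothetical, and the synchronous prompt is a simplification.

```javascript
// Toy model of an injected wallet provider; every name here is hypothetical.
function createWalletProvider(askUser, signTx) {
  const connected = new Set(); // origins the user has approved

  // The prompt is built from the fields that will be signed,
  // never from text supplied by the page.
  const describe = (origin, tx) =>
    `${origin} wants you to sign a transaction sending ` +
    `${tx.amount} ${tx.asset} to ${tx.to}`;

  return {
    request(origin, { method, params = {} }) {
      if (method === 'connect') {
        if (!askUser(`${origin} wants to connect`)) {
          return { ok: false, error: 'user rejected' };
        }
        connected.add(origin);
        return { ok: true };
      }
      if (method === 'sendTransaction') {
        if (!connected.has(origin)) return { ok: false, error: 'not connected' };
        const { to, amount, asset } = params; // page-supplied "reason" is dropped
        const tx = { to, amount, asset };
        if (!askUser(describe(origin, tx))) {
          return { ok: false, error: 'user rejected' };
        }
        return { ok: true, signed: signTx(tx) };
      }
      return { ok: false, error: 'unsupported method' };
    },
  };
}

// Constructed scenario: a page labels a transfer as "verify your wallet".
function runScenario(userApproves) {
  const prompts = [];
  const askUser = (text) => { prompts.push(text); return userApproves(text); };
  const provider = createWalletProvider(askUser, (tx) => `signed:${JSON.stringify(tx)}`);
  const origin = 'https://dapp.example';
  const before = provider.request(origin, { method: 'sendTransaction' });
  provider.request(origin, { method: 'connect' });
  const result = provider.request(origin, {
    method: 'sendTransaction',
    params: { to: '0xRECIPIENT', amount: '0.2', asset: 'ETH', reason: 'verify your wallet' },
  });
  return { before, result, prompts };
}

console.log(runScenario(() => true).prompts);
```

The second prompt states the amount and recipient regardless of how the page worded its request, which is why reading it matters.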

The attack surface

"Attack surface" is a plain term for every place a thing can be attacked. A front door, a back door, and an open window are all part of a house's attack surface. A browser wallet has a few of them.

Malicious or compromised web pages. Because the wallet injects into every site, a hostile site can send it requests. The wallet still asks you first, so a malicious page cannot move funds on its own — but it can craft a confusing request and hope you approve without reading it.

Phishing dApps. A phishing site is a fake built to look like a real one. A copycat of a popular exchange or NFT marketplace can ask you to "verify your wallet" and present a transaction that actually drains it. The pop-up is honest about what it will do; the website lied about why.

Over-broad permissions. When you install any extension, the browser lists what it can access. Many wallets request permission to read and change data on all websites — they need it to inject everywhere. The cost is that a wallet with broad reach is a bigger prize if it is ever turned against you.

Supply-chain risk. This is the subtle one. A supply-chain attack targets not you, but something you depend on. Modern software is built from hundreds of smaller open-source building blocks called dependencies. If an attacker slips bad code into one of those building blocks — a poisoned dependency — or hijacks the update that pushes a new version of the extension to your browser, the malicious code arrives through a channel you already trust. You installed a safe extension; a later update, or a buried component inside it, was not.

For a deeper, vendor-neutral look at how browser extensions are built and secured, Mozilla's MDN web-extensions documentation is the authoritative reference, and the OWASP project publishes general guidance on the web threats above.

How SSP reduces the risk

None of this means browser wallets are unsafe to use. It means a well-built one has to plan for the attack surface instead of pretending it does not exist. SSP does this in two concrete ways.

LavaMoat runtime sandboxing. A sandbox is a confined space where something can run without being able to reach the rest of the system — the way a real sandbox keeps the sand in one place. LavaMoat applies that idea to those hundreds of dependencies. Each dependency runs in its own sealed compartment with access only to what it genuinely needs. So if a poisoned dependency does slip in through a supply-chain attack, it is boxed in: it cannot quietly reach across the wallet to read your keys, because the walls of its compartment do not let it. The attack is contained instead of catastrophic. We cover this in detail in the newsroom post on LavaMoat coming to SSP.

A 2-of-2 design. This is the bigger structural protection. Most browser wallets hold the whole key — approve a bad pop-up and the funds are gone. SSP splits signing across two devices: the browser extension holds one key, and the SSP Key app on your phone holds the second. A transaction is only valid when both sign it. The extension on its own cannot move a single coin.

That changes the math completely. Even if a malicious page tricks the extension, even if a compromised update reaches it, the attacker controls only one of two required keys. Your phone — a separate device, with a separate screen showing you the transaction details — still has to approve. An attack that would empty an ordinary browser wallet stalls at a wall it cannot cross.
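
A small model of the 2-of-2 rule, added here as an illustration and not SSP's actual signing scheme. It assumes two Ed25519 key pairs from Node's built-in crypto module stand in for the extension and the phone; all function names and transaction values are constructed.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed key pairs standing in for the two devices (assumption).
const extension = generateKeyPairSync('ed25519');
const phone = generateKeyPairSync('ed25519');
const requiredKeys = [extension.publicKey, phone.publicKey];

// Fixed field order so both devices sign exactly the same bytes.
function encodeTx(tx) {
  return Buffer.from(JSON.stringify([tx.to, tx.amount, tx.asset, tx.nonce]));
}

function signTx(tx, privateKey) {
  return sign(null, encodeTx(tx), privateKey);
}

// Valid only if each required key has a matching signature over this exact tx.
function isValid2of2(tx, signatures, keys) {
  if (signatures.length !== keys.length) return false;
  const msg = encodeTx(tx);
  return keys.every((key, i) => verify(null, msg, key, signatures[i]));
}

function demo() {
  const tx = { to: 'addr-constructed-1', amount: '0.2', asset: 'ETH', nonce: 7 };
  const extSig = signTx(tx, extension.privateKey);
  const phoneSig = signTx(tx, phone.privateKey);
  // A compromised extension can re-sign a changed tx, but cannot reuse the
  // phone's approval: that signature covers the original bytes only.
  const tampered = { ...tx, to: 'addr-constructed-2' };
  const tamperedExtSig = signTx(tampered, extension.privateKey);
  return {
    bothSign: isValid2of2(tx, [extSig, phoneSig], requiredKeys),
    extensionOnly: isValid2of2(tx, [extSig], requiredKeys),
    extensionTwice: isValid2of2(tx, [extSig, extSig], requiredKeys),
    tamperedAfterPhoneApproval:
      isValid2of2(tampered, [tamperedExtSig, phoneSig], requiredKeys),
  };
}

console.log(demo());
```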

So, are browser wallets safe?

A browser wallet is safe enough for everyday use when two things are true: the wallet is built to contain the failures described above, and you treat the approval pop-up as a real decision rather than a reflex. Install extensions only from official stores, keep the wallet to itself in a browser you trust, and slow down whenever a site asks you to sign something.

A browser wallet's biggest weakness — that it lives in a busy, internet-connected browser — is real. SSP's answer is not to ignore it but to assume the browser can be compromised and make that survivable: LavaMoat contains a bad dependency, and the 2-of-2 design means the extension alone is never enough to lose your funds. Up next in this series, mobile crypto wallets looks at the other half of that pairing — the phone that has to co-sign.
