Browser extensions are small software programs that offer features like filters and controls to change the way a user views web pages and services. They run inside web browsers and enable users to tailor the functionality of a browser.
Although these features are useful, they can also potentially pose a threat to privacy and security. Browser extensions are available from browser entities as well as third-parties – and cybercriminals have found ways to publish malicious browser extensions that perform illicit activities, including spying, data theft and more.
Are Browser Extensions Worth the Risk?
Most extensions are free. Some operate in the background and automatically perform specific tasks, while others appear as options/icons on the menu or next to the address bar. Extensions are commonly downloaded to: create toolbars, block ads and pop-ups, change appearance of web pages, optimize memory usage to improve browser efficiency, compare shopping sites and look for coupons, change search engine options, start page, or new tab page.
However, recently, several extensions have been found to be malicious. They are set up to: track every page visited, read and/or write all data in browsing sessions, download passwords and personal information, or install malware, adware, or viruses.
Hackers develop their own malicious extensions or hijack legitimate ones. Most malicious extensions originate from third-party websites; however, they’ve also been known to slip into official web browser stores. Over 65% of Google Chrome Web Store extensions require some type of permission, and Chrome issues a warning to “watch out for extensions that require permissions that are irrelevant to the core purpose of the extension”.
Additionally, it’s difficult for anti-virus programs to identify malevolent extensions. Because they update automatically, an extension may change from being harmless to dangerous without your knowledge.
There are few opportunities for developers of these extensions to monetize extensions. As their customer base grows, maintaining and providing support proves difficult. Hence, some sell anonymized data they’ve collected to third parties, which is generally legal; however, the data may not be fully anonymized thus creating privacy issues. Developers sometimes also accept payment from hackers to include hidden nefarious code in their extensions. A recent Krebs on Security article spotlighted a company that was paying to embed its code in browser extensions for the purpose of masking the real IP address of its own customers for possibly unscrupulous purposes.
Security Best Practices to Mitigate Browser Extension Risks
While installing a browser extension on your device, take into consideration the protection of your online activity. Forego installing browser extensions unless they are essential. If you choose to install them, exercise caution:
- Limit them – only install what you need and will use.
- Install from official browser websites where they will have undergone some scrutiny.
- Verify that extensions are actively supported.
- Read the description and reviews. Be suspicious if the description has spelling or grammar errors, the extension is relatively new or not widely used, all reviews are five stars or similarly worded.
- Do not agree to update an extension if it requests more permissions than the previous version. If this occurs with an extension you trust, consider removing it.
- Never download and install an extension because a website indicates it is needed to view content.
- If an opportunity to install an extension appears and you weren’t looking for it, do not install it. Hackers can try to scam consumers via pop-ups or phishing emails.
- Disable or remove unused extensions. Visit ComputerHope.com for their guide.