You are probably familiar with browser extensions, which most of us use on a daily basis. They add a lot of useful features to browsers, but at the same time, they post threats to both privacy and security. Let’s see what’s wrong with the browser extensions and how to minimize the privacy problems.
What are browser extensions and why do we need them?
For example, extensions are used to block ads on Web pages, translate text from one language to another, or add pages to a third-party bookmark service such as a pocket.
Almost all popular browsers support extensions. You can find them for Chrome, Safari, Opera, Internet Explorer and Edge. They are widely available, and some of them are quite helpful, so many people end up using several extensions.
Examples of Browser extensions
- AdBlock – enables content filtering and ad blocking
- HTTPS – provides another layer of security by making websites that support the extension automatically connect through HTTPS
- StayFocusd – limit the amount of time the user is allowed to spend on designated websites
- Highly – allows the user to highlight webpage text and share it through social media, email, Slack or iMessage
What can go wrong with extensions?
There are three ways in which an extension can get dangerous.
- Malicious extensions
- Hijacking and buying extensions
- Not malicious but dangerous
Extensions can be downright malicious. This happens mostly extensions that come from third-party websites, as in cases with Android and Google Play and malware sneaks into official markets as well.
For example, a few years back, security researchers recently uncovered four extensions in the Google Chrome Web Store that posed as innocuous sticky notes apps but were caught generating profits for their creators by secretly clicking on pay-per-click ads.
How can an extension do something like that?
To do something, an extension needs permission. The problem is, of the browsers people commonly use, only Google Chrome prompts the user to grant these permissions. Other browsers allow extensions o do anything they want by default, and the user doesn’t have a choice but to accept it.
Even basic extensions usually require permission to “read and change all your data on the websites you visit,” which gives them the power to do virtually anything with your data. And if you don’t provide them with that permission, they won’t be installed.
Hijacking and buying extensions
Browser extensions are an interesting target for crooks because a lot of extensions have massive user bases. They are updated automatically, which means that if a user had downloaded an innocuous extension, it could be updated to become malicious. That update would be pushed to the user right away, and the user won’t notice anything at all.
Their account can be hijacked, and a malicious update can be uploaded to the official store on their behalf. That’s what happened when crooks used phishing to get the access credentials of the developers of a popular plugin called “Copyfish.” In that case, the plugin, which originally performed optical character recognition, was used by crooks to serve additional ads to users.
Extensions are usually hard to monetize, which is why developers are frequently eager to agree to buy extensions from companies that offer extensions for a rather tidy sum. After the company purchases the extension, it can update it with malicious features, and that update will be pushed to users. For example, that’s exactly what happened to Particle, a popular Chrome extension for customizing YouTube that was abandoned by its developers. A company bought it and immediately turned it into adware.
Not malicious, but dangerous
Extensions that are not malicious are also can dangerous. The danger arises since most of the extensions collect a lot of data about users (remember the permission “Read and change all your data on the website you visit”). Some developers sell anonymized data they have collected to third parties.
Sometimes that data is not anonymized enough, which leads to some serious privacy issues. The parties that purchase the data can identify the users of the plugin.
For example, this happened to Web of Trust – a once-popular plugin for Chrome, Firefox, internet explorer, Opera, Safari, and other browsers. The plugin was used to rate websites based on crowdsourced opinions. Aside from that. The extension collected the full browsing history of its users
How to use extensions safely?
It might be safer not to use the extensions which have the permission “to read and change” and other malicious ones. But that’s inconvenient.
So, here’s how you can use the extensions safely:
- Don’t install too many extensions, because they can reduce computer performance and also a potential attack vector.
- Install extensions from only official Web stores.
- Pay attention to the permissions that extensions require, and if an extension already installed on your computer requests a new permission, something is probably going on.
- Use a good security solution.
Example: Kaspersky Internet Security
The extensions can be dangerous, but some are really useful, so we probably wouldn’t want to abandon them altogether. When deciding whether or not to install an extension, always keep in mind the type of resources the extension can access and where it will send the data it collects.