Browser extensions are pieces of code that run inside your web browser. They can be used to do malicious things such as displaying ads, tracking your browsing, and capturing your passwords and private data. Even an extension that is safe today could be updated automatically and become malware.
Chrome highlights this with its permissions request dialogs when you install extensions, but this is a problem for all browsers. All Firefox add-ons have the access they need to cause trouble.
The Problem With Browser Extensions
When you install a browser extension from a website like the Chrome Web Store or Mozilla Add-ons, you’re installing a piece of code that runs inside your web browser.
Chrome tries to warn you about this with a permissions system, but even small, simple add-ons often need a lot of permissions. For example, if an add-on wants permission to modify web pages in a tiny way, it needs the ability to “access your data on all websites.” This is because the add-on runs by injecting code into the web pages you visit.
There’s no getting around these problems. The ability to capture passwords is essential so extensions like LastPass can function, for example. Without the ability to transform web pages, many extensions couldn’t work at all — but this access to web pages allows them to insert ads and tracking scripts, too.
Mozilla Firefox and other web browsers won’t necessarily warn you that an add-on has access to everything you visit on the web, but add-ons you install in these browsers do have that access. Every add-on you install in Firefox runs as part of the browser and can do nasty things, if it chooses to.
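To make the "access your data on all websites" warning concrete, here is an added example (not code from the original article) that reads an extension manifest and reports the grants behind that warning. Manifest V2 lists host patterns under "permissions", Manifest V3 lists them under "host_permissions", and content scripts declare their own "matches"; any of these covering all URLs means the extension can read and modify every page you visit. The two sample manifests and the list of sensitive API permissions are constructed for this example.

```javascript
// Added example (not code from the original article): a small check that reads
// an extension manifest and reports the grants that let it read or modify page
// content on every site. Manifest V2 lists host patterns in "permissions",
// Manifest V3 lists them in "host_permissions", and content scripts declare
// their own "matches". Any of these covering all URLs is the "access your data
// on all websites" warning the article describes.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that expose browsing data even without a host pattern
// (assumed list for this example; extend it to taste).
const SENSITIVE_API_PERMISSIONS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history", "clipboardRead", "debugger",
]);

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];
  const hostPatterns = [...permissions.filter(isHostPattern), ...(manifest.host_permissions || [])];

  for (const p of hostPatterns) {
    if (BROAD_HOST_PATTERNS.has(p)) findings.push(`host permission ${p}: can read and modify every site`);
  }
  for (const p of permissions) {
    if (SENSITIVE_API_PERMISSIONS.has(p)) findings.push(`API permission ${p}: exposes browsing data`);
  }
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD_HOST_PATTERNS.has(m));
    if (broad.length > 0) {
      findings.push(`content script ${(cs.js || []).join(", ")} injected into every page (${broad.join(", ")})`);
    }
  }
  return findings;
}

// Constructed sample manifests for two versions of the same "share this page" button.
// The first works the way the article describes: it injects a script everywhere.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "Share This Page (constructed sample)",
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// The second asks only for the active tab when clicked and for one specific host.
const NARROW_MANIFEST = {
  manifest_version: 3,
  name: "Share This Page (constructed sample, narrowed)",
  permissions: ["activeTab"],
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["inject.js"] }],
};

// Usage: paste the contents of an extension's manifest.json in place of the sample.
console.log(auditManifest(BROAD_MANIFEST));   // three findings
console.log(auditManifest(NARROW_MANIFEST));  // []
```

The check only flags patterns that literally cover every site; a pattern such as "*://*.example.com/*" passes, and "activeTab" still lets the extension read whatever page you click it on, so a clean report means "narrow by design", not "harmless".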
Safe Add-ons Can Transform Into Malware
Many add-ons aren’t produced by big companies. They’re often small tools an individual person makes to scratch their own itch and releases to the public. These add-ons may be perfectly safe when you install them.
However, there are companies that offer to purchase add-ons from their creators for a few thousand dollars. This can be tempting to a person who isn’t making any income from the add-on and may not even care about it anymore. The company then takes control of the add-on and modifies it to add tracking scripts, advertisements, and whatever else they like. Your web browser automatically updates the add-on to the latest version, and the add-on starts abusing its access to your browser. If an extension has already asked for these permissions before, it won’t need to ask for any new permissions after such an update.
We covered a variety of Chrome extensions that were purchased and altered to insert additional advertisements into web pages. Some of these malicious extensions are still on the Chrome Web Store today. If a more malicious company acquired the extensions, they could have altered them to capture passwords from online banking websites and credit card numbers from online shopping sites.
Reducing the Risk
Installing a browser extension is similar to installing an application on your computer. You should evaluate how trustworthy the extension is just as you would if you were installing a program. Of course, these extensions can automatically update and be sold to less trustworthy owners, so an extension could turn bad even if it’s fine now.
Official extensions made by companies associated with a service should have less risk. In other words, Google’s extensions are probably safer than extensions made by someone you’ve never heard of. For another example, let’s say you use Pocket and want an extension that can add web pages to Pocket in one click. You should install the official Pocket extension rather than a third-party one.
You may also want to consider using bookmarklets instead of add-ons. For example, two of the Chrome extensions discovered to contain malware were “Add to Feedly” and “Tweet This Page” buttons. You don’t need a full extension for this — you could easily use bookmarklets to get this functionality by clicking a button on your browser’s bookmarks bar. Bookmarklets are made of a tiny bit of code you can inspect, they can’t automatically update, and they’ll only run on a page when you click the bookmarklet to load it.
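As an added example (not code from the original article), here is the “Tweet This Page” button written as a bookmarklet. The entire program is the bookmark’s URL, so you can read all of it, it never updates itself, and it runs only on the page you are viewing when you click it. The twitter.com/intent/tweet share endpoint is assumed for this example, and inspectBookmarklet is a helper added here to decode a bookmarklet someone gives you before you save it.

```javascript
// Added example (not code from the original article): the "Tweet This Page"
// button as a bookmarklet. The whole program lives in the bookmark's URL, so it
// can be read in full, cannot update itself, and only runs when clicked.

// The code that runs when the bookmarklet is clicked. It reads only the current
// page's URL and title and opens the (assumed) Twitter tweet intent page.
function tweetThisPage() {
  var u = encodeURIComponent(location.href);
  var t = encodeURIComponent(document.title);
  window.open("https://twitter.com/intent/tweet?url=" + u + "&text=" + t, "_blank");
}

// Turn a function into a javascript: URL that can be saved as a bookmark.
// The source is percent-encoded so the browser stores it as a single URL.
function makeBookmarklet(fn) {
  return "javascript:" + encodeURIComponent("(" + fn.toString() + ")();");
}

// Reverse step: decode a bookmarklet back into readable source so you can see
// exactly what a bookmarklet does before adding it to your bookmarks bar.
function inspectBookmarklet(url) {
  if (!url.startsWith("javascript:")) throw new Error("not a bookmarklet URL");
  return decodeURIComponent(url.slice("javascript:".length));
}

// Usage: paste the printed URL as the "URL" field of a new bookmark.
console.log(makeBookmarklet(tweetThisPage));
```

Before saving a bookmarklet from a third party, run it through inspectBookmarklet and read the result; if it is long, obfuscated, or loads a remote script, it has the same auto-update problem as an extension because the remote file can change at any time.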
Pay attention to the number of installs and reviews an extension has received. An extension with very few users, few reviews, or negative reviews is something you should probably avoid. On the other hand, an extension with a large number of users, positive reviews, and good word of mouth is safer.
This doesn’t always work, unfortunately. The Hover Zoom extension for Chrome contains nasty code, but it has a 4-star rating and over a million users. It has many positive written reviews that seem unaware of the problems with it, although you’ll find the reports of malware if you skim through the reviews.
One thing’s for sure: You should exercise caution with the browser extensions you install. If you have 30 extensions installed and never use many of them, you should get rid of as many as possible. Each extension you install increases the odds you’ll have some trouble later. That doesn’t mean you shouldn’t install extensions if they’re useful to you, but keep the risks in mind when you do.
Extensions can also slow down your web browsing, so using a minimal collection of add-ons will also help speed up your browser.