Browser extensions are much more dangerous than most people realize. These small tools often have access to everything you do online, so they can capture your passwords, track your web browsing, insert advertisements into web pages you visit, and more. Popular browser extensions are often sold to shady companies or hijacked, and automatic updates can turn them into malware.
We’ve written about how your browser extensions are spying on you in the past, but this problem hasn’t improved. There’s still a constant stream of extensions going bad.
Why Browser Extensions Are So Dangerous
Browser extensions run in your web browser, and they often require the ability to read or change everything on web pages you visit.
If an extension has access to all the web pages you visit, it can do practically anything. It could function as a keylogger to capture your passwords and credit card details, insert advertisements into the pages you view, redirect your search traffic elsewhere, track everything you do online—or all these things. If an extension needs to scan your for receipts or other small things, it probably has permission to scan your email for everything—which is extremely dangerous.
That doesn’t mean that every extension is doing these things, but they can—and that should make you very, very wary.
Modern web browsers like Google Chrome and Microsoft Edge have a permission system for extensions, but many extensions require access to everything so they can work properly. Even an extension that just requires access to one website could be dangerous, however. For example, an extension that modifies Google.com in some way will require access to everything on Google.com, and therefore have access to your Google account—including your email.
These aren’t just cute, harmless little tools. They’re tiny programs with a huge level of access to your web browser, and that makes them dangerous. Even an extension that only does a minor thing to web pages you visit may require access to everything you do in your web browser.
How Safe Extensions Can Transform Into Malware
Modern web browsers like Google Chrome automatically update your installed browser extensions. If an extension requires new permissions, it will temporarily be deactivated until you allow it. But, otherwise, the new version of the extension will run with all the same permissions the previous version did. This leads to problems.
In August 2017, the very popular and widely recommended Web Developer extension for Chrome was hijacked. The developer fell for a phishing attack, and the attacker uploaded a new version of the extension that inserted more advertisements into web pages. Over a million people who trusted the developer of this popular extension ended up getting the infected extension. As this is an extension for web developers, the attack could have been a lot worse—it doesn’t appear that the infected extension functioned as a keylogger, for example.
In many other situations, someone develops an extension that gains a large amount of users, but doesn’t necessarily make any money. That developer is approached by a company that will pay a large amount of money to purchase the extension. If the developer accepts the purchase, the new company modifies the extension to insert advertisements and tracking, uploads it to the Chrome Web Store as an update, and all the existing users are now using the new company’s extension—with no warning.
This happened to Particle for YouTube, a popular extension for customizing YouTube, in July 2017. The same thing has happened to many other extensions in the past. Chrome extension developers have claimed they constantly receive offers to buy their extensions. The developers of the Honey extension with over 700,000 users once ran an “Ask Me Anything” on Reddit, detailing the kind of offers they often receive.
In addition to the hijacking and sale of extensions, it’s also possible that an extension is just bad news, and secretly tracks you when you install it in the first place.
Chrome has been under attack due to its popularity, but this problem affects all browsers. Firefox is arguably even more at risk, since it doesn’t use a permission system at all—every extension you install gets full access to everything.
How to Minimize the Risk
Here’s how to stay safe: Use as few extensions as possible. If you don’t get much use out of an extension, uninstall it. Try to pare down your list of installed extensions to just the essentials to minimize the chance one of your installed extensions goes bad.
It’s also important to only use extensions from companies you trust. For example, an extension for customizing YouTube created by a random person you’ve never heard of is a prime candidate for becoming malware. However, the official Gmail Notifier created by Google, OneNote note taking extension created by Microsoft, or LastPass password manager extension created by LastPass will almost certainly not be sold to a shady company for a few thousand bucks.
You should also pay attention to the permissions extensions require, when possible. For example, an extension that only claims to modify one website should only have access to that website. However, many extensions need access to everything, or access to a very sensitive website you want to keep secure (like your email). Permissions are a nice idea, but they’re not too useful when most things need access to everything.
It’s a fine line to walk, of course. In the past, we might have said that the Web Developer extension was safe because it was legitimate. However, the developer fell for a phishing attack and the extension became malicious. It’s a good reminder that, even if you could trust someone not to sell their extension to a shady company, you’re relying on that person for your security. If that person slips up and allows their account to be hijacked, you’ll end up dealing with the consequences—and they could be a lot worse than what happened with the Web Developer extension.