Many extensions in the Chrome Web Store want to “read and change all your data on the websites you visit”. That sounds a little dangerous—and it can be—but many extensions just need that permission to do their jobs.
Chrome Has a Permission System, But Firefox and Internet Explorer Don’t
This may seem alarming, especially coming from something like Firefox. But you only see this warning because Chrome has a permission system for its extensions, while Firefox and Internet Explorer don’t. Every Firefox and Internet Explorer extension has full access to the entire browser, and can do anything it wants.
For example, when you install the Tampermonkey add-on in Firefox, you won’t see a permission warning at all. But that add-on gains access to your entire Firefox browser.
Unlike extensions for these other browsers, though, Chrome extensions must declare the permissions they need. When you install an extension, you’ll see a list of the permissions it requires and you can make an informed decision about whether to install the extension. It’s a bit like the permissions system built into Android.
To use the same example, when you install the Tampermonkey extension for Chrome, you’ll see information about the permissions the extension requires.
Very simple extensions don’t actually require any permissions. For example, the official Google Hangouts extension just provides a toolbar icon you can click to open a Google Hangouts chat window. Install it, and you won’t be warned about any special permissions it requires.
Why Extensions Need Permission to “Read and Change All Your Data”
Try to install most extensions, however, and you’ll be warned about the permissions they require. The most scary looking one is probably “Read and change all your data on the websites you visit”. This means that the extension can view every web page you visit, modify those web pages, and even send information about that over the web.
For example, Google offers a Save to Google Drive extension that allows you to right-click on any web page or link and save that page to your Google Drive. The extension requires the ability to “Read and change all your data on the websites you visit”. But it needs this permission because, when you try to save content, the extension must be able to access the current web page and view its data.
Extensions that need to interact with web pages will almost always require the “Read and change all your data on the websites you visit” permission. That’s why the Google Hangouts extension doesn’t ask for this permission: It has no features that interact with an open web page in your browser.
Click around and you’ll quickly realize that most browser extensions offer features that interact with the current web page, from password managers that need to fill passwords to dictionary extensions that need to define words. That’s why this permission is so common.
Extensions that only work on a single website may only require the ability to “Read and change your data” on a specific website. For example, the official Google Mail Checker extension requires the permission to “Read and change your data on all google.com sites”.
Sure, this level of access would let an extension capture your passwords and credit card numbers or insert additional advertisements into web pages. But Google doesn’t know whether an extension will use its permissions for good or evil. Many popular and legitimate extensions require this permission, as there’s no other way they can interact with open web pages.
But, it the permission warning makes you think twice before installing an extension you’re not sure about, that’s good. That’s why it’s there—it’s a reminder of how much access you’re providing to your personal data whenever you install a browser extension.
Some Extensions Have Even Broader Permissions
Extensions can request quite a few other permissions, too. For example, the AVG Web TuneUp extension installed as part of the AVG antivirus requires the permission to read and change all your data on the websites you visit, read and change your browsing history, change your home page, change your search settings, change your start page, manage your downloads, manage your apps, extensions, and themes, and communicate with cooperating native applications on your computer.
We don’t recommend using your antivirus’s browser extensions, and Chrome’s permissions system does a good job of showing why in this case. This extension is very invasive and requires access to almost every part of your browser. The permissions window helps warn you of the permissions you’ll be granting, so you can make an informed decision.
Even the scariest browser extension doesn’t have as much access to your computer as a desktop program would, though. Normal Windows applications have access to your keystrokes and files, including your web browsers. That’s why you shouldn’t run a desktop application you don’t trust, just as you shouldn’t install a browser extension you don’t trust.
Which Browser Extensions Should You Trust?
If you’re giving an extension access to all the websites you visit, that extension could potentially capture your online banking passwords and credit card numbers or insert ads in the pages you view. It’s just as dangerous for your web browsing data as installing a desktop program, so you should treat the decision just as carefully.
In theory, browser extensions available in the Chrome Web Store, Mozilla Add-ons website, and Windows Store are monitored by Google, Mozilla, and Microsoft, respectively. The company in charge of the store can remove an add-on from the store if it’s doing something bad.
In reality, though, browser makers don’t test every extension—or every update to a legitimate extension—to confirm it’s safe. A browser maker will often only get around to removing an extension after it’s caused problems for many people who have it installed.
If the extension requires quite a few permissions, you’ll have to evaluate it like you would a desktop program. If the extension is created by a company you trust—like the many extensions created by companies like Google, Microsoft, Twitter, Facebook—you know it’s likely safe. If the extension was created by someone you don’t know, be more careful. If the extension is established and has a large number of users, good feedback in the store, and positive reviews on other websites, that’s a good sign. If it has mixed feedback or much fewer users, that’s a bad sign.
If you’re ever in doubt, don’t install that extension. It’s best to use as few extensions as possible to keep your browser fast, anyway.
More browsers are adding permission systems, however. Microsoft Edge uses Chrome-style extensions and will warn you about the permissions the extensions require. Firefox will also move to Chrome-style extensions in the future.