Whenever you sign in to your bank account, your browser extensions watch. They can see your account balances, your transactions, and your online banking password. They see everything in your browser: passwords, credit card numbers, private messages, and the websites you visit.
Extensions Have Access to Everything in Your Web Browser
Have you ever paid attention to the message you see when installing a browser extension in Chrome, for example? For most browser extensions, you’ll see a message stating that the add-on can “Read and change all your data on the websites you visit.”
This means that the browser extension has full access to all the web pages you visit. It can see which web pages you’re browsing, read their contents, and watch everything you type. It could even modify the web pages—for example, by inserting extra advertisements. If the extension is malicious, it could gather all that private data of yours—from web browsing activity and the emails you type to your passwords and financial information—and send it to a remote server on the internet.
So, when you sign in to your online banking account, your browser extensions are right there with you. They can see your password as you log in and view everything you can see on your online banking account. They could even modify the online banking page before you view it.
There’s a Permission System, but Most Extensions Get Everything
We’re oversimplifying things here, but just a little bit: Not every extension can see your online banking account. There is a permission system for browser extensions in modern web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. Some browser extensions use far fewer permissions.
For example, they may only run when you click the browser extension’s button, which means that they can’t actually watch anything on a web page until you click that button. They may only run on specific websites—for example, a browser extension that affects Gmail might only run on Google’s website and not on other websites.
However, the vast majority of browser extensions that most people use have permission to run on every website the browser loads.
In Google Chrome and Microsoft Edge, you can control an extension’s “site access” permissions and choose whether it runs automatically on all websites you open, only when you click it, or just on specific websites you list.
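As an added illustration (not code from this article or from any browser vendor), the Python sketch below sorts extensions into the access levels just described by reading the permission fields of an extension's manifest.json. The sample manifests and extension names are constructed for the example.

```python
import json
import sys

# Match patterns that cover every website (browser match-pattern syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host match pattern an extension manifest requests."""
    # Manifest V3 lists hosts in "host_permissions"; V2 mixes them into "permissions".
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    # Content scripts are injected automatically into pages that match "matches".
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted(set(patterns))

def classify(manifest):
    """Return 'all-sites', 'specific-sites', 'on-click' or 'no-page-access'."""
    patterns = host_patterns(manifest)
    if any(p in BROAD_PATTERNS for p in patterns):
        return "all-sites"        # can read and change every page you open
    if patterns:
        return "specific-sites"   # limited to the listed sites
    if "activeTab" in manifest.get("permissions", []):
        return "on-click"         # sees a page only after you click its button
    return "no-page-access"

def audit(manifests):
    """Map each extension name to its access level."""
    return {name: classify(m) for name, m in manifests.items()}

# Constructed sample manifests, trimmed to the fields that matter here.
SAMPLES = {
    "Constructed coupon finder": {"manifest_version": 3, "permissions": ["storage"],
                                  "host_permissions": ["<all_urls>"]},
    "Constructed Gmail helper": {"manifest_version": 3, "content_scripts": [
        {"matches": ["https://mail.google.com/*"], "js": ["helper.js"]}]},
    "Constructed page clipper": {"manifest_version": 3,
                                 "permissions": ["activeTab", "scripting"]},
    "Constructed MV2 ad tool": {"manifest_version": 2,
                                "permissions": ["tabs", "*://*/*"]},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # optional: path to a real manifest.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(classify(json.load(fh)), host_patterns(json.load(open(sys.argv[1]))))
    else:
        for name, level in audit(SAMPLES).items():
            print(f"{level:15} {name}")
```

The manifest shows what an extension asks for; the “site access” setting in Chrome and Edge can narrow that further for an individual extension.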
Is It a Real Risk?
What we’re saying here is that most (or all) of the browser extensions you use can see your bank account information, just as they can see everything else that you do on the web.
If a browser extension is totally trustworthy and reliable, that’s fine. The browser extension can behave responsibly and not capture any data or interfere with your banking information.
If a browser extension isn’t trustworthy and wants to abuse this access—well, it can.
This isn’t just a theoretical problem. It has happened many times before. Even if all your extensions are fine right now, we have long discussed the danger: A safe extension could transform into malware overnight. A developer might sell the extension to another company, and that company might add tracking code, keyloggers, or anything else. This sort of thing is big business. An extension could display more ads in the web pages you load and track you to better target ads, or criminals could capture your passwords, personal information, and credit card numbers.
Your browser will automatically install the update and the new, malicious version of the extension will get to work. Hopefully, your browser’s developer will notice the problem and disable the extension—for example, Google might remove it from the Chrome Web Store—but this can take some time.
And yes, some extensions have been caught capturing banking data.
Only Install Extensions from Developers You Trust
We’re not telling you that you need to uninstall every single browser extension you have. Instead, just realize the immense access you’re giving to the browser extensions you install, and act accordingly.
If you trust an extension’s developer, then by all means, install that extension. For example, if you use a password manager and already trust that organization with your passwords, feel free to install your password manager’s browser extension. (If you don’t trust that organization to install a browser extension, you definitely shouldn’t trust it to manage your passwords!)
On the other hand, if you want a nifty feature and you find an extension that offers it, but you’ve never heard of the developer and aren’t sure how much you should trust them—consider skipping the browser extension.
You might also want to limit the access that the extension has. For example, you could install an extension and configure it to only run on specific websites in Chrome or Edge, or you could use a separate browser that doesn’t have any potentially dangerous extensions installed to do your online banking.
But think about it: If you don’t trust the extension, maybe you shouldn’t be running it in the first place.
Ultimately, browser extensions have access to everything you do in your web browser. When you’re thinking about installing a browser extension, ask yourself this question: Would you install a Windows desktop application from the creator of the browser extension and let it run in the background on your computer? If not, consider skipping the browser extension, too.
Extensions may look like small programs, but they’re more powerful than they might seem. A mobile app on iPhone or Android can’t see everything you do on your phone, but a typical browser extension can see everything you do in your web browser.