The murky cybersecurity threat of browser extensions

• Extensions often have access to everything we do online, capturing passwords, tracking web browsing, insert advertisements into web pages we visit, and more.
• Browser add-ons for Chrome, Firefox, and probably other browsers are tracking every single page you visit and sending that data back to a third-party company that pays them for your information.

Anyone who uses web browsers like Chrome, Safari, Edge or Firefox probably has at least one extension installed. Whether it’s an adblocker or a download manager, extensions are meant to be helpful tools. The little-recognized truth, however, is browser extensions can actually be more threatening and dangerous than most users realize.

As most of us are aware, cybercriminals are always looking for new ways to get their malicious code onto your devices, and circulating them through web browser extensions are among the most common method to do so. If you think for a moment about how much of your workday is spent within a browser window, you can imagine how much of what you do could be tracked, snooped, breached, stolen and/or damaged by browser extension malware.

Why are browser extensions so dangerous?

One thing is certain; the internet accessed via a commercial web browser is not a private place. Ads try to learn as much about us to sell our information to the highest bidder. Emails register when we open them and which links we click and some of the biggest internet snoops include the likes of Facebook and Amazon, with cookies that follow us from site to site as we browse the web. They help advertisers target ads and measure the effectiveness of their marketing campaigns. They’ve become one of the central technologies underpinning the business model of publishing on the web.

As the name implies, browser extensions run in the web browser, and they often require the ability to read or change everything on web pages we visit. Whether the data collected are sold or hijacked by sketchy companies, popular browser extensions can be easily transformed into malware because of automatic updates.

Although modern web browsers like Google Chrome and Microsoft Edge have a permission system for extensions, many extensions require access to everything so they can work properly. Even an extension that just requires access to one website could be dangerous, however. In August 2017, the very popular and widely recommended Web Developer extension for Chrome was hijacked. The developer fell for a phishing attack, and the attacker uploaded a new version of the extension that inserted more advertisements into web pages. Over a million people trusted the developer of this popular extension and ended up with the infected extension. As this is an extension for web developers, the attack could have been a lot worse — it doesn’t appear that the infected extension functioned as a keylogger that tracked keyboard strokes, for example.

Google’s Chrome has been under frequent attack due to its popularity after cornering over 64% of the market, but this problem affects all browsers. Firefox was arguably even more at risk, since it doesn’t use a permission system at all — every extension installed gets full access to everything. Only recently Firefox has made available a permission system like Chrome.

How to minimize the risk

For starters, use the least amount of extensions possible. If you have an extension installed that you barely use, or does not perform as well as you thought, uninstall it. Stick with only the extensions you know that you need and actually work. It’s also crucial that you install extensions from names and brands that you can trust. Specifically, from credible web stores hosted by one of the big four browsers.

Users should also be paying closer attention to the permissions that some extensions require as well. Go with your instincts. If an extension asks for permission to access something that it shouldn’t need access to, you may want to dig deeper and find it’s true motives. When in doubt, walk away.