Why you should be careful with browser extensions

Browser extensions are handy, but they can also be really dangerous. Here’s what can go wrong and what you can do about it.

You are probably familiar with browser extensions, which most of us use on a daily basis. They add a lot of useful features to browsers, but at the same time, they pose threats to both privacy and security. Let’s discuss what’s wrong with browser extensions and how you can minimize the chances of one of them running amok on you. But first let’s go through what exactly a browser extension is.

What are browser extensions, and why do you need them?

A browser extension is something like a plugin for your browser that adds certain functions and features to it. Extensions can modify the user interface or add some Web service functionality to your browser.

For example, extensions are used to block ads on Web pages, translate text from one language to another, or add pages to a third-party bookmark service such as Evernote or Pocket. Extensions are plenty — there’re hundreds or even thousands of them, for productivity, customization, shopping, games, and more.

Almost all popular browsers support extensions — you can find them for Chrome and Chromium, Safari, Opera, Internet Explorer, and Edge. They are widely available and some of them are quite helpful, so a lot of people end up using at least several extensions, and sometimes their number on one PC extends to several dozen. But, as we’ve mentioned, extensions can be both convenient and dangerous.

What can go wrong with extensions

Malicious extensions

First of all, extensions can be downright malicious. That happens mostly with extensions that come from third-party websites, but sometimes — as in cases with Android and Google Play — malware sneaks into official markets as well.

For example, security researchers recently uncovered four extensions in the Google Chrome Web Store that posed as innocuous sticky notes apps but in fact were caught generating profits for their creators by secretly clicking on pay-per-click ads.

How can an extension can do something like that? Well, to do something, an extension requires permissions. Problem is, of the browsers people commonly use, only Google Chrome prompts the user to grant these permissions (or not); other browsers allow extensions to do anything they want by default, and the user doesn’t have a choice but to accept it.

However, even in Chrome that permissions management exists only in theory — in practice, it doesn’t work. Even basic extensions usually require permission to “read and change all your data on the websites you visit,” which gives them the power to do virtually anything with your data. And if you don’t give them that permission, they won’t be installed.

We stumbled upon another example of malicious extensions earlier — they’ve been used by crooks to spread malware in Facebook Messenger. Here’s a post about that.

Bulk messaging malware in Facebook Messenger

Hijacking and buying extensions

Browser extensions are an interesting target for crooks, because a lot of extensions have massive user bases. And they are updated automatically, which means that if a user had downloaded an innocuous extension, it can be updated to become malicious; that update would be pushed to the user right away — and the user won’t notice anything at all.

A good developer won’t do such a thing, but their account can be hijacked and a malicious update can be uploaded to the official store on their behalf. That’s what happened when crooks used phishing to get the access credentials of the developers of a popular plugin called Copyfish. In that case, the plugin, which originally performed optical character recognition, was used by crooks to serve additional ads to users.

Sometimes, developers are approached by companies that offer to buy their extensions for a rather tidy sum. Extensions are usually hard to monetize, which is why developers are frequently eager to agree to such deals. After the company purchases the extension, it can update it with malicious features, and that update will be pushed to users. For example, that’s exactly what happened to Particle, a popular Chrome extension for customizing YouTube that was abandoned by its developers. A company bought it and immediately turned it into adware.

Not malicious, but dangerous

Even extensions that are not malicious can be dangerous. The danger arises because most extensions have the ability to collect a lot of data about users (remember that “read and change all your data on the websites you visit” permission). To earn their daily bread, some developers sell anonymized data they’ve collected to third parties. That’s usually mentioned in the extension’s EULA, and generally it’s OK.

The problem is that sometimes that data is not anonymized enough, which leads to some serious privacy issues: The parties that purchase the data can identify the users of the plugin. That happened to Web of Trust — a once-popular plugin for Chrome, Firefox, Internet Explorer, Opera, Safari, and other browsers. The plugin was used to rate websites based on crowdsourced opinion. Aside from that, the extension collected the full browsing history of its users.

A German website claimed that Web of Trust was selling the data it collected to third parties without properly anonymizing it, which resulted in Mozilla’s pulling the extension from its store. The creators of the extension then removed it from all of the other browsers’ stores. However, a month later the extension was back in stores. Web of Trust is not a malicious extension, but it can harm people nonetheless by exposing their data to someone who is not supposed to see what websites users visit and what they do there.

How to use extensions safely

Despite the fact that extensions can be dangerous, some of them are really useful, and that’s why you probably wouldn’t want to abandon them completely. I continue to use about a half-dozen of them, and I know for sure that two of them have the aforementioned permission “to read and change.”

It might be safer not to use them at all, but that’s inconvenient, so we need a way to use extensions more or less safely. Here’s how:

  • Don’t install too many extensions. Not only do they affect computer performance, but they are also a potential attack vector, so narrow their number to just a few of the most useful.
  • Install extensions only from official Web stores. There, they undergo at least some scrutiny, with security specialists filtering out those that are malicious from head to toe.
  • Pay attention to the permissions that extensions require. If an extension already installed on your computer requests a new permission, that should immediately raise flags; something is probably going on. That extension might’ve been hijacked or sold. And before installing any extension, it’s always a good idea to look at the permissions it requires and think about whether they match the functionality of the app. If you can’t find a logical explanation for the permissions, it’s probably better not to install that extension.
  • Use a good security solution. Kaspersky Internet Security can detect and neutralize malicious code in browser extensions. Our antivirus solutions use a vast database of malicious extensions that is frequently updated — and we discover new malicious Chrome extensions almost every day.
Tips