It’s also important to only use extensions from companies you trust. Try to pare down your list of installed extensions to just the essentials to minimize the chance one of your installed extensions goes bad. If you don’t get much use out of an extension, uninstall it.
Here’s how to stay safe: Use as few extensions as possible.
(Update: This statement was true when we wrote the article back in 2017, but Firefox does now have a permission system like Chrome.)
How to Minimize the Risk
Firefox is arguably even more at risk, since it doesn’t use a permission system at all: every extension you install gets full access to everything. In addition to the hijacking and sale of extensions, it’s also possible that an extension is just bad news, and secretly tracks you when you install it in the first place. Chrome has been under attack due to its popularity, but this problem affects all browsers. The developers of the Honey extension with over 700,000 users once ran an “Ask Me Anything” on Reddit, detailing the kind of offers they often receive.
Chrome extension developers have claimed they constantly receive offers to buy their extensions. The same thing has happened to many other extensions in the past. This happened to Particle for YouTube, a popular extension for customizing YouTube, in July 2017. If the developer accepts the purchase, the new company modifies the extension to insert advertisements and tracking, uploads it to the Chrome Web Store as an update, and all the existing users are now using the new company’s extension, with no warning.
That developer is approached by a company that will pay a large amount of money to purchase the extension. In many other situations, someone develops an extension that gains a large number of users, but doesn’t necessarily make any money. As this is an extension for web developers, the attack could have been a lot worse; it doesn’t appear that the infected extension functioned as a keylogger, for example. Over a million people who trusted the developer of this popular extension ended up getting the infected extension. The developer fell for a phishing attack, and the attacker uploaded a new version of the extension that inserted more advertisements into web pages. In August 2017, the very popular and widely recommended Web Developer extension for Chrome was hijacked. But, otherwise, the new version of the extension will run with all the same permissions the previous version did. If an extension requires new permissions, it will temporarily be deactivated until you allow it.
Modern web browsers like Google Chrome automatically update your installed browser extensions.
How Safe Extensions Can Transform Into Malware
Even an extension that only does a minor thing to web pages you visit may require access to everything you do in your web browser. They’re tiny programs with a huge level of access to your web browser, and that makes them dangerous. These aren’t just cute, harmless little tools. For example, an extension that modifies in some way will require access to everything on, and therefore have access to your Google account, including your email. Even an extension that just requires access to one website could be dangerous, however. Modern web browsers like Google Chrome and Microsoft Edge have a permission system for extensions, but many extensions require access to everything so they can work properly. That doesn’t mean that every extension is doing these things, but they can, and that should make you very, very wary. If an extension needs to scan your email for receipts or other small things, it probably has permission to scan your email for everything, which is extremely dangerous. It could function as a keylogger to capture your passwords and credit card details, insert advertisements into the pages you view, redirect your search traffic elsewhere, track everything you do online, or all these things. If an extension has access to all the web pages you visit, it can do practically anything.
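
As an added example (not from the original article), this Python sketch shows what "access to everything" looks like in an extension's manifest.json: it classifies each manifest by whether its host match patterns cover all sites. The sample manifests are constructed, and the folder passed to `audit` is assumed to hold unpacked extensions (for instance a browser profile's extensions directory).

```python
import json
import sys
from pathlib import Path

# Match patterns that cover every site (Chrome/Firefox manifest syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host match pattern the extension can act on."""
    patterns = set(manifest.get("host_permissions", []))  # Manifest V3
    for perm in manifest.get("permissions", []):  # Manifest V2 mixes hosts in here
        if isinstance(perm, str) and ("://" in perm or perm == "<all_urls>"):
            patterns.add(perm)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns

def classify(manifest):
    """Return 'all-sites', 'site-limited' or 'no-host-access'."""
    patterns = host_patterns(manifest)
    if patterns & ALL_SITES:
        return "all-sites"
    # A site-limited extension still reads everything on the sites it names.
    return "site-limited" if patterns else "no-host-access"

def audit(extensions_dir):
    """Classify every manifest.json found under extensions_dir."""
    results = {}
    for path in sorted(Path(extensions_dir).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            results[str(path)] = classify(manifest)
        except (OSError, ValueError, AttributeError):
            results[str(path)] = "unreadable"
    return results

# Constructed sample manifests (hypothetical extensions, not real ones).
SAMPLES = {
    "coupon-finder": {"manifest_version": 3, "permissions": ["storage"],
                      "host_permissions": ["<all_urls>"]},
    "video-tweaks": {"manifest_version": 2,
                     "permissions": ["tabs", "https://video.example/*"]},
    "color-theme": {"manifest_version": 3, "permissions": ["storage"]},
}

if __name__ == "__main__":
    report = (audit(sys.argv[1]) if len(sys.argv) > 1
              else {name: classify(m) for name, m in SAMPLES.items()})
    for name, verdict in report.items():
        print(f"{verdict:15} {name}")
```

Extensions reported as `all-sites` that you rarely use are the first candidates for removal.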