Not All Browser Extensions Are Safe

Be careful what you install on your browser.
May 27, 2025
meritsolutions

If you find your internet browser is missing a feature you want, you can install an extension to add it. You might want an intelligent proofreader like Grammarly in Google Chrome, for example. If so, you can simply download and install it from the Chrome Web Store.

However, not all extensions are what they claim to be. While you would think Google would thoroughly vet an extension before it was allowed to be hosted on its web store, there are far too many malicious programs purporting to be legitimate, just waiting for someone to install them to their browser.

This has been a problem for some time: Every now and then, you hear about a number of users affected by a malicious Chrome extension, or a formerly legitimate extension that was bought and turned into a malicious program without anyone’s knowledge. However, it’s not often we get a glimpse at the full scope of the problem.

Last year, researchers discovered that, over a three-year period, there were more than 280 million installations of extensions on Chrome that contained malware. They found an additional 63 million installs of extensions that violated Google’s policies, and another three million that contained “vulnerable code,” raising the total number of compromised installations to over 346 million.

These researchers discovered that malicious extensions tend to ask for more permissions than normal extensions, which makes sense: Malicious extensions want access to your device and its data, so requesting as many permissions as possible (especially permissions that don’t make sense for the extension’s purported function) is part of the plan.

They also found that these extensions were typically not caught quickly. You might hope that any time a malicious extension started engaging in shady behavior, Google would shut it down right away. However, researchers discovered that malicious extensions stayed on the web store for an average of 380 days at a time. That means the average extension containing malware can hang out on the web store for over a year, infecting the computers of unsuspecting users, before Google finally puts a stop to it.

These reports continue to be published. In late December, researchers found more than 30 malicious Chrome extensions on the Chrome Web Store—of those, 20 used malicious code to steal credentials. This month, researchers found even more.

For Google’s part, the company admits that extensions, like all software, are a target for malware and bad actors, and that there’s no way to prevent it entirely. That said, the company points to built-in safety checks users can take advantage of to protect themselves: When reviewing an extension, be on the lookout for a safety check panel, which will tell you if that extension potentially carries malware. If there’s no safety panel, Google thinks the extension is totally safe.

Besides this, you should be vigilant with your extensions, no matter which browser you use: Carefully review the entire extensions page and be sure everything looks legit. Don’t let an extension have more permissions than absolutely necessary. Finally, make sure to remove extensions from your browser you don’t use anymore, as bad actors sometimes acquire existing extensions to take advantage of the established user base.
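One way to put the permission advice above into practice, as an added example that is not part of the original post: a small script that reads an extension’s manifest.json (the file every Chrome extension ships with) and flags permissions that reach across the user’s browsing data or every site they visit. The risk lists are this example’s own judgment, not a list published by Google, and the sample manifest is constructed.

```python
import json

# Added example (not from the original article): audit a Chrome extension's
# manifest.json for permissions that reach beyond what a narrow-purpose
# extension should need. The risk lists below are this example's own judgment.

# API permissions that expose browsing activity, credentials or other sites.
HIGH_RISK_PERMISSIONS = {
    "tabs", "history", "cookies", "webRequest", "webRequestBlocking",
    "webNavigation", "clipboardRead", "management", "nativeMessaging",
    "debugger", "proxy", "scripting", "declarativeNetRequest",
}

# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the high-risk permissions and broad host patterns a manifest requests.

    Manifest V3 lists host patterns under "host_permissions"; Manifest V2 mixed
    them into "permissions", so both locations are checked.
    """
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    return {"risky_permissions": risky, "broad_hosts": broad,
            "flagged": bool(risky or broad)}


def audit_manifest_json(text: str) -> dict:
    """Convenience wrapper for the raw body of a manifest.json file."""
    return audit_manifest(json.loads(text))


# Constructed sample: a "proofreader" that asks for far more than spell-checking
# needs. Such a tool would typically need only the active tab and local storage.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Proofreader (constructed sample)",
    "permissions": ["storage", "activeTab", "tabs", "cookies", "history"],
    "host_permissions": ["<all_urls>"],
})

if __name__ == "__main__":
    for key, value in audit_manifest_json(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A flagged result is not proof of malice, only a prompt to ask whether the extension’s stated purpose justifies each listed permission before installing it.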
