As Always, Be *Extremely* Cautious About Installing Browser Extensions

Browser extensions are fraught with danger — which is why I rarely use them — especially those extensions that request your permission to:

• Access your data for all websites
• Access browser tabs
• Access recently closed tabs
• Read and modify bookmarks
• Download files and read and modify the browser’s download history
• Input data to the clipboard
• Display notifications to you
• Read and modify browser settings.

I mean…seriously!?! There is not a snowballs-chance-in-Hell that I would ever give permission to a browser extension to rummage around in my browser and change things, possibly add malware code in to my computer or device’s memory (i.e., the clipboard), as well as essentially look over my shoulder while I use that browser!

Brian Krebs

As you may have already guessed, I’ve been wary of browser extensions for a long time. I wrote about how dangerous browser extensions are back in 2011: Why We Need a Google Condom for Chrome Extensions and again in 2017: Why Browser Extensions Are Dangerous but there are an increasing number of security experts now recommending caution on your use of browser extensions. One such expert is the cyber investigator Brian Krebs who writes the excellent Krebs on Security blog. His latest post was just published on March 3, 2020 and gives great advice and reasoning behind limiting the browser extensions you install: The Case for Limiting Your Browser Extensions.

Add to that my specific intention to limit (or completely stop) tracking as best I can — which is why I’ve moved from Google’s Chrome to Firefox as my default browser — is why I am not just concerned about malware and rogue extensions, I’m more concerned about third-party trackers and the companies that enable them to flourish to our detriment.

A CRACKDOWN ON EXTENSIONS

Fortunately there is a move by major browser companies (i.e., Google with Chrome and Mozilla with Firefox) to crack down on rogue and dangerous extensions. Ars Technica had this article published January 30, 2020: More than 200 browser extensions ejected from Firefox and Chrome stores:

The crackdowns highlight a problem that has existed for years with extensions available from both Mozilla and Google. While the vast majority are safe, a small but statistically significant sample engage in click fraud, steal user credentials and install currency miners, and spy on end users—in at least one case, millions of users, some of whom were inside large companies and other data-sensitive networks.

WHAT IF THE EXTENSION IS FROM A TRUSTED COMPANY?

Even trusted companies can give you a useful browser extension but you need to decide if you’re willing to make tracking you easier. For example, there is a long-time webpage capture browser extension which boasts “millions of users” and comes from a trusted company, Nimbus Web. Though I routinely need to capture long web pages, I would never install their extension and instead I capture page sections manually. Why wouldn’t I just install Nimbus Web’s extension? Because of the following from their privacy policy which allows them to collect and use our user data from the installed extension, combine it or leverage aggregator’s data, and facilitate advertising to us:

“When you use the Websites or Products, we automatically gather information made available by your web browser (such as Microsoft Edge or Google Chrome), Internet service provider (such as Comcast or Time Warner), and device (such as your computer, phone, or tablet), depending on your settings for each. For example, we may collect your IP address, information about the operating system or type of device you use, the date and time you access the Websites or Products, and the location of your device.

Generally, the information addressed under this section is anonymous and does not, standing alone, directly identify you; however, it could possibly identify you when associated with other information. For example, if a third party were to see your IP address, they would not automatically know your name—yet your name could be associated with your IP address by your Internet service provider if you are the named accountholder.“

You could argue that the above is boilerplate and all organizations do some form of this type of data aggregation. But when that data is has specific intents like the following, it shows how they intend to use your data AND allow it to be shared by third parties:

“To Advertise to You. We also use Cookies and web beacons, including those placed by Third Parties, to deliver advertising that may be of interest to you. For example, we use the Facebook web beacon to better target and retarget users and potential users of the Websites by advertising to them on Facebook. Twitter, Google Analytics, Google Adwords, and other Third Party Cookies may also be used in our advertising endeavors. We may also use a web beacon in email messages sent to track your response. Cookies and web beacons also help us and our Third-Party advertising partners ensure you do not see the same advertisements over and over and to identify and block unwanted ads.”

“What about Third Party practices? 

Third Party Cookies and Web Beacons: Advertising agencies, advertising networks, and other companies (together, “Third Parties”) who place advertisements on the Websites and on the Internet generally may use their own cookies, web beacons, and other technology to collect information about individuals. Except as expressly provided herein, we do not control Third Parties’ use of such technology and we have no responsibility for the use of such technology to gather information about individuals. It is up to you to familiarize yourself with the privacy practices of such Third Parties.”

Remember this quote when something like this useful extension is free, “You are not the customer. You are the product.”

WHAT EXTENSIONS CAN YOU SAFELY INSTALL?

In my main browser Firefox, I have only one extension installed: the Electronic Frontier Foundation’s (EFF) Privacy Badger. EFF describes Privacy Badger as:

“…a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it’s like you suddenly disappeared.“

Though Firefox’s new privacy and anti-tracking capabilities are excellent, Privacy Badger completes the capability I seek to make tracking and surveillance even harder for the hundreds of third-party trackers out there. Firefox’s creation organization, Mozilla, also has a rigorous vetting process for extensions and has a short list of verified extensions that do not violate their Recommended Extensions program guidelines.

Here is the best article from Mozilla that I’ve seen yet on how to determine whether or not a browser extension is worthy of (and safe to) install. but if you already know these tips (or have read Brian Krebs’ article above), at least pay attention to wise advice like this from Dan Goodin, the writer of the previously linked-to article from Ars Technica:

“There’s no sure-fire way to know if an extension is safe. One general rule is that there’s safety in numbers. An app with millions of installs is likely to receive more scrutiny from researchers than one with only a few thousand. Another guideline: apps from known developers are less likely to engage in malicious or abusive behavior. The best rule is to install extensions only when they truly provide value. Installed extensions that are used rarely or not at all should always be removed.”