Browser extensions: Why they are a security nightmare and how to protect yourself

Browser extensions often have access to all your online activities and fraudsters keep trying to exploit this fact. Therefore, you should carefully consider whether and which add-ons you use.

Björn GreifEditor

Browser extensions are useful, but they can also involve dangers – often bigger ones than users may suspect. The little programs are often able to monitor everything you do online. For example, assuming they have the appropriate permissions, they can access personal information, log your website visits, capture your passwords, record all your keystrokes, insert ads into websites you visit, or misuse your computer’s processing power for cryptocurrency mining.

Malicious extensions in official stores

Even if you install extensions only from official sources like the Chrome Web Store or the Firefox Add-ons Store, it’s not guaranteed that they are safe. For example, despite allegedly strict security checks, Google is regularly forced to remove malicious extensions from its store.

In April, AdGuard discovered several fake adblockers in the Chrome Web Store that added computers to a botnet. In May, Radware reported that several Chrome extensions copied passwords, committed click fraud or mined cryptocurrencies without user’s knowledge. And in early June, Kaspersky warned of a data-thieving extension spread across the Chrome Web Store that was targeting users’ bank data. In the end, fraudsters repeatedly succeed in abusing official stores as a distribution platform for their malware.

Fake adblockers discovered by AdGuard in the Chrome Web Store (Source: AdGuard).
Fake adblockers discovered by AdGuard in the Chrome Web Store (Source: AdGuard).

How harmless extensions can transform into malware

Besides extensions that don’t do any good right from the start, there are also harmless add-ons that suddenly become malicious due to various reasons. On the one hand, developers can lose control over their software, for example, if they fall for a phishing attack. This happened last year to the developers of the Web Developer and the Copyfish extensions. Fraudsters “hijacked” the Chrome add-ons and modified them to insert ads into web pages their users viewed.

On the other hand, developers of popular browser extensions regularly receive purchase offers from shady companies. The developers of the Chrome extension Honey report on Reddit that they got corresponding offers from malware, adware, and data collection companies, all of which they rejected. But not every developer resists the temptation of money: About a year ago, for example, the Chrome add-on Particle (formerly YouTube+) changed hands, and the new owner immediately turned the extension into adware. Another example is the Stylish extension, which was updated after several owner changes to include tracking capabilities for logging the browsing history of its users.

What makes browser extensions so dangerous?

Most extensions require extensive permissions during the first installation, for example, to read and change your data on websites you visit – regardless of whether or not this is necessary for their smooth operation. If you have granted such a permission to an extension, it can theoretically do all of the bad things mentioned above without you noticing.

Therefore, you should be aware of one thing: browser extensions are not just harmless little tools, but programs with a huge level of access to your browser or even your entire computer. That’s why they are so dangerous!

How to minimize the risks associated with extensions

In general, you should keep the list of installed extensions as short as possible. If an add-on is not indispensable or you don’t trust the developer, uninstall it. Furthermore, always pay attention to the requested permissions and, in case of doubt, rather do without a specific add-on. This minimizes the risk that one of your installed extensions may cause trouble.

Users of the Cliqz Browser do not have to worry about the add-on problem. In order to protect them in the best possible way, we only allow extensions for installation in our browser which we have thoroughly checked ourselves. Currently we support HTTPS Everywhere (pre-integrated), Ghostery and the password managers LastPass and Bitwarden.

The Cliqz Browser supports only audited extensions like LastPass, Bitwarden or Ghostery.
The Cliqz Browser supports only audited extensions like LastPass, Bitwarden or Ghostery.

With anti-tracking, ad-blocking and a video downloader Cliqz offers many built-in features that are only available as extensions for other browsers. We are also constantly working towards new solutions to make the most popular add-on features available in the Cliqz Browser in a secure way.