Whenever you install an extension in the Chrome browser, you see a prompt that you have to confirm before the extension gets installed. This prompt highlights the rights of the extension and may include the ability to access data on specific websites, access browsing data such as tabs, browsing activity or bookmarks, or other data.
It is likely that many Chrome users who install extensions in the browser do not pay lots of attention, if any, to the prompt. This is the same behavior of many users when they install applications on the operating system. Instead of making sure that the extension does not install toolbars and other third party offers, they simply click next next next to complete the installation as fast as possible.
Research scientists at Barracuda Networks recently discovered malicious extensions in the Chrome web store that fooled more than 90,000 users of the browser. The researchers noticed that three of the six Facebook Timeline Remover extensions requested more rights than they should. Instead of just requesting access to Facebook.com properties, these extensions requested access to all websites. This does not really make sense, as Timeline profiles are only visible on Facebook and not on third party websites. In addition, users were redirected to a web page after installation that displayed a survey to them.
The two dangers here are tracking of the user through use of the extension, and leaking information to the survey company.
The creators of the extension have used Facebook to create hype for their extensions. This was done by automatically posting contents to user profiles after installation of the extension, and events on Facebook.
Chrome extension authors can request a variety of permissions for their extensions in the browser:
For end users, it is often not really clear what a permission is needed for. The Facebook Timeline extension shown on the screenshot at the top for instance requires access to bookmarks as well as windows and tabs. There is not really a reason why it should be able to access the bookmarks, but what about the browsing activity and tabs? Is that needed to manipulate the Facebook profile? It seems so, if you look at the Chrome Tabs information over at Chrome Developer. This can for instance be used to detect if a tab has been updated or changed.
You do not have options to block specific permissions in the browser, so that you either accept all if you continue with the installation, or are left with the option to block the installation if permissions are not looking right. You may find a similar extension sometimes in the store that requires less rights and use this one instead.
How are you handling Chrome extension installations?
Oh, and if you have installed one of the Facebook Timeline extensions for Chrome, now would be a good time to uninstall it.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.