The majority of extensions are not malicious, dangerous or privacy invading. Some extensions are, however as malicious actors find new ways to take advantage of certain loopholes. The last years have seen a rise of an industry that monetizes browser extensions, often in the form of collecting and selling user data.
Companies contact extension developers to either purchase successful extensions (based on users) outright, or broker a deal with the developer to include scripts used to monetize the extension or track users of it.
This seems to happen more on Chrome than on Firefox, and one of the reasons why that is the case is that Chrome extensions get updated automatically, often without the user even noticing that this is happening or happened.
So what can you do to prevent this from happening to you?
1. Check the source
The most reliable way of verifying an extension for third-party content is to check its source. This works best before it gets installed on the user system.
You can use Chrome extension source viewer for that for example (tip: it is also available for Firefox). The add-on for the browser displays a button in the main toolbar that you can click on to display the source right in the browser or download the extension as a zip file instead to analyze it locally.
You can filter by type, for instance images, so that only code is displayed right away. While that is the best option, it only works if you understand the code. If you don't, it won't do you any good unfortunately.
2. Check the reviews
This is again something that you do before you install the extension. User reviews may reveal that the extension is monetized or is behaving in shady ways.
If you see lots of low score reviews there you may want to stay away from the extension regardless of what it promises to do. The method has its flaws as it relies on user input; new extensions may not have that many comments and if an extension was purchased or compromised, there may not be comments that reveal that fact yet.
3. Check the permissions
Whenever you hit the install button on the Chrome Web Store the permissions that the extension requires are displayed first.
You may be able to use the information to determine whether an extension requests permissions that are not required for its core functionality.
If you have an extension that improves the readability on Yahoo but requests permissions to manipulate all web pages you visit, then it is something that you need to consider before you install the extension.
It may not always be as easy to determine whether the permissions requested are required for its functionality or not.
You can check Google's support page that lists and describes all extension permissions.
The most important permissions that you need to look out for are the following ones:
4. Other tips
Once you have installed an extension it may be updated at any time without you having a say in it. You can install an extension such as
Chrome Update Notifier Plus or Extensions Update Notifier to receive information whenever extensions were updated in the browser.
Another option is to disable all auto-updates in Chrome using system policies on Windows.
Now You: Have another tip on how to handle this? Feel free to share it in the comments below.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.