How to tell if a browser extension may be up to no good

There’s an adage that has developed in the digital age which states that if an online service is free, chances are, you are the product. While there is some debate as to how true this is, one would be forgiven for assuming it is based on ad revenues from the tech giants that offer free search, social networks, and video platforms.

It’s already quite well known within the tech industry that many free browser extensions inject advertising into the browsing experience in exchange for practical browser enhancements. We also now know, as of last month, that there is at least one extension that was hacked to turn end-user devices into crypto-mining terminals. If this makes you feel somewhat uncomfortable, it probably should.

How can you tell if a browser extension is more trouble than it’s worth? We have a few tips to share.

TIP #1: Read the Terms of Service, or Privacy Policy

When was the last time you read the terms of use of the free software you are using on your desktop or mobile device? According to a study conducted last year at Michigan State University, 74% of people ignored the privacy policy of a fake social network. By agreeing to the privacy policy without reading it, users unknowingly agreed to “immediately assign their first-born children to Namedrop, Inc.”

The biggest lie on the internet — “I have read and agree to the Terms of Service”

Before downloading an extension, scroll to the “Additional Information” section of the extension overview to see if there is a Privacy Policy. Clicking on the Privacy Policy link will allow you to read about your the extension manages your privacy.

The Developer Privacy Policy is normally found in the bottom right-hand area of extensions in the Chrome Store

Generally speaking, extensions that are not looking to sell your data to third-parties will be quite explicit about it.

Now compare the succinct statement above to an excerpt from a different extension’s Privacy Policy (color and emphasis included for demonstration):

Having read both Privacy Policies, it’s pretty clear which one is going to be a higher risk to your browsing privacy. Make sure to understand what you are agreeing to when you install any software on your device.

TIP #2: Understand the permissions required for the extension (or app) to be installed

As extensions have become more sophisticated, so have the resources required to run them. Depending on the functionalities of the extension, you may be required to authorize certain permissions for the extension to run properly.

While many simple extensions can function without requiring any additional permissions, the more complex ones will need to access areas of your browser that, in the wrong hands, could be used unethically.

Complex extensions require complex permissions

Giving permissions to an extension is similar to giving someone access to your house. You want your gardening service to have access to your yard, but there’s no reason they need a key to your bedroom. If they were to ask, you might be suspicious of their motives — the same should apply with extensions requesting permissions in your browser.

The key to being safe with permissions is common sense. An ad-blocker, for example, will require access to the data on websites you visit. Is there any reason though, for an ad-blocker to need to modify your copy and paste data, or access your bookmarks? Ask your self this question before installing any extension. If you cannot think of a reason why an extension should require a certain permission, try looking at similar extensions and see if they all require similar permissions.

TIP #3: Read the reviews

Reviews are often an excellent way to find out if an extension is worth the trouble of installing it. While reviews tend to focus on the efficacy of the extension, reviewers will generally out any extension that is misbehaving.

This particular extension has a 4 star rating, but on closer inspection, we see it includes malware.

As can be seen in the image above, even extensions with seemingly good star ratings can be hiding malware that will impact your browsing experience and potentially put your browsing data in the hands of third-parties without your explicit permission.

In conclusion:

Browser extensions have revolutionized the way users experience and interact with the web. Many free extensions offer enhanced functionality in exchange for a user’s trust. Others seek to take advantage of users by inserting malvertising or spyware into extensions.

In order to protect yourself from installing a malicious extension, we recommend that you always:

  1. Read the terms and conditions, specifically sections that focus on data privacy and third parties
  2. Make sure the permissions required for the extension to be installed do not step out of the boundaries of intended functionality
  3. Read user reviews to understand if other users have identified malicious activity originating from the extension
One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.