Browser Extensions for Grocery Delivery Timeslots Bring New Risks to Consumers

Ido Safruti
PerimeterX
May 12, 2020

Cutting the Line for Online Grocery Delivery May Not Save You Time

Record numbers of grocery and food delivery apps have been downloaded so far this year. Securing a coveted grocery delivery timeslot using these apps is now a key challenge for many who are sheltering in place. Users have even become obsessed with finding a slot or a particular item and use multiple applications at once to increase their chances of success. Adding browser extensions or scripts to this game of roulette can certainly make that task easier, but these add-ons come with risks that many consumers might ignore in their quest to win a slot.

Today’s browsers offer consumers some protections against malware, such as limiting the data extensions can access, as well as requiring extensions to request permission to perform non-standard actions when installed. Unlike extensions that run within the framework of the browser, downloaded scripts can perform any task involving one’s files or execute other malicious code. In the long run, the time consumers spend fighting malware, and the potential damage and data loss it may cause, might not be worth the time they save finding a grocery delivery slot.

What You Need to Know About Extensions and Scripts

Browser extensions, even from reputable companies, will often perform tasks beyond the original reason you installed them. In some cases, they could be infected or malicious, harvesting your personally identifiable information (PII) for future use, or logging keystrokes to get passwords and account numbers that you don’t want to share. Extensions could also inject intrusive and not-safe-for-work (NSFW) ads into the sites you browse. These ads may promote alternate products or too-good-to-be-true offers on unfamiliar sites. They disrupt your path to purchase and are an annoyance that no shopper needs, especially now.

The same thing is true for scripts. While a script might be helpful to begin with as it secures a delivery slot, without reviewing the actual code, it’s impossible to know what else the script is doing. It could search and collect data from files stored on your hard drive, download malware and install it on your machine, or encrypt and erase your drive and hold it for ransom.

As tempting as these extensions and scripts may be, this is a classic case of “Buyer beware!” Consumers need to be extremely careful and check the permissions the extension requests when it is installed. An extension to help find delivery time slots on Amazon, for example, shouldn’t ask for permissions for every site you visit. Nor should it need data access or the ability to listen to keyboard events.

How to Prevent Browser Malware

Here are a few tips on what users should look for before installing extensions or scripts.

When installing browser extensions:

  • Check their popularity, including number of users and reviews. Any extension with only a few hundred users, and few or no reviews, should be considered suspicious.
  • Pay close attention to the permissions an extension requests. If it requires any privileged access, such as to read or change data, or access to a broad set of sites you visit, it might be best to pass.
  • If you are using Chrome, consider setting up a new “identity” for unsafe browsing, which can be found under the “People” setting. Chrome implements identities much like separate users, meaning that one identity has no access to the personal information tied to your main Chrome identity. This keeps the browsing history, passwords and auto-fill information stored on your main identity safe. If you need to install an untrusted extension, we recommend installing it under an identity that is different from your main one, and then being very selective about the information you provide when browsing with it. This is a much easier way to browse safely, and it does not require setting up a whole new OS user or running the browser in a separate VM.
  • Firefox identities are called profiles, and can be managed through the Profile Manager.
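One way to carry out the permission check described above, as an added example that is not from the original article: a Python script that reads an extension's manifest.json and lists any site access beyond the one site the extension is meant for, plus sensitive API permissions. The sample manifest, the `grocer.example` domain and the function names are constructed for illustration.

```python
import json

# API permissions that expose browsing data or broad control (Chrome names).
SENSITIVE_APIS = {"history", "cookies", "tabs", "webRequest", "clipboardRead",
                  "downloads", "management", "nativeMessaging", "debugger", "proxy"}

def host_of(entry):
    """Return the host part of a match pattern, or None for an API permission."""
    if entry == "<all_urls>":
        return "*"
    if "://" not in entry:
        return None
    return entry.split("://", 1)[1].split("/", 1)[0]

def audit_manifest(manifest, expected_domain):
    """List findings for hosts outside expected_domain and sensitive APIs."""
    entries = []  # (manifest key, value) pairs from every place hosts can appear
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        entries += [(key, v) for v in manifest.get(key, []) if isinstance(v, str)]
    # Content scripts run inside matching pages, where they can see keyboard input.
    for script in manifest.get("content_scripts", []):
        entries += [("content_scripts.matches", m) for m in script.get("matches", [])]

    findings = []
    for key, value in entries:
        host = host_of(value)
        if host is None:
            if value in SENSITIVE_APIS:
                findings.append(f"{key}: sensitive API '{value}'")
        elif host == "*":
            findings.append(f"{key}: every site ({value})")
        else:
            bare = host[2:] if host.startswith("*.") else host
            if bare != expected_domain and not bare.endswith("." + expected_domain):
                findings.append(f"{key}: unexpected host ({value})")
    return findings

# Constructed sample: a slot-finder extension that asks for far more than one site.
SAMPLE = json.loads("""{
  "manifest_version": 3,
  "name": "Hypothetical Slot Finder",
  "permissions": ["storage", "alarms", "history"],
  "host_permissions": ["https://*.grocer.example/*", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE, "grocer.example")))
```

An empty result means the manifest only asks for the expected site; the browser's install prompt remains the authoritative list of what is requested.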

For scripts:

  • If you don’t understand the scripting language and cannot verify the author and how trustworthy the author is, do not run the script.
  • If you understand the scripting language, review the script carefully and verify that it does not access file system resources or make any unneeded network calls.

Cybercriminals follow the money, so with more people shopping online, you can expect to see more malware. Shoppers will need to remain vigilant. For information on how to remove unwanted extensions in Chrome, read this blog from Google.

Originally published at https://www.perimeterx.com on May 12, 2020.
