Are Chrome Extensions Safe?

Chrome extensions gather a lot of user data and while most are safe, one leak can be catastrophic. So, how do you spot unsafe extensions?


How often do you think about the security of the Chrome extensions you use? Hardly at all, sometimes, or often?

While most extensions are nothing to worry about, just one bad extension is enough to do some major damage.

We take a look at how safe Chrome extensions are, which extensions are most at risk, and what you can do to stay safe.

How Safe Are Chrome Extensions?

Chrome extensions are not as safe as you’d like to think, according to a recent blog post by Federico Morelli for Incogni which revealed some startling research.

Incogni’s “researchers analyzed 1,237 Google Chrome extensions available on the Chrome Web Store” from a wide range of uses, “from writing to gambling.”

They discovered that more than half of all Chrome extensions could be a security risk. On top of that, more than a quarter of all Chrome extensions collect user data.

For some of us, it’s not a huge surprise that data is being collected, but it’s worth considering the scale at which it is happening and questioning if that data needs to be collected.

Unnecessarily collected data is super risky because if the extension is attacked, we could see significant personal information leaked.

Can Google Chrome Extensions Be Dangerous?

If personal information is leaked, yes, Chrome extensions can be pretty dangerous.

Chrome extensions for writing turned out to be one of the biggest risks, according to Incogni. (A big concern for me as I write for a living!)

Though it should be said that if an extension were to suddenly turn rogue or be compromised by attackers with malicious intent, they’re not going to be interested in stealing my articles.

They’re going to be interested in sensitive data like bank details, for example, or other data that could be used to their advantage.

Writing extensions collect the most types of data and often require the most permissions. This is because they often need to read and sometimes change the information you enter.

Permissions are the access you give an extension to your browser or even your laptop, whether to view something or to change it.

After writing extensions, shopping extensions are the second most risky, with almost 65% collecting user data.

Shopping extensions are significantly riskier as they have access to potentially more harmful data.

Can Browser Extensions Steal Data?

Malicious or compromised browser extensions can indeed steal your data if they have access to it.

But it is important to clarify the difference between stealing data and collecting data that the extension needs to operate.

It’s important to remember that many of the extensions you use are likely ‘freemium content.’ So of course, they are collecting data—it’s what they get in return for you using the service.

In the end, it depends on what kind of data they are collecting. An extension might just collect error reports.

The types of data an extension collects should be specified in the terms and conditions which you likely accepted without reading.

On top of that, make sure you understand the types of permissions they require before jumping to the conclusion that they’re stealing your data.

The data or permission type may sound suspicious but is quite commonly required.

Can Chrome Extensions Steal Passwords?

Extensions with permission to read keystrokes or access to your clipboard could theoretically steal your password. But many don’t have access to sensitive fields. They’re usually shielded.

Grammarly, one of the most popular writing tools (and coincidentally one of the largest data-collecting extensions), says it doesn’t have access to sensitive fields.

They add that the user can always see when the extension is working. And to be fair, it would be hard for Grammarly to function without the required permissions.

However, let’s not forget that sensitive data is not always entered into special fields. What about data written in plain text fields, like an email, Google Doc, or on a messaging app?

If that’s something that concerns you, you should look into limiting what sites writing extensions like Grammarly can access.

Option to change Grammarly's site access.
Site access for Grammarly can be changed to specific sites or on click.
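
The permissions and site access discussed above are declared in each extension's manifest.json file. The following Python sketch is an added example, not part of the original article: it reads a manifest and reports whether the extension asks for every site and which sensitive permissions it requests. The shortlist of "sensitive" permissions and the two sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Real Chrome API permissions; which ones count as "sensitive" is this
# example's assumption, not an official list.
SENSITIVE_APIS = {"clipboardRead", "cookies", "history", "tabs",
                  "webRequest", "nativeMessaging"}


def audit_manifest(manifest):
    """Summarise what one manifest.json lets the extension reach."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = set(manifest.get("host_permissions", []))           # Manifest V3
    # Manifest V2 mixes host patterns into "permissions".
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))                 # injected pages
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_...__ placeholder
        "all_sites": bool(hosts & BROAD_HOSTS),
        "sites": sorted(hosts - BROAD_HOSTS),
        "sensitive_apis": sorted(set(perms) & SENSITIVE_APIS),
    }


def audit_profile(extensions_dir):
    """Audit each <id>/<version>/manifest.json in a profile's Extensions folder."""
    reports = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        # utf-8-sig tolerates manifests saved with a byte-order mark.
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        reports.append(audit_manifest(data))
    return reports


# Constructed sample manifests (not real extensions).
WRITING_HELPER = {
    "name": "Sample Writing Helper", "manifest_version": 3,
    "permissions": ["storage", "clipboardRead", "tabs"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["check.js"]}],
}
COUPON_FINDER = {
    "name": "Sample Coupon Finder", "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://shop.example.com/*"],
}

if __name__ == "__main__":
    for sample in (WRITING_HELPER, COUPON_FINDER):
        print(audit_manifest(sample))
```

The manifest shows what an extension requests; the site access setting described above can narrow it further on your own browser.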

Can a Chrome Extension Be a Virus?

Users can be tricked into installing a virus in the form of a Chrome extension or hackers can hijack an existing extension and turn it into a virus.

Less tech-savvy users can be too trusting and download an extension because they are told they must in order to access content or a service.

Elsewhere there are untrustworthy extensions out there pretending to be real extensions.

On the topic of ad blockers, Throttlenet explains, “Hackers will simply copy the code from a legitimate ad blocker and create their own app with the added bonus of malware code.”

It then becomes all too easy for someone to mistake the fake version for the real thing and install malware on their computer.

And sometimes hackers uncover weaknesses in extensions already available on the Chrome Web Store, take over, and inject malware.

In 2018, Radware uncovered that a Chrome extension called ‘Nigelify’ was attacked and had installed malware on approximately 100,000 users’ computers.

The malware forced users’ computers into crypto mining, fraud, and credential theft. Thankfully, though, once Google was aware, they put a stop to it all.

How to Tell if a Chrome Extension Is Safe?

First and foremost, get your extensions from a safe, reputable place like the Chrome Web Store and even then, you should check reviews and make sure Chrome trusts them.

Secondly, don’t download extensions from sites you don’t trust! (If that wasn’t obvious enough already.)

Morelli says you can check the risk factor of a Chrome extension by using ChromeStats, a site that analyzes Chrome extension data, including how risky they are to the user.

On this platform, you can search the extension you are considering and then go down to ‘risk impact’ and ‘risk likelihood.’

Below is an example of Ad-Blocker, the highly popular extension for blocking unwanted ads. Interestingly, it has a very high risk impact, but the risk likelihood is low.

'Risk impact' and 'Risk likelihood' for the Ad-Blocker Chrome extension.

While the two seem contradictory, you could interpret this as saying that if Ad-Blocker was hacked, a lot of data and permissions could be at risk, but the chances of this happening are low.

So, Ad-Blocker is still safe to use. We trust that the developers have good intentions and that it is well-developed. There are likely not many flaws attackers can take advantage of.

Avoid extensions with a high risk likelihood and a high risk impact; these are the most unsafe to use.

In the end, the fewer Chrome extensions you have the better as it’ll decrease the chance of your data being leaked. So, start by removing the ones you don’t need.

How to Restrict Chrome Extensions?

If the idea that your Chrome extensions are watching you gives you the creeps, you can easily restrict or remove them with little hassle.

Click on the “Extensions” button in the top right (it looks like a puzzle piece) to see a full list of all the extensions that you have installed on Chrome.

At the bottom of the list of extensions, you will see the option “Manage extensions”—click on it.

The "Manage extensions" button.

From this dashboard, you’ll be able to toggle on or off extensions with the option to the right, or if you prefer, you can remove them by clicking ‘Remove’ to the left.

'Remove' and toggle on and off buttons for extensions.

You may even find that you had some extensions installed you didn’t even know about.

By Craig Britton

Jack of all trades on writing-related topics with extensive experience in copywriting.
