Browser Extensions: The Good and the Bad

Browser extensions, and what they add to the experience of using a modern web browser, are fairly common these days. Just looking at the Firefox extension catalog as I write this, there are currently 116 recommended extensions. But if I expand that to any extension, recommended or not? 86,484. That’s a lot of software add-ons for a browser. As with anything, it is important to understand the trade-offs associated with adding an extension to your browser. Before I explore the topic of browser extensions, though, let’s lay a foundation of what extensions are and what they provide.

What is a browser extension?

A browser extension is a software module that integrates directly into your web browser to provide a new function or service. It “extends” the capability of your browser, allowing you to customize how your browser behaves. This could range from changing the viewing experience of the pages you visit to more privacy-focused extensions that make it easier to manage or delete browsing data. There are also a number of browser extensions that provide services, like a free VPN, directly in the browser. You can generally install them through your browser’s settings.

Browser extensions can be extremely cool, but it is important to understand that those software modules are pieces of software code, written by a developer, with likely no direct oversight or support from the browser itself. For example, Mozilla, the maker of the Firefox browser, provides the following warning when looking at browser extensions that are not directly recommended by Mozilla: “This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.”

Understanding the permissions

Since a browser extension integrates directly into your browser, it has a lot of power and influence over the pages you visit. This includes the ability to inject things into a page, or read things from a page you visit. Permissions of the extension set boundaries on what the extension is allowed to do and not do. They are extremely important to understand and acknowledge.

As an example, there is a browser extension for Firefox that allows you to screenshot the page you are on and save it directly to your desktop. The required permissions for this extension?

  • Input data to the clipboard
  • Download files and read and modify the browser’s download history
  • Display notifications to you
  • Access your data for all websites

The last two permissions are worth taking a look at. For the first of them, according to Mozilla, the extension would be allowed to “save a file from the web or one created in the extension using the browser’s download manager. The extension could also access and update details of downloaded files stored in the download manager.” This is likely necessary for the screenshot to be saved onto your Desktop. However, it also allows the extension to download things outside of that, including from other locations (like a remote server).

The second permission is even more broad allowing the extension to, “read the content of any web page you visit, as well as data you enter into those web pages, such as usernames and passwords.” Let that sink in a moment. You are giving an extension the ability to read anything from pages you visit, and the data you enter into those pages.

Broad permissions are not automatically a problem: some of them might be required for the extension to do the job you are asking it to do. For example, a password manager probably needs to enter a username and password into a website, and know where the login fields are to put that username and password. However, an extension with a much narrower focus asking for that permission might be a red flag. Ask yourself, are the permissions this extension is asking for absolutely needed? Mozilla (Firefox) provides an easy-to-find location that explains how their permission system works. You can access it here. For Google (Chrome), on the other hand, I had difficulty locating anything that was not for developers.

Spotting risky extensions

Just having a high user count is not an indication of a safe browser extension. High ratings are also not an indication of a safe extension. Fake reviews and fake users, or worse, users who do not know they are using a malicious extension, do not make an extension safe. Risky extensions are those providing “free” services that clearly have a cost to them (looking at you “free” VPNs – example), brand new extensions, extensions from unknown or new developers, and extensions that are not reviewed by the browser developer (i.e. not “Recommended” in the case of Mozilla).

Even trusted extensions can turn dangerous over time. When a browser extension is sold to a new developer, that developer may have harmful intentions, quietly pushing malicious updates to everyone who already has it installed. Because the extension was safe when you first added it, most people never think to check it again. That’s why it’s worth taking a few minutes every so often to review the extensions you have. Ask yourself: do I still use this? Has it recently changed hands or behaved differently?
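The permission questions above, and the periodic review described here, can be checked against an extension’s manifest.json. The following is an added example, not code from Mozilla or from any extension: it maps the four prompts listed earlier to their WebExtension manifest keys, flags the two broad ones, and lists what an update requests beyond the version you reviewed. The sample manifests and all function names are constructed for illustration.

```javascript
// Added example. Manifest keys mapped to the prompt text listed in the article.
const PROMPTS = {
  clipboardWrite: "Input data to the clipboard",
  downloads: "Download files and read and modify the browser's download history",
  notifications: "Display notifications to you",
  "<all_urls>": "Access your data for all websites",
};
// The two permissions the article singles out as broad.
const BROAD = new Set(["downloads", "<all_urls>"]);
// Host patterns that match every site are treated like <all_urls> here.
const ALL_HOSTS = /^(\*|https?):\/\/\*\/\*$/;

// Everything a manifest asks for: API permissions, host permissions
// (Manifest V3 lists them separately) and content-script match patterns.
function requested(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...scripts,
  ]);
}

// Broad permissions to question before installing.
function audit(manifest) {
  return [...requested(manifest)]
    .filter((p) => BROAD.has(p) || ALL_HOSTS.test(p))
    .sort();
}

// Permissions an update requests that the version you reviewed did not.
function addedByUpdate(reviewed, update) {
  const before = requested(reviewed);
  return [...requested(update)].filter((p) => !before.has(p)).sort();
}

// Constructed sample manifests (not a real extension).
const reviewed = {
  name: "Sample Screenshot Tool", version: "1.0", manifest_version: 2,
  permissions: ["clipboardWrite", "downloads", "notifications", "<all_urls>"],
};
const update = {
  ...reviewed, version: "1.1",
  permissions: [...reviewed.permissions, "cookies", "webRequest"],
};

for (const p of audit(reviewed)) console.log(`broad: ${p} -> ${PROMPTS[p] || p}`);
console.log("new in update:", addedByUpdate(reviewed, update).join(", "));
```

Content-script match patterns are included because a script injected into every page can read those pages even when the permissions list itself looks short.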

Good rules to follow

A good rule of thumb is to avoid browser extensions entirely if you don’t need them. Any time you introduce new software into your browser or computer, you are trusting another party. If you do need to use them, try to limit how many you use. From there, ask yourself a few questions. First, is the extension recommended or supported by the browser’s developer? Second, do you know who the developer is, and is the developer a trusted company or party? Minimizing what you install and answering those two questions will mitigate a lot of the risk. Just remember, installing a browser extension should be a deliberate decision. Stay safe in your online adventures!