The Dark Side of Browser Extensions: Unveiling the Hidden Malware Threats
Discover the alarming truth behind browser extensions turning into malware: A single developer's betrayal can expose your valuable browsing data to wide-spread sharing Stay informed and protect yourself
Web browser extensions have the capability to transform from being helpful to becoming risky with just one update. This can potentially expose your browsing activities and personal information to an unfamiliar third-party developer or company. Unfortunately, this situation has occurred repeatedly despite the diligent efforts made by Google, Microsoft, and other browser developers. To shed light on this issue and provide guidance on safeguarding yourself, we present this article as part of Cybersecurity Awareness Week, in partnership with Incogni.
Browser extensions are mostly free to install, with paid extensions being incredibly rare. In fact, Google closed down the payment system for the Chrome Web Store in 2020, leading developers to explore alternative payment methods. The few premium extensions that do exist often offer some free features or are part of a larger paid service. Take Microsoft Editor, for example, which provides free error correction and grammar suggestions but requires a paid Microsoft 365 subscription for advanced checking and writing tips. ProtonVPN, on the other hand, offers the extension as an additional client option alongside native apps for desktop and mobile platforms.
Free browser extensions typically rely on donations, open-source contributions, or affiliate revenue to cover the development costs and time involved. However, at times, developers may seek ways to generate additional revenue without charging the user, which can lead to complications.
The Downward Descent
Various extensions generate revenue through third-party analytics and advertising platforms. Developers have the option to integrate these platforms into their extensions, enabling them to gather user data (such as browsing behavior) or display advertisements within the browser. The developer then receives compensation based on the number of users and the amount of collected data. This arrangement guarantees a consistent income for the extension creator, albeit at the cost of user privacy. Occasionally, the extension may be outright sold to an advertising or data company.
I have been engaged in the development of browser extensions for more than ten years. Throughout this time, I have regularly received emails requesting the inclusion of tracking code in my extensions or even offers for outright sale. Astonishingly, I just received another such email as I was writing this article. Absolutely true.
I am not alone in this issue. Oleg Anashkin, the developer of Hover Zoom+ extension, has created a comprehensive list on GitHub documenting all the requests made to take over their extension. Many of these offers involve adding code that inserts affiliate links into webpages or gathering user information. One such request claims to have developed a new technology for data collection, which can seamlessly record users' internet browsing habits. Some messages even attempt to reassure the developer that their code will not lead to the removal of the extension from the Chrome Web Store. However, such reassurances are usually a red flag.
Google does not explicitly forbid this data-gathering behavior for extensions listed on the Chrome Web Store. However, extensions with advertisements are prohibited from simulating browser or computer-level popups, and they are required to disclose the source of the ads (for example, an injected ad must indicate that it is "From SuperCoolVPN Extension"). Additionally, extensions that collect data must have a Privacy Policy that clearly explains what data is being collected and with whom it is shared. Moreover, when developers submit extensions to the Chrome Web Store, they must provide explanations for each permission requested. Generally, as long as an extension is transparent about collecting data on behalf of third parties, it is typically permitted.
However, all those policies require some level of enforcement, which means it's possible for malicious extensions to collect some user data before Google or another browser vendor notices and takes action. In 2019, Avast and AVG's Online Security extensions were caught recording website visit data and selling it to Home Depot, Google, Pepsi, and other companies through Avast's subsidiary Jumpshot. In 2016, the popular Web of Trust browser extension was selling identifiable user data after claiming it was anonymous.
Why Extensions Are Different
Browser extensions go beyond other types of software that may invade our privacy by being particularly difficult to protect against. This is due to the fact that many extensions require access to every page you visit in order to function. This enables them to add features like popups, new menus, grammar checks in text fields, and other actions. Although some extensions can be limited to certain websites or activated only when necessary, most of them require broad access in order to operate as intended.
To ensure your privacy, it is crucial to only install browser extensions from trusted developers or companies. Additionally, consider supporting your preferred extensions through donations, premium features, or other available means. By doing so, you can help them cover their development costs without resorting to potentially unsafe analytics companies.
