In a recent study of 1,237 Chrome extensions with a minimum of 1,000 downloads, Incogni researchers found that nearly half ask for permissions that could potentially expose personally identifiable information (PII), distribute adware and malware, or even log everything users do online, including accessing passwords and financial data.
Almost half (48.66 percent) of all Chrome extensions have a High or Very High risk impact due to permissions required at installation, according to Incogni, and over a quarter (27 percent) collect user data.
“Some Chrome extensions have access to virtually everything you do in your browser, including all your keystrokes,” Incogni content manager Federico Morelli wrote in a blog post detailing the findings. “If an extension like this was to turn malicious or get compromised, a bad actor could spy on your every move and steal your login and payment details from any site you visit. These are the highest Risk Impact extensions.”
Accessing Sensitive Data
Much of that data is highly sensitive. Over 14 percent of the extensions studied by the researchers collect PII, more than 6 percent collect authentication data, 2.51 percent collect personal communications, and 1.21 percent collect financial and payment information.
Chrome extensions used to aid in writing are the most data-hungry (79.5 percent access at least one type of sensitive data), collect an average of 2.5 data types, and ask for the most permissions. Fully 56.4 percent collect PII, and 33.3 percent collect location data.
Still, writing isn’t the only risky category – 65 percent of shopping extensions collect user data, and 32 to 35 percent of productivity, search tools, and sports extensions do so.
The reliability of the developer offering a given extension factors into Incogni’s assessment of risk, though Morelli noted that while the potential impact of an extension can’t change without requesting additional permissions, the company behind that extension can change or be compromised without warning.
It is important to stick with extensions from trusted developers, Morelli wrote, but any trusted developer “can turn bad actor, reviews can be bought or faked and extensions can be compromised through no fault of the developer.”
Extensions can also be sold to malicious groups. “Adware vendors buying Chrome extensions and infecting them with adware and malware is a well-known practice,” Morelli wrote. “There are many examples of this, from the Particle extension takeover to smaller developers having their reputations dragged through the mud.”
It’s also crucial to watch out for malicious duplicates of popular extensions. “These are easy to fall for if you’re not very careful to match the extension and developer names exactly,” Morelli added.
How to Minimize Chrome Extension Risk
To protect yourself from risky Chrome extensions, Morelli said key mitigations include the following:
- Before installing, be sure you really need the extension
- Make sure the extension name, logo, and developer match your expectations
- Always check any new extension’s permission requirements and risk profile
And if you’re uncomfortable, look elsewhere.
“Don’t shrug off any red flags or lingering doubts – whatever your need, it’s bound to have been addressed by other developers,” Morelli wrote.
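The permission check recommended in the list above can be done by reading an extension's manifest.json before or after installation. The following is an added example, not code from Incogni or from the original article; the risk tiers and the sample manifests are assumptions made for illustration and do not reproduce Incogni's scoring.

```python
import json

# Assumption: illustrative grouping only, not Incogni's Risk Impact methodology.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "history", "webRequest", "clipboardRead",
                  "debugger", "nativeMessaging", "tabs", "scripting"}

def audit_manifest(manifest: dict) -> dict:
    """Summarise what an extension can reach with its install-time permissions."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists host patterns in host_permissions; V2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts run inside matching pages, so their match patterns are host access too.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    apis = set(perms) - hosts
    broad = sorted(hosts & BROAD_HOSTS)
    sensitive = sorted(apis & SENSITIVE_APIS)
    if broad and sensitive:
        level = "very high"   # every site plus an API that exposes browsing data
    elif broad:
        level = "high"        # can read and modify pages on every site
    elif sensitive:
        level = "medium"      # sensitive API, but limited or no host access
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level,
            "broad_hosts": broad, "sensitive_apis": sensitive}

# Constructed sample manifests (not real extensions).
SAMPLES = [
    '{"manifest_version": 3, "name": "Grammar Helper", '
    '"permissions": ["storage", "cookies"], "host_permissions": ["<all_urls>"]}',
    '{"manifest_version": 2, "name": "Coupon Finder", '
    '"permissions": ["tabs", "https://shop.example/*"]}',
    '{"manifest_version": 3, "name": "Dark Theme", "permissions": ["storage"], '
    '"content_scripts": [{"matches": ["*://*/*"], "js": ["theme.js"]}]}',
    '{"manifest_version": 3, "name": "Unit Converter", "permissions": ["storage"]}',
]

def audit_all(raw_manifests):
    return [audit_manifest(json.loads(raw)) for raw in raw_manifests]

if __name__ == "__main__":
    for result in audit_all(SAMPLES):
        print(f'{result["level"]:>9}  {result["name"]}  '
              f'{result["broad_hosts"]} {result["sensitive_apis"]}')
```

Entries under optional_permissions are deliberately ignored here because they are requested at runtime rather than at installation.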