Are browser extensions still safe to use?

Get a free Techzine subscription!

Browser extensions have been around for years now, both Chrome, Firefox and Safari support browser extensions. Since a few weeks, Microsoft Edge joined as they switched to Chromium, the same browser engine as Google Chrome. The number of security issues, fraud reports and privacy risks with browser extensions are increasing and suddenly seems to be a real danger, are browser extensions still safe to use?

Over the past few weeks, both Mozilla and Google have taken action against various browser extensions. Both Firefox and Chrome have a rich database with browser extensions. When developers add or update extensions to the extension stores, some security checks are applied, but it seems to be a minimal security check.

What are browser extensions?

Browser extensions are mini-applications within a browser that add functionality. Commonly used extensions are for example Adblockers, Colorpickers, CRM integrations, Microsoft Office (Word, Excel, Powerpoint editing in your browser), Password Managers, Screenshot creators and translators. They add functionality within one or two clicks. Extensions are very useful, but if the developers have wrong intentions or extensions fall into the wrong hands, it is also very dangerous.

Mozilla recently removed almost 200 extensions

Mozilla recently deleted nearly 200 different browser extensions because they are “in violation of Mozilla policies”. Of those almost 200 extensions, 129 were from the same company, 2Ring. According to Mozilla, these extensions executed code on an external server, which is against the policy. Other extensions have also been removed for the same reason. Mozilla removed other browser extensions for different reasons; for performing malicious behaviour on certain third party websites, collecting and transmitting user data, manipulating the user’s search behaviour or because of using obfuscated source code, making it impossible to determine the true nature of the extension.

Google sees a spike in fraudulent transactions with paid Chrome extensions

Google decided last week to block the addition and updates of paid extensions temporarily. The security team at Google saw a huge spike in fraudulent activity. These activities were detected among paid extensions only, where you have to pay once in advance or pay a monthly fee to use the extension. These fraudulent activities would exploit users.

This block has been active for a week now, and Google has not released any further news. Companies with paid extensions are getting impatient because they can’t update their extensions and solve possible security problems. They, in turn, get complaints from their customers that problems are not solved because they cannot update the extension.

Are browser extensions safe to use?

The problems and security risks with browser extensions seem to be getting bigger. So concerns are not unjustified. The security checks around browser extensions simply haven’t been good enough for years. The browser extension web stores now contain malicious extensions. Extensions that do not comply with the policies.

Browser extensions that work statically and don’t connect to external servers are generally safe. Extensions that need to connect to a server to retrieve data are more sensitive because they can also unwittingly fall victim to cybercriminals. The server used to communicate with can be taken over by criminals, or the domain name can be hijacked.

If you don’t need browser extensions, the safest choice is not to use them at all.

Many endpoint security solutions do look at browser extensions, but they can’t offer complete security either. It is extremely difficult to monitor and secure browser extensions externally because their behaviour corresponds to normal browser behaviour. The browser itself is an approved application and opening, loading and sending data to web addresses is normal behaviour. Stealing usernames and passwords or collecting user data is, therefore, difficult to detect and block.

Which extensions are safe?

A hundred per cent safety cannot be guaranteed. Most extensions will be safe. It is a small number of extensions that have the wrong intention and use malicious code. The safety is in the numbers, that is the best advice we can give. Browser extensions that are extremely popular and have thousands of reviews and millions of users are safe to use. Those extensions attract attention, also from security researchers and have usually been tested. If there are vulnerabilities in those extensions, they will probably be fixed fast, because there are better maintained. You can also take a good look at which companies have developed the extensions, extensions from Google and Microsoft are generally safe and in any case well maintained. Extensions that are rarely used or developed by unknown companies should be ignored.

If you don’t need browser extensions, the safest choice is not to use them at all.