Browsers’ true powers are unlocked when they are used alongside services such as extensions. Extensions are popular because some of them are genuinely useful. Don’t like YouTube ads? Extensions can help you with that. Want to deal with excessive website ads and popup ads? There are extensions for that. There are thousands of other use cases too, and extensions have been developed to ensure that that function is met.
Data removal company Incogni reports it has analyzed the risk profiles of 1,237 Chrome extensions available on the Chrome Web Store.
The study reveals that 1 in 2 Chrome extensions (48.66%) has a High to Very High-Risk Impact, asking for permissions that could potentially expose Personally Identifiable Information (PII), distribute adware and malware, and log everything users do, including the passwords and financial information they enter while online.
- 1 in 2 (48.66%) Chrome extensions have a High to Very High-Risk Impact
Risk Impact is defined, first and foremost, by the permissions a given extension requires at installation.
- 1 in 4 (27%) Chrome extensions collect data.
- Chrome extensions used for writing: are the most data-hungry (79.5% collect at least one data point); collect the most data types on average (2.5); are also the riskiest, asking for the most permissions, with one of the highest average Risk Impact scores (3.7/5.0).
Almost half of the 1,237 Chrome extensions analyzed score highly on Risk Impact, a measure of the potential consequences of an extension being or turning malicious.
While just over 1 in 4 (27%) of all Chrome extensions examined collect user data, almost 4 in 5 (79.5%) writing aid extensions do so.
Writers, bloggers, and language learners need to pay particular attention to how they augment their browsers. Writing extensions collect the greatest number of data types (2.5 on average) and have the highest average Risk Impact scores (3.7/5.0).
Drilling down into the types of data writing extensions collect, we see that 56.4% collect PII (Personally Identifiable Information) and 33.3% collect location data. That’s a lot of trust to place in a company that’s looking to monetize its interactions with you.
According to Aleksandras Valentij, Information Security Officer at Surfshark:
“[Users should] be extremely cautious with browser extensions that require the following permissions: read and change all your data on all websites you visit, audio capture, browsing data, clipboard read, desktop capture, file system, geo-location, storage, and video capture.
The general advice in such cases is to use common sense when granting permissions to browser extensions. For example, why would an ad blocker need audio capture access or access to your file system? If you have doubts, simply don’t use that particular add-on. There are plenty of alternatives for each add-on out there.”
Although installing extensions only from trusted developers with a history of ethical software development and high user ratings provides some level of protection, it doesn’t guarantee it. Extensions, like any other proprietary software, can change hands without notice.