The other day, a friend called me and said that his Google Chrome browser is acting weirdly and may need reinstalling. According to him, every time he searched for something on Google some unknown website appeared with suspicious results. I asked him to remove every Chrome extension and only add those few that he really needs. But it occurred to me that this friend of mine will probably be hit by more scams brought by other malicious Chrome extensions unless he looks out for a few things.
And I can assure you my friend is not alone.
According to statcounter.com, Chrome has become the de facto standard of browsers with nearly 60 percent of market share across all platforms as of June 2018.
Aside from its speed, ease of use, clean interface, and security, one of the main selling points of Google Chrome is the vast arsenal of tens of thousands of extensions that virtually cover every niche and need. Chrome extensions are fun and make you more productive at the same time. You don’t need to order tailored software for your needs because you’ll find similar ones on Chrome Web Store. Right?
What are Chrome extensions?
Why can Chrome extensions be dangerous?
Chrome extensions are small plugin apps that reside within your browser. Therefore, they could potentially have full access to all your data in your browser, such as the websites you visit, the content of these websites, what you enter in forms (e.g. passwords), and more.
Chrome extensions have a layered permission system that can narrow an individual extension’s access to your data to what the extension really needs. But such a system is only as effective as the people using it. If you accept every permission a Chrome extension asks for without a second thought, the permission system cannot protect you.
While Google scans every Chrome extension that is submitted to the Chrome Web Store, some malicious ones still slip through the net. And as if that weren’t bad enough, Google Chrome allows extensions to be installed from third-party websites through something called the inline install API. The good news is that the search behemoth has announced that this functionality will be gradually phased out. From Chrome 71 in early December 2018, the inline install API will be removed from developers’ options altogether.
But that’s not the whole story. Chrome extensions are updated automatically. So even if you took the necessary precautions and did your research before installing, an extension can turn malicious in a later update. The extension can also change hands: the developer may sell it to another company, or it may get compromised and become the target of a supply chain attack.
All in all, there are a lot of scenarios that could make an extension dangerous, even after it has been installed. So you have to keep an eye on your Chrome extensions, not only when installing, but also after they have been installed.
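The permission system described above is something you can check for yourself, both before installing and afterwards, because every installed extension leaves its manifest.json on disk. The following script is an added example for this article, not code from the article or from Google: it reads manifests the way Chrome stores them (one `<extension id>/<version>/manifest.json` per extension under a profile’s Extensions directory) and flags the permissions that grant access to browsing data. The list of "broad" permissions, their one-line descriptions and the two sample manifests are constructed for illustration; the profile paths mentioned in the comments are the usual defaults.

```python
"""Audit Chrome extension manifests for permissions that expose browsing data.

Added example for this article, not code from the article or from Google.
Chrome stores each installed extension's manifest at
<profile>/Extensions/<extension id>/<version>/manifest.json; the profile paths
mentioned below are the usual defaults, and the two sample manifests are constructed.
"""
import json
from pathlib import Path
from typing import Dict, List

# Permissions that let an extension read or change what you do in the browser.
# The descriptions are summaries written for this example.
BROAD_PERMISSIONS = {
    "<all_urls>": "read and change data on every website",
    "tabs": "see the URL and title of every open tab",
    "webRequest": "observe every network request",
    "webRequestBlocking": "modify or block network requests",
    "history": "read browsing history",
    "cookies": "read cookies, including session tokens",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to programs outside the browser",
}

# Host patterns whose wildcard host matches every site.
WILDCARD_HOST_PREFIXES = ("*://*/", "http://*/", "https://*/")


def audit_manifest(manifest: dict) -> List[str]:
    """Return one finding per broad permission found in a parsed manifest."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("optional_permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # manifest v3 keeps hosts here
    findings = []
    for perm in sorted(requested):
        if perm in BROAD_PERMISSIONS:
            findings.append(f"{perm}: {BROAD_PERMISSIONS[perm]}")
        elif perm.startswith(WILDCARD_HOST_PREFIXES):
            findings.append(f"{perm}: host pattern matches every website")
    return findings


def audit_manifest_text(text: str) -> List[str]:
    """Same check on the raw contents of a manifest.json file."""
    return audit_manifest(json.loads(text))


def audit_extensions_dir(root: Path) -> Dict[str, List[str]]:
    """Audit every <id>/<version>/manifest.json under a Chrome Extensions directory."""
    report: Dict[str, List[str]] = {}
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            findings = audit_manifest_text(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings = [f"could not read manifest: {exc}"]
        report[ext_id] = findings
    return report


# Constructed sample: an extension that asks only for what a single-site tool needs.
NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "Example single-site helper (constructed sample)",
    "version": "1.0",
    "permissions": ["storage", "activeTab"],        # activeTab: only the tab you invoke it on
    "host_permissions": ["https://example.com/*"],  # one site, not every site
}

# Constructed sample: an extension that can read and rewrite every page you visit.
BROAD_MANIFEST = {
    "manifest_version": 2,
    "name": "Example ad remover (constructed sample)",
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking", "storage"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Audit a real profile, e.g. ~/.config/google-chrome/Default/Extensions on Linux,
        # ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS, or
        # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows.
        for ext_id, findings in audit_extensions_dir(Path(sys.argv[1])).items():
            print(ext_id, findings or "no broad permissions")
    else:
        for label, manifest in (("narrow", NARROW_MANIFEST), ("broad", BROAD_MANIFEST)):
            print(label, audit_manifest(manifest) or "no broad permissions")
```

Run it with no arguments to compare the two constructed manifests, or pass the path of a profile’s Extensions directory to audit what is actually installed. A finding is not proof of malice (an ad blocker genuinely needs to see every page), but it tells you which extensions deserve the closest look, before installation and again after an update.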
Things you should check before installing a Chrome extension
Make sure you really need the extension
This one is not about the extension you intend to install but rather about proper security hygiene. Every piece of functionality you add to your system increases your attack surface. There are a lot of cool and fun things out there, but if you don’t really need something, don’t install it.
Create a dummy Chrome profile to check out possible extensions first
If you are like me, you can’t always adhere to the previous rule. Checking new software is not only fun but may be part of your day-to-day work. After all, how would you know if a Chrome extension will help you increase your productivity without installing it? Creating a new dummy Chrome profile for testing purposes is a reasonable precaution that can help prevent a lot of tears. Separate your real business browser, where you have all your accounts open, from the testing profile and you have added an additional layer of security.
Never install an extension from outside of the Chrome Web Store
Google has already enforced this policy for Chrome extensions that are published after June 12th, 2018. But if you have previously installed an extension from somewhere outside of Chrome Web Store, uninstall it now and look for an official alternative on Chrome Web Store.
Google says that by September 12, it will disable this functionality for existing extensions. Regardless of where you click to install an extension, you will be led to the Chrome Web Store, and that is a good thing. According to Google, the inline install API that is necessary for installing extensions from outside the Chrome Web Store will be removed from Chrome 71 altogether in early December 2018.
Google says that the descriptions and feature lists in the Chrome Web Store are vital to help users make informed decisions on whether or not they really need a particular extension.
Please note that developers will still be able to locally install their extensions for testing by enabling developer mode.
Make sure you are installing the right extension
This may sound too easy but it isn’t. Earlier this year AdGuard, a company that offers ad blocking products, revealed a list of five malicious Chrome extensions that together had compromised over 20 million users. Here’s the list of the malicious extensions:
- AdRemover for Google Chrome™ (10M+ users)
- uBlock Plus (8M+ users)
- Adblock Pro (2M+ users)
- HD for YouTube™ (400K+ users)
- Webutation (30K+ users)
Now have a look at the following list of legitimate extensions:
- AdBlock (10M+ users)
- Adblock Plus (10M+ users)
- AdBlocker Ultimate (750K+ users)
- uBlock (500K+ users)
- uBlock Origin (10M+ users)
- uBlock Plus Adblocker (800K+ users)
- And many, many more…
As you can see, it’s really important to make sure you install the extension you intend to install. It is really difficult to tell the first list from the second. Don’t rely on something you vaguely remember.
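Because display names are exactly what an impostor copies, the reliable identifier is the extension’s store ID: 32 letters from a to p, derived from the developer’s signing key, visible in the Chrome Web Store URL and on chrome://extensions with developer mode on. An impostor can copy a name but not the ID. The script below is an added example for this article, not code from the article or from AdGuard or Google: it checks an inventory of installed extensions against a trusted list keyed by ID, and only falls back to name comparison to explain why an untrusted entry is suspicious. The IDs are constructed placeholders; the names are taken from the two lists above.

```python
"""Check installed extensions against a trusted list by store ID, not by display name.

Added example for this article, not code from the article or from Google.
A Chrome extension's ID is 32 letters from a to p and is derived from the
developer's signing key, so an impostor that copies a name cannot copy the ID.
The IDs below are constructed placeholders; the names come from the article's lists.
"""
import re
from typing import Dict, List, Tuple

EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def is_valid_extension_id(ext_id: str) -> bool:
    """True if the string has the shape of a Chrome extension ID."""
    return bool(EXTENSION_ID_RE.match(ext_id))


def normalize_name(name: str) -> str:
    """Fold the variations a look-alike relies on: trademark marks, case, spacing, punctuation."""
    for mark in ("\u2122", "\u00ae"):  # the ™ and ® signs
        name = name.replace(mark, "")
    return "".join(ch for ch in name.casefold() if ch.isalnum())


def classify(name: str, ext_id: str, trusted: Dict[str, str]) -> str:
    """Verdict for one installed extension against a {id: name} trusted list."""
    if not is_valid_extension_id(ext_id):
        return "invalid-id"
    if ext_id in trusted:
        return "trusted"          # the ID is what we trust, whatever the name says
    norm = normalize_name(name)
    trusted_norms = {normalize_name(n) for n in trusted.values()}
    if norm in trusted_norms:
        return "name-collision"   # same name as a trusted extension, different publisher key
    if any(norm.startswith(t) or t.startswith(norm) for t in trusted_norms):
        return "look-alike"       # a trusted name with words added or removed
    return "unknown"


def audit(installed: List[Tuple[str, str]], trusted: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every (name, id) pair in an inventory."""
    return [(name, ext_id, classify(name, ext_id, trusted)) for name, ext_id in installed]


# Constructed placeholder IDs: valid format, not real store IDs.
ID_ADBLOCK = "a" * 32
ID_UBLOCK = "b" * 32
ID_UBLOCK_ORIGIN = "c" * 32
ID_UNKNOWN = "d" * 32

# Trusted list keyed by ID. In practice you would take the IDs from the
# official store pages of the extensions you have decided to allow.
TRUSTED = {
    ID_ADBLOCK: "AdBlock",
    ID_UBLOCK: "uBlock",
    ID_UBLOCK_ORIGIN: "uBlock Origin",
}

# Constructed inventory mixing legitimate and malicious names from the article's lists.
INSTALLED = [
    ("uBlock Origin", ID_UBLOCK_ORIGIN),   # the real one
    ("uBlock Origin", ID_UNKNOWN),         # same name, different key
    ("uBlock Plus", ID_UNKNOWN),
    ("Adblock Pro", ID_UNKNOWN),
    ("HD for YouTube\u2122", ID_UNKNOWN),
]

if __name__ == "__main__":
    for name, ext_id, verdict in audit(INSTALLED, TRUSTED):
        print(f"{verdict:15} {ext_id[:8]}... {name}")
```

The verdicts for the constructed inventory are trusted, name-collision, look-alike, look-alike and unknown. The point of the fallback classification is triage, not trust: a "look-alike" or "name-collision" result tells you why an entry is suspicious, but only the ID match ever produces "trusted".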