Browser Extensions
24 December, 2020: By Ajoy Maitra

Users often add extensions to their browsers to ease tasks such as viewing formats like PDFs, modifying user interfaces, blocking advertisements and many others. However, such extensions can be a source of data leaks and privacy breaches, and in many cases even user credentials may not be safe. Cybercriminals thrive on such extensions, using them to gain access to your system through hijacked URL redirects or to exfiltrate user information.

Malicious code in such browser extensions works by getting users to share their personal information for a purpose they may find useful. That information is then used by the attackers, who either sell it to companies or use it to gain unauthorized access to a system.


Security experts suggest checking before installing browser extensions from unknown developers and before allowing them control of major features such as the microphone, camera or others. According to Avast researcher Jan Rubin,


Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards.

In research by Avast, 28 browser extensions, as of the latest report, have been found malicious, affecting a large portion of the online community. In the past few years, the data of around 4 million users in total has been compromised by browser extensions that collected browsing data and redirected users to phishing websites or ad sites.

Various personal information, such as email addresses, dates of birth, device IDs, login details, browser details and IP addresses, is being tracked by these extensions, mainly on Google Chrome and Microsoft Edge. Avast further specified about the extensions,


The researchers have identified malicious code in the JavaScript based extensions that allows the extensions to download further malware onto a user's PC.

Google On Web Browser Extensions

Google Removes Malicious Browser Extensions

Google is currently deciding whether to impose penalties on InterActive Corp. (IAC) for deceptive marketing strategies and for misleading users with its browser extensions. According to a recent report, Google has removed many such extensions for policy violations and is reviewing other options. According to a statement by a Google spokesperson to Reuters,


We continue to have conversations with IAC related to Chrome Web Store policies and we have already removed a number of their extensions for violating our policies. We're reviewing the remaining extensions and our enforcement options, and have not made a decision regarding IAC's status on the store.

Google is further updating its policies and rules to give users full rights to decide whether an extension has access to user data on websites. Previously, extensions could access all browsing data and monitor the websites visited, with the information shared. As an improvement in 2021, Google's browser will not allow any extension to access user data unless the user has granted it, with a choice of allowing access on all websites or only on a specific domain.



Apart from this, Google Safe Browsing will check extensions before they enter the Chrome Web Store. It will also check whether the user already has any harmful extension installed, potentially blocking malicious activity within the browser to safeguard data security and privacy. As noted on the Google blog by Alexandre Blondin, Product Manager, Chrome,


We've also been improving our developer policies to make extensions more transparent. Starting January 18th, every extension will publicly display its "privacy practices" which will use clear visuals and simple language to explain the data they collect and use.

Microsoft Edge On Browser Extensions


Microsoft has removed 18 malicious browser extensions after detailed investigations. As a Chromium-based web browser, Microsoft Edge has updated its browser extensions with the latest Manifest V3 API, which represents the biggest shift, with enhancements in security, privacy and performance.

The extensions blocked by Microsoft Edge are listed as:


NordVPN

Adguard VPN

TunnelBear VPN

Ublock Adblock Plus

Greasemonkey

Wayback Machine

The Great Suspender

Floating Player - Picture-in-Picture Mode

Go Back With Backspace

friGate CDN - smooth access to websites

Full Page Screenshot

One Click URL Shortener

Guru Cleaner - cache and history cleaner

Grammar and Spelling Checker

Enable Right Click

FNAF

Night Shift Redux

Old Layout for Facebook


If you were using any of these extensions installed directly from the Microsoft Edge Addon store, we suggest removing them from edge://extensions

Manifest V3 is available for use beginning with Chrome 88 and the Chrome Web Store, as they would be modifying their extension rules from January 2021.

As part of the feature summary added in Chrome Developer, a key security improvement in Manifest V3 is that extensions cannot use remotely hosted code; for safety and security, that code is required to be included in the extension's package.
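
As an added illustration (not code from Avast, Google or Microsoft), the following Node.js script audits a parsed manifest.json for the two risks covered above: access to every website, and script sources outside the extension's package. The function name `auditManifest` and both sample manifests are constructed for this example.

```javascript
// Host patterns that grant an extension access to every website.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function auditManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;
  if (mv !== 3) {
    findings.push(`manifest_version ${mv}: remotely hosted code is not ruled out`);
  }
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const hostSources = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const broad = [...new Set(hostSources.filter((p) => BROAD_HOSTS.has(p)))];
  if (broad.length > 0) {
    findings.push(`access to every site requested: ${broad.join(', ')}`);
  }
  // The CSP is a string in MV2 and an object keyed by context in MV3.
  const rawCsp = manifest.content_security_policy;
  const csp = typeof rawCsp === 'string' ? rawCsp : (rawCsp || {}).extension_pages || '';
  const scriptSrc = csp.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('script-src')) || '';
  const remote = scriptSrc.split(/\s+/).slice(1).filter((s) => /^https?:/.test(s));
  if (remote.length > 0) {
    findings.push(`script-src allows code from outside the package: ${remote.join(' ')}`);
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const legacyManifest = {
  manifest_version: 2,
  name: 'Sample Downloader',
  permissions: ['tabs', '<all_urls>'],
  content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const scopedManifest = {
  manifest_version: 3,
  name: 'Sample Reader',
  permissions: ['storage'],
  host_permissions: ['https://docs.example.com/*'],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

console.log(auditManifest(legacyManifest)); // three findings
console.log(auditManifest(scopedManifest)); // no findings
```

An empty result only means these manifest-level checks passed; it says nothing about what the packaged scripts themselves do.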