The other day, a friend called me and said that his Google Chrome browser is acting weirdly and may need reinstalling. According to him, every time he searched for something on Google some unknown website appeared with suspicious results. I asked him to remove every Chrome extension and only add those few that he really needs. But it occurred to me that this friend of mine will probably be hit by more scams brought by other malicious Chrome extensions unless he looks out for a few things.
And I can assure you my friend is not alone.
According to statcounter.com, Chrome has become the de facto standard of browsers with nearly 60 percent of market share across all platforms as of June 2018.
Aside from its speed, ease of use, clean interface, and security, one of the main selling points of Google Chrome is the vast arsenal of tens of thousands of extensions that virtually cover every niche and need. Chrome extensions are fun and make you more productive at the same time. You don’t need to order tailored software for your needs because you’ll find similar ones on Chrome Web Store. Right?
What are Chrome extensions?
Why can Chrome extensions be dangerous?
Chrome extensions are small plugin apps that reside within your browser. Therefore, they could potentially have full access to all your data in your browser, such as the websites you visit, the content of these websites, what you enter in forms (e.g. passwords), and more.
Chrome extensions have a layered permission system that could potentially narrow an individual extension’s access to your data to what the extension really needs. But such a system is only as effective as the people who are using it. If you accept every permission a Chrome extension asks for without a second thought nothing can be done.
While Google scans every Chrome extension that is submitted to Chrome Web Store, there are still some malicious ones that slip through the net. And as if things are not bad enough, Google Chrome allows extensions to be installed from third-party websites through something called the inline install API. The good news is that the search behemoth has announced that this functionality will be gradually phased out. From Chrome 71 in early December 2018, the inline install API for Google Chrome will be completely removed from developers’ options.
But that’s not the whole story. Chrome extensions are automatically updated. So, even if you took the necessary precautions and did your research before installing, the extension could be turned around at a later phase. The extension can also change hands. The developer may sell their extension to another company or it may even get compromised and become the target of a supply chain attack.
All in all, there are a lot of scenarios that could make an extension dangerous, even after it has been installed. So you have to keep an eye on your Chrome extensions, not only when installing, but also after they have been installed.
Things you should check before installing a Chrome extension
Make sure you really need the extension
This one is not about the extension you intend to install but rather proper security hygiene. Every functionality that you add to your system will increase your possible attack surface. There are a lot of cool and funny things out there but if you don’t really need it don’t install it.
Create a dummy Chrome profile to check out possible extensions first
If you are like me, you can’t always adhere to the previous rule. Checking new software is not only fun but may be part of your day-to-day work. After all, how would you know if a Chrome extension will help you increase your productivity without installing it? Creating a new dummy Chrome profile for testing purposes is a reasonable precaution that can help prevent a lot of tears. Separate your real business browser, where you have all your accounts open, from the testing profile and you have added an additional layer of security.
Never install an extension from outside of the Chrome Web Store
Google has already enforced this policy for Chrome extensions that are published after June 12th, 2018. But if you have previously installed an extension from somewhere outside of Chrome Web Store uninstall it now and look for an official alternative on Chrome Web Store.
Google says that by September 12, it will disable this functionality for existing extensions. Regardless of where you click for installing an extension, you will be led to Chrome Web Store and that is a good thing. According to Google, the inline install API that is necessary for installing extensions outside Chrome Web Store will be removed from Chrome 71 altogether in early December 2018.
Google says that the descriptions and feature lists in the Chrome Web Store are vital to help users make informed decisions on whether or not they really need a particular extension.
Please note that developers will still be able to locally install their extensions for testing by enabling developer mode.
Make sure you are installing the right extension
This may sound too easy but it isn’t. Earlier this year AdGuard, a company that offers ad blocking products, revealed a list of five malicious Chrome extensions that in all had compromised over 20 million users. Here’s the list of the malicious extensions:
- AdRemover for Google Chrome™ (10M+ users)
- uBlock Plus (8M+ users)
- Adblock Pro (2M+ users)
- HD for YouTube™ (400K+ users)
- Webutation (30K+ users)
Now have a look at the following list of legitimate extensions:
- AdBlock (10M+ users)
- Adblock Plus (10M+ users)
- AdBlocker Ultimate(750K+ users)
- uBlock (500K+ users)
- uBlock Origin (10M+ users)
- uBlock Plus Adblocker (800K+ users)
- And many, many more…
As you can see, it’s really important to make sure you install the extension you intend to install. It is really difficult to tell the first list from the second. Don’t rely on something you vaguely remember.
Read the extension’s description on Chrome Web Store carefully and read it to the end. One of the reasons Google insists on installing extensions only from Chrome Web Store is that providing a transparent description is mandatory. There may be extensions that aren’t outright malware and pass Google’s security scans but still follow dubious security and privacy procedures like tracking info or data sharing. When you read the extension’s description you’ll be able to assess whether it makes sense to trade off some of your privacy and security for its added functionality.
Check out the extension’s website
Not every Chrome extension has a website. There are some popular ones that are programmed and maintained by individual developers. A professionally made website for a bogus extension is also something that malicious actors can create. But checking the website of an extension gives you a more informed picture and can help you make a better decision. Look out for telltale signs of unprofessional work like spelling mistakes or bad English.
Check the extension’s user number
Avoid extensions which have only a few users. They may be good and innovative projects but if you don’t have the skills or time to thoroughly investigate the extension, don’t bet on that. For common functionalities, there are normally a bunch of extensions for Chrome that vaguely do the same thing. In these cases go with the more popular ones.
Read the extension’s reviews on Chrome Web Store
Malicious actors can and have created good reviews on Chrome Web Store to make their piece of malware look good. If you just see reviews that declare their love for an extension without giving specific use cases and every review gives a five-star rating, think twice before installing. Here are some of the reviews you would have found on AdRemover’s page on Chrome Web Store before it was removed by Google:
Jowanna S. – ★★★★★
“Nice adblocker! Highly recommended for chrome users!”
Ruand S. – ★★★★★
“My favorite ad blocker.”
Lewis A. – ★★★★★
“I hated theese facebook ads so much, so installed ad blocker. Thank you”
Cecilia – ★★★★★
“Excellent Adblocker !! Blocked all the unwanted & irritating pop ups! Never without Adblock.”
Patricia D. – ★★★★★
“Not pestered by anymore unwanted ads. Great app. The best adblock.”
Alden D. – ★★★★★
“I love AdRemover Adblocker. It’s brilliant! It’s also the best. No more ads. User other adblocker but this is good.”
There are always a few users that think they’ve found the next best thing since the invention of the internet, but all in all, citizens of the cyberspace are more tech-savvy than that.
Check the permissions when installing
The permissions an extension asks for should make sense and be as narrow as possible (e.g. a screen capture extension doesn’t need read access to all your data). Keep the extension’s description in mind. If it claims to add functionality to a specific service like Gmail but wants access to all your data on all the domains you visit, don’t install it.
Check the extension’s code
An open infrastructure where you can build on well-known technologies for a software product that is used by over a billion users spurs innovation and diversity. But it’s also a double-edged sword. Google Chrome’s huge user base, ease of extension building, and the relatively liberal guidelines and checks Google has put in place, draw also bad actors to get on for a quick buck.
Don’t get me wrong, but Chrome Web Store is a jungle full of wonders, both good and bad. So if you go out exploring, go prepared and if you decide to take something extraordinary home with you, think twice. It could be a deadly Autumn Crocus flower you’ve picked instead of a Crocus.