If you’re a PC user of a certain age, you probably remember when security focused on apps. What you downloaded and installed was the biggest danger. But even with many services having moved online, that advice still holds true—and that includes browser extensions, too.
Unfortunately, not everyone knows to be careful when expanding Chrome, Edge, Firefox, and other browsers’ capabilities. In the last six months, more than one person has told me about a feature they wanted in Chrome. They were going to add it by installing the first extension they found in the Chrome Web Store, without knowing anything about the add-on.
One person thought the extensions came directly from Google, Microsoft, and Mozilla. The other person assumed that all extensions were vetted and trustworthy. Everyone was surprised to learn sketchy browser add-ons existed, much less that they could be programmed to spy on the unsuspecting. And while browser developers could eventually pull malicious extensions, the speed of discovery wasn’t always fast or predictable.
But why would they be dangerous? It has to do with how they access your PC’s system resources. For insight, I reached out to Mike Danseglio, an ethical hacker and cybersecurity instructor, for his perspective. He’s the kind of guy who goes to Def Con for fun. (That’s the famous annual hacker and security conference in Las Vegas.) He also knows better than almost anyone the kind of hijinks a bad actor can get up to in Windows—he used to work for Microsoft on the operating system’s security features.
His take:
“Browser extensions are strange little beasts. They really are little apps that live in the browser—they have their own API, mini storage allocation, tiny registry, etc. They are typically isolated from raw memory/filesystem/other-app access by the browser itself acting as a barrier. There have been exploits where an extension ‘escapes’ its browser-imposed boundaries and accesses other stuff, like the file system or raw memory [to steal data].”
To explain this a little further: When everything works correctly, a browser keeps everything self-contained. (In fact, modern browsers even isolate individual tabs from one another—what happens in one tab should not be viewable by another.) Anything happening within the browser should not be able to access your PC’s broader system resources or other installed apps. If it manages to do so, a bad actor can use that opportunity to spy on other activity on your computer, like capturing your passwords, rifling through your files, and more.
Accordingly, Danseglio gave me this advice:
“Ultimately, this is the way I look at it: A browser extension is software, like any other. I assume all browser extensions can communicate with other apps, access memory, and do whatever a standalone app can do. So I’m just as careful installing and using a browser extension as I am with any other app.”
If it helps you wrap your brain around it—think of Windows, browser, and browser extensions as a set of nesting dolls. Your browser is an app within Windows; your extensions act like apps within the browser. Those add-ons are not supposed to escape their confines, but they sometimes can because the browser’s code accidentally allows it.
That’s why you see so many articles on the web, including some from me, recommending caution when installing browser extensions. The tips often cover the same ground: You should only ever install from the official extension or add-on “stores” (e.g., Chrome Web Store), check for reviews from trusted publications (not just user reviews), look at the number of users, and so on.
But I actually go one step further, and keep my installs to an absolute bare minimum. (I literally have just two for the browser I’m using to write this story.) Because even when you download from the Chrome Web Store or the equivalent, even when the add-on has hundreds of thousands of users, even when the extension performs as advertised, you can still end up falling prey to malware. Heck, legit add-ons can become scummy overnight—taken over by hackers and updated with dirty code.
The only way to be sure an extension can’t mess with you or your PC is to just never install it at all. You don’t have to be as minimalist as I am, but consider your lineup carefully. And be regular about uninstalling anything you’re no longer using.
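One practical way to act on that last piece of advice is to put your lineup in front of you and read what each extension asks for. The script below is an added example, not something from the article or from Danseglio, and it assumes Chrome’s default profile layout on Windows (`%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json`). It walks that folder, reads the newest `manifest.json` for each installed extension, and flags any that request host patterns covering every site you visit. The two extensions it inventories in `demo()` are constructed sample manifests, not real add-ons.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_chrome_extensions_dir():
    """Default Chrome profile's extension folder on Windows (assumed layout:
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions)."""
    local = os.environ.get("LOCALAPPDATA")
    if not local:
        return None
    return Path(local) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"


def _version_key(manifest_path):
    # Version directories look like "1.2.3_0"; compare them numerically so that
    # "10.0_0" sorts after "9.0_0" (a plain string sort gets this wrong).
    return [int(n) for n in re.findall(r"\d+", manifest_path.parent.name)]


def inventory_extensions(extensions_root):
    """Return one record per installed extension, read from its newest manifest.json."""
    root = Path(extensions_root)
    records = []
    if not root.is_dir():
        return records
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        manifests = list(ext_dir.glob("*/manifest.json"))
        if not manifests:
            continue
        newest = max(manifests, key=_version_key)
        try:
            manifest = json.loads(newest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it rather than abort the audit
        # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
        perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        # Some permission entries are objects rather than strings, so only test the strings.
        broad = any(isinstance(p, str) and p in BROAD_HOST_PATTERNS for p in perms)
        records.append({
            "id": ext_dir.name,
            "name": manifest.get("name", "(unnamed)"),
            "version": manifest.get("version", "?"),
            "manifest_version": manifest.get("manifest_version"),
            "permissions": perms,
            "broad_host_access": broad,
        })
    return records


def build_sample_tree(base):
    """Write a constructed Extensions/ tree with made-up manifests (demo data, not real add-ons)."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.4.0_0": {
            "manifest_version": 3, "name": "Sample Tab Tool", "version": "1.4.0",
            "permissions": ["tabs", "storage"], "host_permissions": ["https://example.com/*"],
        },
        # Two versions of the same sample extension; the inventory must pick 10.0, not 9.0.
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/9.0_0": {
            "manifest_version": 2, "name": "Sample Everything Reader", "version": "9.0",
            "permissions": ["<all_urls>"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/10.0_0": {
            "manifest_version": 2, "name": "Sample Everything Reader", "version": "10.0",
            "permissions": ["<all_urls>", "webRequest", {"fileSystem": ["write"]}],
        },
    }
    for rel, manifest in samples.items():
        folder = Path(base) / rel
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(base)


def demo():
    """Build the sample tree in a temporary folder, inventory it, and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_extensions(build_sample_tree(tmp))


if __name__ == "__main__":
    target = default_chrome_extensions_dir()
    records = inventory_extensions(target) if target and target.is_dir() else demo()
    for r in records:
        flag = "  <-- can read and alter every site you visit" if r["broad_host_access"] else ""
        print(f'{r["id"]}  {r["name"]} {r["version"]}  perms={r["permissions"]}{flag}')
```

Run it on a machine with Chrome and it lists your real lineup; anywhere else it falls back to the constructed sample. A flagged entry is not proof of anything bad, since a legitimate ad blocker or password manager genuinely needs broad access, but it is the shortlist to weigh against how much you actually use each one. Note that some manifests give the name as a localized placeholder such as `__MSG_extName__`; the script prints that placeholder as-is rather than resolving it from the extension’s `_locales` folder.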