Why you should avoid most Chrome extensions !

Most of Chrome extensions have full access to your emails 📧, banking information 💰, family photos 🖼 and browser history! In this story, I will explain to you why you should pay attention to Chrome extensions. Most extensions abuse permissions by asking you for full access to your data

Why this 3 extentions have full access to my Netflix account… ??

Extensions can access everything !

Most of the Chrome extensions you installed on your browser can read all of your browser data 😦. Because you enter your credentials to access to confidential websites (like gmail, or your bank account). Each extension can read this data like you. What you see 👀, and what you write ⌨️ can be read by most of your extensions.

So when you are writing an email, connecting to your banking account, planing a trip or viewing the results of your last health check… Extensions are allowed to access this data. You can imagine someone behind you, who can look at your screen!

Why do Chrome extensions have full access to my data?

It’s possible only because you accept it ✅. (but you don’t really have the choice). Look at this screen below.

To install this extension you have to give permission to access your clipboard, and all your data on the websites you visit.

Google reviews each extension but an extension can load dynamic code. That means the code inspected by Google cannot be shown by the Chrome validation teams and can change without any validation from Google.

Google asks for an honor declaration about extension permission… So you have to trust the publisher…

To the bottom, the information is read and stored by the extension. This information is only a declaration from the publisher. You have to trust him 🙏🤐 — Look at the “Keystroke logging”, → the publisher can record your keyboard even when you are typing your password.

You think it is only a few extensions that abuse permission? Take a look on the Chrome Store and try to install some extensions. You will be really surprised

Here are some extensions that ask you the permission to access to every website you visit…

Of these four extensions chosen randomly on the Chrome Store, can you explain to me why they need access on each website I visit? There are a lot of articles on the web that tell story about malicious extensions, here or here.

How to recognize safe extensions ?

You can find safe extensions on Chrome Store but it’s a little more difficult 🥴. I will help you to recognize safe extensions with this example below.

Here are 4 safe extentions, because they ask only what they really need

To recognize safe extensions you have to pay attention to the permissions, and try to understand why they need this permission.

Weet case

On the top left you have Weet, a really good screencast recorder 😍. This extension asks to access only on one website, and if you look at the url it’s the website of the app (https://app.weet.co) ✅. That means the extension is really safe and cannot view other website.

Zoom case

Everyone knows Zoom takes some “shortcuts” with security, but their extension is good. It asks to access more than the website but if we analyze the features of the app we can understand why they need this access:

• zoom.com, like Weet the extensions need to communicate with the publisher website. ✅
• calendar.google.com, this extension wants to schedule zoom meeting, so it’s normal for Zoom to request access to your calendar ✅
• www.google.com and www.gstatic.com, I suppose Zoom sends some statistics to Google 🤩 but it stills safe. ✅

⚠️ Be careful if a website ask for *.google.com that means the extensions can access all Google services (gmail, meet, drive … ) and in this case you have to find a strong justification for that 😀

Screencastify and Giphy

Screencastify, another screen recorder, asks to capture your screen, which we can consider as normal for a screen recorder 😝 ✅.

Giphy for chrome asks to manage your downloads but we can consider as normal to quickly download a GIF for example ✅.

How can I manage that?

1 — Pay attention to which extension you install(ed) and always ask the question “why does this extension needs this authorization?”. If you can’t justify the authorization, don’t install it and check the concurrency. The Chrome Store has a lot of extensions and I’m sure you will find an extension with fair permissions 😀.

2 — There is a hidden option on chrome to restrict access by an extension. These options give authorization to an extension only when you click on it. You just need to copy paste this url in your browser “chrome://extensions/” and click on the extension. On the middle of the page you can change the authorisation to “click only”.

How to restrict extension access to my data on chrome

3 — Use incognito mode. By default extensions are disabled when you are in incognito mode, so you can manage your sensitive data with this strategy. Or like me, you can just use a second browser without extention for your sensitive data.

Deactivate an extension in incognito mode (This is the default option) 🙈

Conclusion

Google tries to make some efforts to avoid “malware extensions” but without real engagement 🤷‍♂️. Most of the time, extensions ask for full permissions to avoid some technical issues because the list of authorizations isn’t accurate enough.

Let me show you some examples:

• If I want to develop a video downloader extension : I would like to access to the video on a webpage. But for that I have to ask the Google Chrome Store access to the full content😦. @Google Developers an authorization, to access video only, can be a good idea?
• If I want to develop a spellchecker: I would like to access only the editable content of a webpage. Also for that I have to ask the Google Chrome Store for access to the full content 🤯. @Google Developers an authorization, to access to editable content only, can be a good idea?

So I recommend to paying attention when you install Chrome extensions. Especially if you give permissions and don’t really know why your data is grabbed by this extension. The best protection🛡is to avoid installation 😀 or allow authorization only on click.