6 Ways Browser Extensions Stole Your Data Over the Years

From last week’s bombshell of a report about browser extensions leaking data from Fortune 100 organizations to news of data brokers buying extensions, we take a small trip through the articles that have been warning us for years about the dangers of browser extensions. After reading this, let’s be honest, you’ll probably do nothing. But, if you’re alarmed by any of this (and you should be), let us help your organization get a handle on which browser extensions are running in your environment.

6: Web of mistrust

Back in 2016, an extension called Web of Trust was found to not only be selling the browsing histories of its users, but also taking no steps to ensure the anonymity of that data. Doubly infuriating to its users, the extension was meant to evaluate the trust and reputation of other parties on the web.

Security researchers were able to identify over 50 individuals from their browsing histories, showing us that “oh crap, URLs carry a lot of private information!” But if you took a look at their privacy policy, you’d find that they told you what they were doing.

Learned:

  • Browsing history is not anonymous
  • Always verify the privacy policy

Source: Web of Trust browser extensions yanked after proving untrustworthy

5: Selling out

An independent Chrome extension developer had built a useful extension to augment YouTube. The extension grew in popularity and served its users well until someone came knocking to buy the extension. The original developer sold the extension and, in short order, it was updated with malicious code that sent browsing history back to its new overlords.

Because the extension had an existing install base and brand, the new owners were able to simply push an update to start collecting data. From the users’ perspective, the extension simply asked to be granted more permissions, a warning which most users likely ignored as they clicked “OK.”

Learned:

  • Extensions can be sold, and it turns out there’s a market for them
  • We can’t trust an extension from one version to the next. It could have changed owners, or the original developer could have been co-opted by the dark side.

Source: "Particle" Chrome Extension Sold to New Dev Who Immediately Turns It Into Adware
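The only signal users got in the case above was a request for more permissions on update. As an added example (not from the original article), this Python script compares two versions of an extension's manifest.json and flags newly requested access to browsing activity. The sample manifests are constructed, and the choice of which permissions count as sensitive is an assumption.

```python
import json

# Real Chrome permission names; which ones to flag is this example's assumption.
SENSITIVE = {"history", "tabs", "webNavigation", "webRequest", "cookies", "browsingData"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested_access(manifest):
    """Collect API permissions and host patterns from an MV2 or MV3 manifest."""
    apis, hosts = set(), set()
    for entry in manifest.get("permissions", []):
        if not isinstance(entry, str):
            continue
        # MV2 mixes host patterns into "permissions"; MV3 moves them out.
        (hosts if "://" in entry or entry == "<all_urls>" else apis).add(entry)
    hosts.update(manifest.get("host_permissions", []))
    # Content scripts read page content on every URL they match.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return apis, hosts

def diff_versions(old, new):
    """Return what the new version requests that the old one did not."""
    old_apis, old_hosts = requested_access(old)
    new_apis, new_hosts = requested_access(new)
    added_apis = new_apis - old_apis
    added_hosts = new_hosts - old_hosts
    return {
        "added_apis": sorted(added_apis),
        "added_hosts": sorted(added_hosts),
        "sensitive": sorted(added_apis & SENSITIVE),
        "broad_hosts": sorted(added_hosts & BROAD_HOSTS),
        "review": bool(added_apis & SENSITIVE or added_hosts & BROAD_HOSTS),
    }

# Constructed sample manifests, not taken from any real extension.
OLD = json.loads("""{"manifest_version": 2, "name": "Video Helper", "version": "1.4.0",
  "permissions": ["storage", "https://video.example/*"],
  "content_scripts": [{"matches": ["https://video.example/*"], "js": ["ui.js"]}]}""")
NEW = json.loads("""{"manifest_version": 2, "name": "Video Helper", "version": "1.5.0",
  "permissions": ["storage", "tabs", "webRequest", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["ui.js", "t.js"]}]}""")

if __name__ == "__main__":
    print(json.dumps(diff_versions(OLD, NEW), indent=2))
```

Run against the previously approved manifest and the updated one, a `review` value of true marks an update to hold until someone has looked at it.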

4: What’s in a name

If you wanted to publish a malicious, data-collecting, privacy-violating extension, why put in all the hard work of engineering a useful product and marketing it? Instead, just copy an open-source extension, add your malicious code, and...
