Are Browser Plugins a Necessary? Evil?
Aaron Birnbaum
Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA Thoughts, opinions, rants, etc. are my own and are in no way affiliated with any employer/partner/contractor/babysitter/relative
This weekend, I was doing a little 'housekeeping', and went through an old machine. I was looking at my Google Chrome Browser, and pulled up all the plugins. What to my surprise did I see on a VPN plug in: A red triangle with an exclamation point and the words, "This extension contains malware." ..............(Yessss the Irony is strong with this one).
My mind immediately thought several things at the same time:
- Who does quality/screening for plugins in the store? What does this process look like?
- How can you know enough about my browser to feed me this warning (I am pretty sure I wouldn't have downloaded this if the warning had been there previously)?
- What else do you know about my plugins? My browsing history?
- Why didn't Elton John go with 'John Elton'?
- Where's my Adderall?
So I started to review a few other plugins, and saw something that I found 'concerning'. Many/most plugins were asking for a LOT of permissions to install, so they could 'function properly'.
What exactly is 'a lot'? Well, take a look at the screenshot above from this VPN Chrome extension:
- Read and change all your data on the websites you visit
- Display notifications
- Manage your apps, extensions and themes
WHY would I ever give a plugin the ability to read and CHANGE my data on the sites I visit?! Or manage my other apps, extensions and themes (keep in mind that this particular plugin was supposed to keep my communications private and secure)?
The answer is.....Because apparently we don't get a choice. Any extension that interacts with websites will almost always require “Read and change all your data on the websites you visit” permission.
Our good friends over at howtogeek.com also explained that Chrome is one of the few browsers that asks for your permission, instead of just blindly installing it.
Chrome has a permission system for its extensions, while Firefox and Internet Explorer don’t. Every Firefox and Internet Explorer extension has full access to the entire browser, and can do anything it wants.
OK...so Explorer, Firefox, all Chromium based browsers, etc. are just installing extensions without even asking me for my permission or telling me what they are able to do. Huh, good to know. Time to go dig out my Netscape 3.0 floppy disk.
So what should you do when faced with this scary warning? Theoretically, don't worry (LMAO). Any 'store' that offers browser extensions should have a screening criteria monitored by the company, and the ability to remove bad extensions. Obviously, the reality is different.
(One day, when I get around to telling how hard it was to get my Zombie Scanning App approved by the Apple Store, you'll really appreciate this irony. I was rejected several times for making false promises that the hardware was not really capable of scanning a person to see if they were a zombie. It took numerous emails to explain the history of zombies, and that they were, in fact, not real. It's a good story, but back to the show).
The 'best practice' is the usual when installing software. Ask if you really need it, is there an alternative? And is it worth the risk? May want to run some anti-virus/malware scans on your device after installing it - just to be safe.
Something to think about when you're not freaking out about all the others...