Are Google Chrome Extensions Safe? What You Need To Know Before Installing

From changing Chrome's theme to checking your grammar, Chrome extensions wear many hats. They're so useful that many would consider them among the tips, tricks, and shortcuts every Chrome user should know about. You can use these small software programs to customize your browsing experience and improve its functionality. So, if you want to up your productivity game, you might download an extension that helps you get organized and automate repetitive tasks. Or, if you need to improve your communication with coworkers, you might choose an extension that sends you an alert when you receive a new email to ensure you never miss an important message. If you've browsed the Chrome Web Store, you've probably noticed that there are extensions for just about everything, even one that lets you play a 3D box-jumping game to help you break up the monotony during your workday.

As helpful as all of these extensions are, installing them on Chrome raises some serious questions about just how safe they are. After all, according to Google, there are over 250,000 extensions available in the Chrome Web Store. A wide range of developers and large software companies design these extensions, and the Chrome store has a review process that helps to ensure they're safe. However, as with all things on the internet, malicious extensions can slip through the cracks from time to time, making it important for users to proceed with caution when adding extensions to Chrome.

What are the risks of Chrome extensions?

While Chrome extensions are generally safe, whenever you allow a third party to install something on your browser, there's a risk that it'll introduce security vulnerabilities. One of the beauties of the Chrome Web Store is the number of extensions available from different developers, but this is also one of its biggest problems. As much as Google tries to keep tabs on the various extensions in its web store, Spin.ai estimates that nearly 51% of all browser extensions from Google and Microsoft are high-risk. Spin.ai bases its assessment on extensions being able to access high levels of content, which in turn allows them to capture sensitive data or execute potentially harmful JavaScript code. 

The biggest problem with Chrome extensions is the permissions you grant them to access and modify website data, including sensitive information like passwords or credit card data. Researchers at the University of Wisconsin found that 17,300 or 12.5% of extensions available for Chrome had permissions that could allow them to extract this sensitive data from websites. If one of the essential extensions every Google Chrome user should have says it needs permission to "read and change all your data on the websites you visit," then once you install it, it might be able to access your personal details, login credentials, and more. However, just because an extension requires this permission doesn't mean it's up to no good. Sometimes, it's as simple as the extension needing this information to do its job.

Hidden threats: Malicious extensions

Besides keeping an eye out for the permissions the Chrome extensions you're considering require, you also should pay close attention to whether the extension you're about to download is even legit. Bad actors sometimes disguise extensions as legitimate tools but then use them to do things like steal data or inject ads into the websites you're visiting. As you can imagine, these malicious extensions can compromise your security in several ways, including harvesting your personal information, keylogging, or executing man-in-the-middle or other types of cyberattacks. As these malicious extensions have become more sophisticated, they've become much harder to detect.

You should also keep an eye out for clone extensions that look like popular extensions but contain malicious code. Since they look just like the real thing, these extensions can be especially hard to detect. While having a large user base and high ratings is usually a good sign that an extension is legit, that's not always the case. In 2023, cybersecurity researcher Wladimir Palant discovered the extension "PDF Toolbox" was loading arbitrary code from suspicious websites onto each and every website its users viewed. Google removed the problematic extension following the Palant study, and another group of experts published a paper on the topic. However, what happened with "PDF Toolbox" serves as an important warning about the possible pitfalls of downloading Chrome extensions.

How to vet Chrome extensions before installing

After reading this, it may seem like nothing good can come from installing Chrome extensions; however, that's not always the case. While you should do your homework and exercise some healthy skepticism before installing extensions, there are many extensions that are perfectly safe to use. To keep yourself safe before installing an extension, you should verify the developer's credibility. You can do this by checking the product description and looking for things that suggest they might share your data or track browsing activity. You should also check out their website and never install extensions from unknown developers.

Although reading user reviews isn't a foolproof way to avoid malicious extensions, as we learned from the "PDF Toolbox" example above, they can be a valuable tool for vetting extensions before you install them. If users have had a negative experience with an extension, they'll often write a review to warn others. If you notice that the extension you're thinking about downloading has several negative reviews, or reviews that mention it using data in inappropriate ways, it's best not to download it. Instead, you should search for a similar extension with better ratings.

You should also pay close attention to the permissions an extension requests. If they seem excessive or irrelevant to how the extension functions, that could be a sign of potential misuse. For example, if an extension for managing bookmarks requests access to all of your browsing data, that's a red flag.
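The permission check described above can be run against an extension's manifest.json, the file where it declares what it requests. The following is an added example, not code from this article or from Google; the function name auditManifest, the lists of flagged values, and the sample manifest are assumptions constructed for illustration.

```javascript
// Match patterns that cover every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that expose browsing data or page content (illustrative list).
const SENSITIVE_APIS = new Set([
  "tabs", "history", "cookies", "webRequest", "scripting",
  "debugger", "clipboardRead", "management",
]);

// Return one finding per broad host pattern or sensitive API the manifest requests.
function auditManifest(manifest) {
  const findings = [];
  const lists = {
    permissions: manifest.permissions || [], // Manifest V2 also lists hosts here
    optional_permissions: manifest.optional_permissions || [],
    host_permissions: manifest.host_permissions || [], // Manifest V3
    optional_host_permissions: manifest.optional_host_permissions || [],
  };
  for (const [field, values] of Object.entries(lists)) {
    for (const value of values) {
      if (typeof value !== "string") continue; // ignore malformed entries
      if (BROAD_HOSTS.has(value)) {
        findings.push({ field, value, reason: "all-sites host access" });
      } else if (SENSITIVE_APIS.has(value)) {
        findings.push({ field, value, reason: "sensitive API" });
      }
    }
  }
  // Content scripts run inside pages, so their match patterns grant the same reach.
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const value of script.matches || []) {
      if (BROAD_HOSTS.has(value)) {
        findings.push({ field: `content_scripts[${i}].matches`, value, reason: "all-sites host access" });
      }
    }
  });
  return findings;
}

// Constructed sample: a bookmark manager that asks for far more than bookmarks.
const sampleManifest = {
  manifest_version: 3,
  name: "Example Bookmark Organizer",
  permissions: ["bookmarks", "storage", "history", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
console.log(auditManifest(sampleManifest));
```

Each finding is a prompt to ask whether the extension's stated purpose needs that access; wildcard patterns narrower than the four listed (for example, all subdomains of one site) are not flagged by this sketch.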

Best practices for using extensions safely

If you've decided to use extensions for Chrome, one of the most important steps you can take to keep yourself safe is to only install them from trusted sources like the Chrome Web Store. Doing so ensures the extensions you choose have undergone at least some security checks, something that can't be guaranteed when you install extensions from a third-party website. You shouldn't just install Chrome extensions and forget about them. Instead, you should review the extensions every now and then to make sure you still need them, review their permissions, and check for suspicious behavior. You can do this through Chrome's extension menu where you can look for any unfamiliar or unnecessary extensions. When you remove extensions you're not using, you reduce your browser's attack surface, which can help keep you safe while browsing the web.

If you still have questions about a Chrome extension after checking out the developer and their website, you can use security tools like CRXcavator to gather more information on whether it might be a security threat. Depending on how many extensions you use, there's a chance you might run into one that appears harmful. When that happens, you should report it to Google. Doing this allows Google to investigate the extension in question and remove it from the Chrome Web Store if necessary.