

Worried about your online privacy? Check your browser extensions 👀
We all know they’re useful, but they might be selling your data.
One of the most common complaints from users when browsing the internet on a smartphone or tablet is the lack of extensions. And we can’t blame them, because the browsing experience can improve when you have them enabled: don’t want to see ads? uBlock. Looking for a discount code? Honey. Want help managing passwords? LastPass (or Vaultwarden). Need to surf from another country? VPN. There are literally millions of them.
The usefulness of browser extensions is undeniable: you can work faster, be more productive or improve attention, but have you ever asked what sort of data these extensions collect? Do you know which browser components the extension needs to interact with? The Tweet below got me thinking:
More than 21’000 likes is no joke: this interests a lot of people.
Let’s take a quick look at one of the top extensions: Honey. Owned by PayPal, this extension is made to “Automatically find and apply discounts when you shop online”. Below is what the Privacy tab from the Chrome Store looks like:

This is a lot of data being collected to give you just a discount code.
An open window to your browser
By design, extensions plug into your browser and require access to different functionalities so they can replace and interact with items on a page, access settings or use local features (like the camera or microphone). When an extension is enabled, it can do what you expect it to do, but also anything else its permissions allow without you knowing - this is where it becomes shady.
In total, there are 42 different permission types that an extension can request, for example:
webRequest - Allows app or extension to observe and analyze web traffic. It also intercepts or modifies in-progress requests.
system.network - Allows app or extension to query metadata about the system's network.
geolocation - Allows app or extension to get the user's current location.
clipboardRead - Allows app or extension to read the contents of the clipboard at any time.
desktopCapture - Allows app or extension to capture screen, window, or tab content.
This makes it possible for extension developers, if given the right permissions, to capture the content of the pages you open, regardless of the extension being in use, as long as it’s enabled.
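To see which of these permissions an installed extension actually declares, you can check its `manifest.json`. The script below is an added example, not code from any extension or from Chrome; the list of "every site" host patterns and the sample manifest are assumptions made for the illustration.

```javascript
// Permissions named in the article, with its descriptions (shortened).
const RISKY_PERMISSIONS = new Map([
  ["webRequest", "observe, intercept or modify web traffic"],
  ["system.network", "query metadata about the system's network"],
  ["geolocation", "get the user's current location"],
  ["clipboardRead", "read the clipboard at any time"],
  ["desktopCapture", "capture screen, window or tab content"],
]);
// Assumption (not in the article's list): match patterns that cover every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 mixes API and host permissions; V3 splits hosts out. Optional ones count too.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const p of new Set(declared)) {
    if (typeof p !== "string") continue; // skip non-string entries
    if (RISKY_PERMISSIONS.has(p)) {
      findings.push({ item: p, reason: RISKY_PERMISSIONS.get(p) });
    } else if (BROAD_HOSTS.has(p)) {
      findings.push({ item: p, reason: "host access to every site" });
    }
  }
  // Content scripts run inside every page their match patterns cover.
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (BROAD_HOSTS.has(pattern)) {
        findings.push({ item: `content_scripts:${pattern}`, reason: "script injected on all sites" });
      }
    }
  }
  return findings;
}

// Constructed sample manifest, not a real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Coupon Finder",
  permissions: ["storage", "webRequest", "clipboardRead"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

For a real extension, pass the result of `JSON.parse` on the `manifest.json` found in its install folder.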
A privacy nightmare
In 2019, North Carolina State University researchers tested how many of the 180,000 available Chrome extensions leak data. They found 3,800 such extensions — and the 10 most popular alone had more than 60 million users.
Selling data to third-parties
According to Alexandros Kapravelos, a computer science professor who worked on the study referenced above, “Not all of these companies are malicious, or doing this on purpose, but they have the ability to sell your data if they want”.
If an extension is used widely enough, very useful data is collected during its usage, such as time on site, pages per user, location, page views, etc. Alone, these are just regular statistics, but they are extremely valuable for companies like SimilarWeb, which display estimated traffic for a multitude of websites. Ever wondered where all their data comes from? Now you know (worth the read, it’s very shady).
Moreover, even if the extension’s developer confirms today that they don’t sell data, the extension can very well be sold to another company, which then inherits all your data.
They can inject affiliate IDs into your links
Because extensions can manipulate pages to provide their features, and in ways you’re not even aware of, they can do stuff like this:
Researchers at McAfee have discovered five Chrome browser extensions that track users’ browsing activity. The developers of these five extensions were discreetly inserting affiliate IDs into cookies of eCommerce sites to earn affiliate income based on user purchases.
This means that if you had one of these extensions installed, every time you clicked on an Amazon link, it would inject the Affiliate ID of the extension developer. The DOM manipulation would have been as simple as adding a ?affiliate_id=malicious to the URL:
https://www.amazon.com/product-name?affiliate_id=MALICIOUS_ID
For the user there was absolutely no change. For the developer, if done at scale, it was a very profitable business.
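One way to spot this kind of rewrite is to compare a link as it appears in a clean browser profile with the same link in a profile that has extensions enabled. The check below is an added example, not code from the McAfee research; the function names and the sample link pairs (including `PUBLISHER_ID` and `ref=home`) are constructed for the illustration.

```javascript
// Diff the query string of one link: as served vs. as observed in the page.
function queryChanges(servedHref, observedHref) {
  const served = new URL(servedHref);
  const observed = new URL(observedHref);
  // A different host or path is a redirect/rewrite, not a parameter injection.
  if (served.origin !== observed.origin || served.pathname !== observed.pathname) {
    return { sameTarget: false, added: {}, changed: {} };
  }
  const added = {};
  const changed = {};
  for (const [key, value] of observed.searchParams) {
    if (!served.searchParams.has(key)) {
      added[key] = value;
    } else if (served.searchParams.get(key) !== value) {
      changed[key] = { from: served.searchParams.get(key), to: value };
    }
  }
  return { sameTarget: true, added, changed };
}

// Keep only the links whose target or query string was touched.
function flagRewrittenLinks(pairs) {
  return pairs
    .map(([served, observed]) => ({ served, observed, ...queryChanges(served, observed) }))
    .filter((r) => !r.sameTarget || Object.keys(r.added).length || Object.keys(r.changed).length);
}

// Constructed sample: [link from a clean profile, same link with extensions enabled].
const SAMPLE_LINK_PAIRS = [
  ["https://www.amazon.com/product-name",
   "https://www.amazon.com/product-name?affiliate_id=MALICIOUS_ID"],
  ["https://www.amazon.com/other-product?affiliate_id=PUBLISHER_ID",
   "https://www.amazon.com/other-product?affiliate_id=MALICIOUS_ID"],
  ["https://www.amazon.com/untouched?ref=home",
   "https://www.amazon.com/untouched?ref=home"],
];

console.log(JSON.stringify(flagRewrittenLinks(SAMPLE_LINK_PAIRS), null, 2));
```

The second pair covers the case where an existing affiliate ID is overwritten, which takes the commission away from the site that referred you.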
Extensions make browser fingerprinting easier
One of the (many) ways to achieve reliable browser fingerprinting is through the extensions installed on your browser. This technique is used to uniquely identify you amongst many other users without using cookies, and the mere use of certain extensions can contribute to a more accurate identification (we will write more about browser fingerprinting in the future).
In Chrome’s defense, there have been improvements and extra security measures to make sure that developers follow the minimum privacy and security standards. However, to the question « Do you sell your data to third-parties? » the answer can be just « No ».
The problem is that in an environment full of small companies and independent developers, there’s really no way to confirm these claims are true, especially when a lot of the developers are small companies or individuals that don’t really make any revenue from this. Moreover, it can be that they are not selling the data, but it doesn’t mean they are not seeing it.
Confirm the source and enable it only for a short period of time
It’s perfectly understandable that you want to use an extension to assist you with some task, but first, consider if:
You really need it
If you need it, should it be always activated?
The source of the extension is known and reputable
The extension developer’s privacy policy clearly states they are not selling your data, even if anonymous.
Privacy issues with browser extensions are not a topic we see written about every day, but they are a much more serious problem than they seem. Use them carefully and your privacy will thank you.
Sources:
My browser, the spy: How extensions slurped up browsing histories from 4M users (Ars Technica)
Malware in open-source web extensions (lwn.net)
What is Browser Fingerprinting? What It Is And How To Stop It. (Pixel Privacy)
"Stylish" browser extension steals all your internet history (Robert Heaton)
I found your data. It’s for sale. (Washington Post)
Five Chrome Extensions Found Collecting User Data Discreetly: Remove Them Now! (Spiceworks)