/ Technology

How safe are web browser extensions?

Web browser extensions can generate discount codes for retail sites, add features to your email app of choice and help you scribble down a to-do list in a couple of clicks. But are they safe to use?

Helpful add-ons sound great, but when you consider that you’ll have to part with your data to install many of them, It raises some very interesting questions over privacy

What can they do?

There are thousands of web browser extensions out there, and most of them are free to download. They’re supported by all the popular browsers, such as Microsoft Edge, Firefox and Google Chrome.

The Editor’s Picks section on the Google Chrome web store is updated every so often with some new options to take a peek at. This month, we’ve spotted:

LastPass – a password manager that saves your passes and logs you in automatically when you visit certain sites.

Save to Pocket – quickly save a web page or news story so you can revisit it on your smartphone, even without an internet connection.

My Cats – get treated to an adorable cat picture every time you open up a new tab!

Just recently, a coder shared his progress on an ‘experimental’ Chrome extension called FacePause, which uses your webcam to pause videos when you look away from your screen.

Would you be happy giving your web browser access to your webcam? I’m not sure I would.

Sharing your personal data

Every time you install a browser extension, you give that app permission to access your information.

By installing free grammar-checking app ‘Grammarly’, for example, you agree to the group’s terms and conditions, which means the following information will be collected: your username, email address, contact preferences, payment information (for paying users only), geographic information, ‘any user content you add to your account’, activities you perform within your account and the type of hardware and software you use.

That sounds like a lot of data, but it’s pretty typical for a Google Chrome extension to request these things.

Extensions and malware

With browser extensions getting increasingly popular, malware makers are getting creative. We’ve seen countless cases where a malicious Chrome extension has made its way onto Google’s download page, disguised as a legitimate tool when it’s actually stealing personal data without permission.

Earlier this month, cybersecurity group Radware reported on a damaging extension that managed to infect more than 100,000 users in over 100 countries.

Dubbed “Nigelthorn”, unsuspecting users on Facebook were lead to a URL supposedly linking to a YouTube video. However, the website was a fake, encouraging users to install a Chrome extension to play the video on the page. Once installed, the extension hijacks the user’s PC and uses its processing power to mine cryptocurrency, thus slowing down the PC to the point where it’s practically unusable.

Have your say

I’ve used my fair share of browser extensions in the past, with one of my favourites, Evernote, letting me quickly share files between my mobile and my PC, but should I rely less on apps that require so many data permissions?

What are your thoughts on sharing data with developers if it means having access to a genuinely useful browser extension? I’d love to hear your thoughts.


As the Regulars here know this is my favourite subject , over the years I have gone through more browsers than people have had hot dinners , trust them ? not in this world . Of course browser extensions gather data from you anybody who,s added one gets the warning box shoved straight in your face . I dont have Google anything on my PC ,as the biggest tracker in the world after our security services its known as “the world default tracker ” as most computers have Google something in them and as for Google Maps well install it and say goodbye to your location Now some popular web browsers are “banning ” extensions under the heading of “security ” which sounds great but deeper investigation finds that what they are doing is blocking your blockers from stopping them tracking you and selling your data to third parties . As the convo article says “approved ” browser extension websites are hacked continually I keep getting all the info on malware planted on them and virus infested extensions/fake websites and its continuous, never-ending. I only have three extensions but I had to fight to install them , my default browser is Yandex but even it tracks you like Google and visiting git hub to install their new extension I was greeted with Yandex telling me “its not compatible and CANT be installed , ignoring convention is my middle name I was able to install it anyway . I keep FF as a spare but use the stripped down version without all the tracking/blocking -Waterfox and two other small browsers . Dont think for a minute that unticking boxes on browsers stops them tracking you ,it doesnt , even FF “phones home ” on power up and they all tell you its for your protection ” bull ! its for their profit. So yes extensions ( normal ones ) do track you and could be unsafe but they pale into insignificance in relation to what the actual browser gathers unbeknown to you.

Firefox doesn’t track you!

[Sorry, your comment has been edited to align with our community guidelines. Please keep comments polite. https://conversation.which.co.uk/commenting-guidelines/. Thanks, Alex.]

Your opinion isn’t supported by scientific fact Larry but conjecture and belief on the advertising by Mozilla , it “phones home ” on startup which is not publicized for a start . You do know that ticking the box DO NOT TRACK is only voluntary and websites can ignore it —dont you ? and why put that there if ,as you say, FF doesn’t track you ?

[Sorry, your comment has been edited to align with our community guidelines. Please commments polite. https://conversation.which.co.uk/commenting-guidelines/. Thanks, Alex.]

I dont usually reply in that nature but the rudeness of the remark left me no option.

If you look at FF T& C,s you will find they admit they track you.

Removing both discourteous comments seems the best solution. Has that happened between USA and N. Korea?

More or less, I think, Malcolm. Both sides were posturing for home consumption and the fundamentals are strong so neither side wanted to be the one to pull the plug on a dialogue. Trump might have his eye on a peace prize one day – such is his ego it knows no bounds. Be funny if the other man got it.

The only browser extension I have installed is one to auto-refresh browser pages in Safari. I often leave Which? Convo on the Latest comments page and get on with other jobs. A glance at the screen shows new posts. I started to use this with the previous version of this website, where only the three most recent posts could be seen without checking individual Convos.

I’m afraid that, while I agree 100% with everything technical Duncan has put, I’ve decided life’s too short – the effort required to keep clear of the browser trackers is substantial – and one slip… So I’ve decided that I accept most. Foolhardy? Possibly. Time saving? Probably – although I am surely grateful for a decent spam filter.

I have IE – remember that? And a few plugins for it to allow local viewing and setting tweaks for my plethora of IP-based cameras.

I’m with you on that Roger. I use several browsers and do clear them many times a day but I really can’t be bothered to manage them.

But what GDPR has highlighted, is the unimaginable extent of the minefield of abuse these companies inflict on our computers and personal data.

DerekP says:
28 May 2018

Software and internet services that are free to acquire and use have to be paid for somehow. So for many legitimate e-commerce (etc.) applications, e.g. Which? Convo, the offer is “you can use our site for free, but only if you are content to share data with us (and our partners)”.

Like free copies of the Metro newspaper, advertising (and related activities) pay for much of the free stuff on the net. So long as the offers are open and honest, then we can all make informed choices about what we use.

I’ve seen various unwanted browser attacks that replace things like sensible choices of search engine, presumably to cream off data and sales traffic, but I’ve never seem examples of “widely recommended” add-ons doing that.

In principle, decent internet security apps ought to help prevent such attacks.

The attacks I’ve seen occurred on family members’ PCs, running either Windows (presumably with security software) or ChromeOS (as supported by Google) or generic linux (presumably without any security software). Of those three, the simplest to clean up after a malware intrusion seems to be ChromeOS, using its factory refresh option.

Indeed. At one time it seemed likely that users might have to pay for web browsers, but the free versions proved compelling and now we have advertising and tracking. Perhaps it will become so bad that positive action will be taken to control this. Back in the 80s I thought that people would stop watching commercial TV because of the amount of advertising, but I’m one of the few who seems to have done this.

DerekP says:
28 May 2018

I’m stupidly still paying for a TV licence, even though my aerial cable has been disconnected for a few weeks now. Thanks to YouTube and Netflix, I can get by without any terrestrial TV.

Sometimes the advert breaks are an opportunity to slip out to the brain and check on emails and latest comments, make a cuppa, load the dishwasher, read a bit of Private Eye, go to the…., but I would not miss one of the good programmes on a commercial channel just to spite the adverts. Just ignore them. I expect with a modern tv, AI will know when I’m avoiding my duty and penalise me in some way?

DerekP says:
28 May 2018

Malcolm, if you watch terrestrial TV via a PVR, then you can just press the pause button anytime you need a break.

My technology is not up to scratch, Derek.

I see that Which? are giving me advice on “How to buy the best TV for the 2018 World Cup
Read more: https://www.which.co.uk/news/2018/05/how-to-buy-the-best-tv-for-the-2018-world-cup/ – Which?

One day I’ll need a new tv, no doubt with pause technology, but I hope it might also have a “no-football” button as well.

I always watch TV via the PVR so that I can pause TV programmes and listen again to something interesting. I have a radio with the same facilities.

I hate when they change te homepage! My Grandma’s homepage used t change constantly! Turns out Windows Embedded was the answer to that

Agreed on LastPass which I have used for years on many devices.
WoT is the second addon for me.
As an Apple user I am happy to pay a small monthly amount to have iCloud backup on all my devices which means I can store any file there for access whilst connected and recent battles between Apple and the CIA gives one hope that they are reasonably confidential.
Using an iPad which has the equivalent of sandboxing of programs can be further enhanced by using TOR.
This message sent via VPN.

I only use AdBlock Plus and Rapport (from IBM). I not convinced others are vetted enough before appearing on an app store to risk downloading any more.

I detest Rapport but use it on on the computer I use for online banking. I don’t know about the PC version but the Mac version slows has slowed down every Mac I’ve tried it on.

Without giving too much away, I’ve recently become the owner of some water transport. The signal here is hit and miss, so my postings –when here – are also hit and miss. This might explain why I am more often in the breach than the observance in matters conversational. That and musical demands plus a massive felling and logging at home (where do blunt chainsaws go to die? I shall write the ballad of the handsaw in due course. ) Enough personal boring ephemera.
Oh for the days of innocence when the internet was simple and exciting and new. Now every click has to be thought about and every visit backed by a check to see if someone or something has slipped in unnoticed. I don’t have any web extensions that I know of, just simple browser connections and an E.mail address. This does all I need to do on line, so see no point in adding anything else. My anti-virus and firewall seem to work though there is no way of knowing if they do, other than the computer behaving as it should without any sign of malware in the background. It’s difficult to see what else there is to do without becoming technical and spending time going round computer. I suspect Duncan would disagree with this as his technical knowhow and internet savvy are light years ahead of mine. My motto is “keep it simple and keep it backed up”

Each to their own Vynor , I believe in secrets that adversely affect the public being “outed ” , there again I hold radical beliefs of a non-conformist nature knowing what goes on “behind the scenes ” Look at my post on Apple Mail I have just posted , nothing is impenetrable , any system can be got at , look how long the US Congress and Military Establishment is taking to decide whether Amazon/Google / etc can win the contract for their very secure Cloud Storage contract to hold all US military secrets. ordinary Cloud Storage isn’t up to its advertising in security for the public , its already been hacked.

Vynor – I recall you told us about the buying of Amanda Louise, in the Rhyming Room. I do read your contributions. A quick guess suggests that you are now the proud owner of a yacht.

Yes – I think Sir Philip Green had one for sale recently.

I’m just booking my berth in Cannes for lunch with * *!

🙂 Keep in touch on your travels then.

You must install AdBlockPlus, YouTube+ and Hide Twitter Guff

Not if you dont want to be tracked.

Which one tracks then??

I wasn’t going to answer you due to your post but in case anybody thinks I am dodging something in not replying to you lets just take ONE of your apps you quoted –Hide Twitter Guff not only does this app track you but my new blocking app completely blocked access to the owners website – which is ocadia even though its related to git hub its not good . I will give you the URL but NOT as a click on in Which convo as I would be letting down the British public’s web protection , most browsers wont spot it or stop access to it so be warned ! Do NOT try to use this URL -its https—www–huge—domains.com/ domain –PROFILE –cfm?d=OCADIA &e=com Wavechange- Roger – Derek do NOT join this URL up its dangerous !!! By the way when I used Yandex to reach the download website of the maker the websites AI BLOCKED one of my apps to stop it blocking its tracking and downloading . Not so my better browser which is real open source which showed it as it really is a powerful tracking app that gathers all your info. Now I have TWO browsers that have blocked the makers download website with the same details and tracking server.

Here,s one for Win 10 users , MS “broke ” the deny web search facility so that they can track your use of Windows more easily as the Windows search facility has to refer directly to Microsoft -Redmond for search terms inputted by you on a browser of theirs . It can be changed but requires reprogramming three different types of tracking and work in Windows main programming.

Tony says:
2 June 2018

I use Firefox which is not run by Google, Apple or Microsoft, and I use DuckDuckGo as my default search engine. This goes some way to anonymising me – I hope.

Its a good start Tony try Waterfox ONLY download from here –I guarantee ZERO trackers / malware etc one of the few websites on the web with NO trackers https://www.waterfoxproject.org/en-US/waterfox/new/ but have to tell you the built in app in both refers to Google automatically that warns you of bad websites –you can disable it of course . Google run a “safe browsing app” service for lots of browsers and don’t enable ANY FF account because it goes to Salesforce MARKETING cloud which has its own policy DONT enable sync -dont enable website notifications either . Dont take this as very bad a lot of browsers are much worse.

Tony if you want a very small but lightning fast web browser without any “bells + whistles ” than can block Jscript , HTTPS compliant , cookie manager , history will not be stored if you zero day it, works on ancient computers , won best non commercial project at RISC -OS awards -2012/3 then click on http://www.netsurf-browser.org -designers website DONT download anywhere else positively zero trackers. Wont “phone home ” .

DerekP says:
3 June 2018

Duncan, thanks you those links. I was able to download NetSurf 3.2 from the Debian repository but, never mind being “lightning fast”, it would not even function with Which? Conversation.

WaterFox does not seem to be in the Debian repos, but the download you linked to includes an executable that (mostly) seems to work here. (It has crashed once, so far…). I did note that Waterfox comes with Bing (hello Redmont…) as its default search engine, so I changed that to DuckDuckGo. And, as evidenced by this, it seems to work for W?C.

You need to exercise caution when using Firefox-forks like Waterfox.

Netsurf is also something that needs care.

Derek NetSurf -3.2 is out of date , thats one of the good points of Pacman in Arch Linux it keeps up to date due to the complete constant system renewal every month of so (except for the core ) so there is never a “new version ” . Its now NetSurf 3.7 Which wont work without you ticking the Jscript box the boxes dont come filled in in Preferences . I dont use it for Which as no Jscript stops a lot of malware. Yes I use Duck-Duck Go too as Bing is just handing MS your data on a plate. On Saturday I got another system renewal including the Kernel being updated only took minutes but I have found a major problem on Sunday I got a Waterfox “rebuild ” as it didnt like the one from the Pacman repository . Normally in any other system its a 2 minute job (apart from Windows ) even a new version is done in double quick time but I was not expecting it to be a real rebuild –from scratch –but it was . I watched in amazement as a whole new Waterfox was constructed as if the designer was building it from his mind -bit by bit by bit –over half an hour it took never came across that before.

I dont agree with them Ian I know you always go for the “status quo ” I dont You picked the website in the USA I was kicked off for criticising their FINANCIAL backers , of course they will be defending FF they get PAID to defend MS/Fox “News ” / and a host of others. I criticised MS and another —Gooten Tag -Duncan – Verboten for their website . They neglected to mention that FF does gather your info –SECRETLY which Waterfox doesnt , In FF you need to go into-about:config to change just one tracker , I have already posted on this . NetSurf ? as I said to Derek Update to 3.7 and tick a few boxes and NO Ian it isnt “an old system” -latest version November -2017.

DerekP says:
3 June 2018

Funnily enough, I was just reading that website when you posted the link to it. I note some of the comments there challenge the veracity of the article text though…

As regards WaterFox, I didn’t relish the fact that I couldn’t download it from my linux repository ( “App store” ), because directly downloading 3rd party code eliminates the security barrier provided by those responsible for repository maintenance. Hence, this places more emphasis on trusting the software vendor (and any other available advocates).

Personally, if I were really paranoid about being “spied on” whilst on the ‘net, I’d start out by using a completely free and libre OS, e.g. one of the actual GNU/Linux versions like Tisquel and then work onwards from there. By doing that I coud be sure that I wasn’t vulnerable to any sneaky code in closed source apps or device drivers. That said, the common problem of unintended vulnerabilities in other code would still be present.

But, even I never personally logged onto the ‘net at all, it would still end up containing data about me.

DerekP says:
3 June 2018

Ian, I think the NetSurf hijacker and browser are probably not the same beast…

DerekP says:
3 June 2018

Duncan, having tried NetSurf 3.2 and found it to be essentially useless as released via Debian, I really don’t see any point in trying a later version.

For what I most need, Cromium works just fine…

Arch repository , as I said, holds Waterfox and Arch ,as I said, did a complete system REBUILD from SCRATCH ! over half an hour it took. I will ask a question if many here dont care about being tracked why then do they “care ” about the DATA being used as thats the way its obtained ??. I keep on saying I used my real name from the beginning as I knew it was a waste of time trying to hide it Google et al including all the security services in the West know all about us , you do know all our data is now sent to US servers including the latest medical records ? WE are foreigners in USA eyes but this never sinks in the same as GCHQ is used by the NSA/CIA to spy on US citizens because US citizen protection is better BY LAW than ours . Germany has now proclaimed “its copying the UK ” in massive snooping (no holes barred ) but its been sending German data to the NSA for many years .

Works okay in Arch Derek. Its very basic unlike Ian who likes the “big boys ” who constantly gather your data, small -CROWD FUNDED browsers dont I trust small groups of enthusiasts much more than devious major actors because the change the basic programming to stop snooping or design from scratch . This upsets many websites .

Your right Derek.

Duncan Lucas says:
Today 10:29

Works okay in Arch Derek. Its very basic unlike Ian who likes the “big boys ” who constantly gather your data,

Duncan, a lot of what you claim is unsubstantiated, but this is simply uninformed and wrong. You have no idea about which browsers I use or favour, and you have no idea why. So stop claiming you know things which you don’t and stick to what you can prove, please. Trolling in here is unacceptable and your post (above) is an example of that.

You sound like a company troll Ian trying trying to make the public believe that they can “trust us ” .You are also worried that confidence in HMG,s propaganda forcing the British public to “use the Web ” can be shown to be not safe . Fake news is unsubstantiated but the UK/US put it out all the time but what you are saying is they DONT — I am in utter disbelief at that suggestion , YOU are trying to control me by dissing me with YOUR unsubstantiated post . Go on Ian -report me and that will show the level of your willingness to suppress views other than YOUR OWN ! Reality backed up by technical bods well above me agree have shown I am telling the truth . Okay Ian PROVE me wrong ??

Your comment Ian brings into question the freedom to post technical engineering posts here I know you dont like that but the LOBBY comes under TECHNOLOGY/not cartoons/jokes yet it has been subverted . I have posted what a TROLL stands for from the Webster dictionary its to swear/ ridicule/ and use low intelligence comments to “bring down ” other posters that the TROLL doesn’t like NOTHING to do conglomerates/Big Business so you are totally wrong in your judgement . You spend your time protecting them by innuendo that I or others “cant substantiate ” what we say thats usual government “jargon ” when I posted links you weren’t happy and still arent . Your attack is a personal attack on me thats what trolls do IAN. I will not accept it –ever.

Duncan, if you calm down for a moment and read what I’ve written you will see that it’s postings of yours where you claim to ‘know’ what I think about things eg:

“unlike Ian who likes the “big boys ””

“You are also worried that confidence in HMG,s propaganda forcing the British public to “use the Web ” can be shown to be not safe”

“YOU are trying to control me by dissing me with YOUR unsubstantiated post”

which is where I take exception. Unless you’re possessed of psychic capabilities such as mind reading you cannot possibly ‘know’ what you claim about me. And when you make those comments which I’m sure you know are provocative, you are trolling: a Troll is a person who sows discord on the Internet by starting quarrels or upsetting people, by posting inflammatory, extraneous, or off-topic messages in an online community (such as a newsgroup, forum, chat room, or blog) with the intent of provoking readers into an emotional response.

It obviously upsets YOU IAN but many posters over the years agree with me and still do since I came here I said I was FOR the public not intrinsically “For ” anybody else although I have a high regard for Wavechange . I am not trying to provoke an emotional response but a REBUTTAL of what technical points I have posted , .Try to contradict the technical points and then we can intercommunicate normally . You say they are all safe –PROVE IT ??? I have never been part of a “group ” although I could have joined the Mason,s I dont hold to their philosophy of “giving a helping hand to each other ” –nod-nod -wink -wink. when I lived in London I was asked to join an “Order of the Elephants ” or a name like that , I declined as it would put me in a better position work wise than Joe Bloggs I do have principles which , yes hurt me financially but I go to sleep with a better moral sense. Nobody is perfect including myself but I have stood alone all my life and “lean ” on nobody.

You say they are all safe

Were did I say that? Please post the reference. Or withdraw the comment.

Hi both, please can you refrain from making unfriendly personal comments. These comments are beginning to become off-topic so I kindly ask that you refrain from making any further comments about each other. Any further rude/offensive comments will be moderated.

If you would like to continue to constructively discuss web browsers then please do 🙂 Thank you.

DerekP says:
3 June 2018

Duncan, I think the underlying dilemma here is that most people expect our security services to use all best available technologies to ensure security, including the prevention of terrorist attacks.

If our security services had been better able to collect and analyse data, so that recent terrorist attacks had been averted, wouldn’t we all have wanted that?

Ian see my post on the new convo . AMAZON hacked -this year. “Unsubstantiated ” my a–.

Well, Tom here is the bang up to date news on your convo from Google Chrome – starting -June 12th no new extension apps will be allowed on their browser -you will be directed to the official website store. come 12th September -2018 all extensions NOT directly from the Google Chrome official store will be SHUT DOWN, I take that to mean the removal of that app you got direct from the app designers website you will be redirected to Chrome webstore. Come December and version -Chrome 71 the app allowing this will be removed. Officially ? to “protect you ” — unofficially? well, its Google isn’t it -naughty -naughty -installing an app that blocks them tracking you. If I translated it wrong please correct?

Have any posters got those apps on their smartphones in relation to browser extensions– Block Site -Adblock Prime -Mobile health club apps -Speed Booster-Battery Saver- App Lock/Privacy Protector -Clean Droid-Popper Blocker -Crx Mouse ?? If you have you are definitely being spied upon –Big Star Labs are behind it , their company name is an image and obfusticated . For those seeking proof click on https://beebom.com/spyware-apps-and-extensions-on-android-ios-allegedly-affect-over-11m-users/

DerekP says:
27 July 2018

Duncan, thanks for that post.

Am I right in thinking that the “proof” you’re citing comprises claims hosted by a rival software product “AdGuard” ?

If so, is that useful proof – or just “hurt & rescue” marketing?

You could use the same logic and theory on Google /Microsoft and a lot of other big digitally run companies . I get several from Germany as well as the USA telling me about hacks etc . If several of those tech. companies agree then its not just a case of “self publicising ” to obtain recognition but you are equally allowed to not believe it but think of the reputations of those software engineers working for those companies , their names would be mud if it was a lie . You saw the heading and introduction of where the last piece of malware came from and that was proved correct . Warnings come to me constantly including a well known guy I think you know of international “fame ” who has been warning people for a long time but also from big name international malware and investigative tech companies , I have yet to find any of the ones I rely on turn out to be fakes . I get all the background investigation but I got the “message ” here keep the tech. down so I do but if you question the reality of my warnings and then complain about -“too much engineering ” if I go into detail isn’t that suppressing proof to prove another conclusion ? Look Derek I have been given no reason to trust the “big boys ” in the digital media they are devious , conniving, etc in their information gathering and getting worse now so if somebody even a small company “bursts the lid ” on their wrong doings its worth listening to at least . I also check up on system programming websites to see if they agree and advise implementation of changes to my programming which is more possible on my system than many , to protect myself so I dont just take one viewpoint I take a range of views . It might not seem it but I do believe in capitalism with a small “c” why shouldn’t an investigative company give itself a pat on the back if it finds out hidden malware ? as long as what it says is truthful –nobody has questioned this report so far.

DerekP says:
27 July 2018

So the answers to my questions were “yes” and “no – just normal marketing and sales”?

I think that the browser extension is very helpful in the work