/ Technology

How safe are web browser extensions?

Web browser extensions can generate discount codes for retail sites, add features to your email app of choice and help you scribble down a to-do list in a couple of clicks. But are they safe to use?

Helpful add-ons sound great, but when you consider that you’ll have to part with your data to install many of them, It raises some very interesting questions over privacy

What can they do?

There are thousands of web browser extensions out there, and most of them are free to download. They’re supported by all the popular browsers, such as Microsoft Edge, Firefox and Google Chrome.

The Editor’s Picks section on the Google Chrome web store is updated every so often with some new options to take a peek at. This month, we’ve spotted:

LastPass – a password manager that saves your passes and logs you in automatically when you visit certain sites.

Save to Pocket – quickly save a web page or news story so you can revisit it on your smartphone, even without an internet connection.

My Cats – get treated to an adorable cat picture every time you open up a new tab!

Just recently, a coder shared his progress on an ‘experimental’ Chrome extension called FacePause, which uses your webcam to pause videos when you look away from your screen.

Would you be happy giving your web browser access to your webcam? I’m not sure I would.

Sharing your personal data

Every time you install a browser extension, you give that app permission to access your information.

By installing free grammar-checking app ‘Grammarly’, for example, you agree to the group’s terms and conditions, which means the following information will be collected: your username, email address, contact preferences, payment information (for paying users only), geographic information, ‘any user content you add to your account’, activities you perform within your account and the type of hardware and software you use.

That sounds like a lot of data, but it’s pretty typical for a Google Chrome extension to request these things.

Extensions and malware

With browser extensions getting increasingly popular, malware makers are getting creative. We’ve seen countless cases where a malicious Chrome extension has made its way onto Google’s download page, disguised as a legitimate tool when it’s actually stealing personal data without permission.

Earlier this month, cybersecurity group Radware reported on a damaging extension that managed to infect more than 100,000 users in over 100 countries.

Dubbed “Nigelthorn”, unsuspecting users on Facebook were lead to a URL supposedly linking to a YouTube video. However, the website was a fake, encouraging users to install a Chrome extension to play the video on the page. Once installed, the extension hijacks the user’s PC and uses its processing power to mine cryptocurrency, thus slowing down the PC to the point where it’s practically unusable.

Have your say

I’ve used my fair share of browser extensions in the past, with one of my favourites, Evernote, letting me quickly share files between my mobile and my PC, but should I rely less on apps that require so many data permissions?

What are your thoughts on sharing data with developers if it means having access to a genuinely useful browser extension? I’d love to hear your thoughts.


This comment was removed at the request of the user

Firefox doesn’t track you!

[Sorry, your comment has been edited to align with our community guidelines. Please keep comments polite. https://conversation.which.co.uk/commenting-guidelines/. Thanks, Alex.]

This comment was removed at the request of the user

This comment was removed at the request of the user

This comment was removed at the request of the user

Removing both discourteous comments seems the best solution. Has that happened between USA and N. Korea?

More or less, I think, Malcolm. Both sides were posturing for home consumption and the fundamentals are strong so neither side wanted to be the one to pull the plug on a dialogue. Trump might have his eye on a peace prize one day – such is his ego it knows no bounds. Be funny if the other man got it.

The only browser extension I have installed is one to auto-refresh browser pages in Safari. I often leave Which? Convo on the Latest comments page and get on with other jobs. A glance at the screen shows new posts. I started to use this with the previous version of this website, where only the three most recent posts could be seen without checking individual Convos.

I’m afraid that, while I agree 100% with everything technical Duncan has put, I’ve decided life’s too short – the effort required to keep clear of the browser trackers is substantial – and one slip… So I’ve decided that I accept most. Foolhardy? Possibly. Time saving? Probably – although I am surely grateful for a decent spam filter.

I have IE – remember that? And a few plugins for it to allow local viewing and setting tweaks for my plethora of IP-based cameras.

I’m with you on that Roger. I use several browsers and do clear them many times a day but I really can’t be bothered to manage them.

But what GDPR has highlighted, is the unimaginable extent of the minefield of abuse these companies inflict on our computers and personal data.

Software and internet services that are free to acquire and use have to be paid for somehow. So for many legitimate e-commerce (etc.) applications, e.g. Which? Convo, the offer is “you can use our site for free, but only if you are content to share data with us (and our partners)”.

Like free copies of the Metro newspaper, advertising (and related activities) pay for much of the free stuff on the net. So long as the offers are open and honest, then we can all make informed choices about what we use.

I’ve seen various unwanted browser attacks that replace things like sensible choices of search engine, presumably to cream off data and sales traffic, but I’ve never seem examples of “widely recommended” add-ons doing that.

In principle, decent internet security apps ought to help prevent such attacks.

The attacks I’ve seen occurred on family members’ PCs, running either Windows (presumably with security software) or ChromeOS (as supported by Google) or generic linux (presumably without any security software). Of those three, the simplest to clean up after a malware intrusion seems to be ChromeOS, using its factory refresh option.

Indeed. At one time it seemed likely that users might have to pay for web browsers, but the free versions proved compelling and now we have advertising and tracking. Perhaps it will become so bad that positive action will be taken to control this. Back in the 80s I thought that people would stop watching commercial TV because of the amount of advertising, but I’m one of the few who seems to have done this.

I’m stupidly still paying for a TV licence, even though my aerial cable has been disconnected for a few weeks now. Thanks to YouTube and Netflix, I can get by without any terrestrial TV.

Sometimes the advert breaks are an opportunity to slip out to the brain and check on emails and latest comments, make a cuppa, load the dishwasher, read a bit of Private Eye, go to the…., but I would not miss one of the good programmes on a commercial channel just to spite the adverts. Just ignore them. I expect with a modern tv, AI will know when I’m avoiding my duty and penalise me in some way?

Malcolm, if you watch terrestrial TV via a PVR, then you can just press the pause button anytime you need a break.

My technology is not up to scratch, Derek.

I see that Which? are giving me advice on “How to buy the best TV for the 2018 World Cup
Read more: https://www.which.co.uk/news/2018/05/how-to-buy-the-best-tv-for-the-2018-world-cup/ – Which?

One day I’ll need a new tv, no doubt with pause technology, but I hope it might also have a “no-football” button as well.

I always watch TV via the PVR so that I can pause TV programmes and listen again to something interesting. I have a radio with the same facilities.

I hate when they change te homepage! My Grandma’s homepage used t change constantly! Turns out Windows Embedded was the answer to that

Agreed on LastPass which I have used for years on many devices.
WoT is the second addon for me.
As an Apple user I am happy to pay a small monthly amount to have iCloud backup on all my devices which means I can store any file there for access whilst connected and recent battles between Apple and the CIA gives one hope that they are reasonably confidential.
Using an iPad which has the equivalent of sandboxing of programs can be further enhanced by using TOR.
This message sent via VPN.

I only use AdBlock Plus and Rapport (from IBM). I not convinced others are vetted enough before appearing on an app store to risk downloading any more.

I detest Rapport but use it on on the computer I use for online banking. I don’t know about the PC version but the Mac version slows has slowed down every Mac I’ve tried it on.

Without giving too much away, I’ve recently become the owner of some water transport. The signal here is hit and miss, so my postings –when here – are also hit and miss. This might explain why I am more often in the breach than the observance in matters conversational. That and musical demands plus a massive felling and logging at home (where do blunt chainsaws go to die? I shall write the ballad of the handsaw in due course. ) Enough personal boring ephemera.
Oh for the days of innocence when the internet was simple and exciting and new. Now every click has to be thought about and every visit backed by a check to see if someone or something has slipped in unnoticed. I don’t have any web extensions that I know of, just simple browser connections and an E.mail address. This does all I need to do on line, so see no point in adding anything else. My anti-virus and firewall seem to work though there is no way of knowing if they do, other than the computer behaving as it should without any sign of malware in the background. It’s difficult to see what else there is to do without becoming technical and spending time going round computer. I suspect Duncan would disagree with this as his technical knowhow and internet savvy are light years ahead of mine. My motto is “keep it simple and keep it backed up”

This comment was removed at the request of the user

Vynor – I recall you told us about the buying of Amanda Louise, in the Rhyming Room. I do read your contributions. A quick guess suggests that you are now the proud owner of a yacht.

Yes – I think Sir Philip Green had one for sale recently.

I’m just booking my berth in Cannes for lunch with * *!

🙂 Keep in touch on your travels then.

You must install AdBlockPlus, YouTube+ and Hide Twitter Guff

This comment was removed at the request of the user

Which one tracks then??

This comment was removed at the request of the user

This comment was removed at the request of the user

Tony says:
2 June 2018

I use Firefox which is not run by Google, Apple or Microsoft, and I use DuckDuckGo as my default search engine. This goes some way to anonymising me – I hope.

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan, thanks you those links. I was able to download NetSurf 3.2 from the Debian repository but, never mind being “lightning fast”, it would not even function with Which? Conversation.

WaterFox does not seem to be in the Debian repos, but the download you linked to includes an executable that (mostly) seems to work here. (It has crashed once, so far…). I did note that Waterfox comes with Bing (hello Redmont…) as its default search engine, so I changed that to DuckDuckGo. And, as evidenced by this, it seems to work for W?C.

You need to exercise caution when using Firefox-forks like Waterfox.

Netsurf is also something that needs care.

This comment was removed at the request of the user

This comment was removed at the request of the user

Funnily enough, I was just reading that website when you posted the link to it. I note some of the comments there challenge the veracity of the article text though…

As regards WaterFox, I didn’t relish the fact that I couldn’t download it from my linux repository ( “App store” ), because directly downloading 3rd party code eliminates the security barrier provided by those responsible for repository maintenance. Hence, this places more emphasis on trusting the software vendor (and any other available advocates).

Personally, if I were really paranoid about being “spied on” whilst on the ‘net, I’d start out by using a completely free and libre OS, e.g. one of the actual GNU/Linux versions like Tisquel and then work onwards from there. By doing that I coud be sure that I wasn’t vulnerable to any sneaky code in closed source apps or device drivers. That said, the common problem of unintended vulnerabilities in other code would still be present.

But, even I never personally logged onto the ‘net at all, it would still end up containing data about me.

Ian, I think the NetSurf hijacker and browser are probably not the same beast…

Duncan, having tried NetSurf 3.2 and found it to be essentially useless as released via Debian, I really don’t see any point in trying a later version.

For what I most need, Cromium works just fine…

This comment was removed at the request of the user

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan Lucas says:
Today 10:29

Works okay in Arch Derek. Its very basic unlike Ian who likes the “big boys ” who constantly gather your data,

Duncan, a lot of what you claim is unsubstantiated, but this is simply uninformed and wrong. You have no idea about which browsers I use or favour, and you have no idea why. So stop claiming you know things which you don’t and stick to what you can prove, please. Trolling in here is unacceptable and your post (above) is an example of that.

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan, if you calm down for a moment and read what I’ve written you will see that it’s postings of yours where you claim to ‘know’ what I think about things eg:

“unlike Ian who likes the “big boys ””

“You are also worried that confidence in HMG,s propaganda forcing the British public to “use the Web ” can be shown to be not safe”

“YOU are trying to control me by dissing me with YOUR unsubstantiated post”

which is where I take exception. Unless you’re possessed of psychic capabilities such as mind reading you cannot possibly ‘know’ what you claim about me. And when you make those comments which I’m sure you know are provocative, you are trolling: a Troll is a person who sows discord on the Internet by starting quarrels or upsetting people, by posting inflammatory, extraneous, or off-topic messages in an online community (such as a newsgroup, forum, chat room, or blog) with the intent of provoking readers into an emotional response.

This comment was removed at the request of the user

You say they are all safe

Were did I say that? Please post the reference. Or withdraw the comment.

Hi both, please can you refrain from making unfriendly personal comments. These comments are beginning to become off-topic so I kindly ask that you refrain from making any further comments about each other. Any further rude/offensive comments will be moderated.

If you would like to continue to constructively discuss web browsers then please do 🙂 Thank you.

Duncan, I think the underlying dilemma here is that most people expect our security services to use all best available technologies to ensure security, including the prevention of terrorist attacks.

If our security services had been better able to collect and analyse data, so that recent terrorist attacks had been averted, wouldn’t we all have wanted that?

This comment was removed at the request of the user

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan, thanks for that post.

Am I right in thinking that the “proof” you’re citing comprises claims hosted by a rival software product “AdGuard” ?

If so, is that useful proof – or just “hurt & rescue” marketing?

This comment was removed at the request of the user

So the answers to my questions were “yes” and “no – just normal marketing and sales”?

I think that the browser extension is very helpful in the work