Something important you need to consider for every extension you install.
The article in question is titled “Did You Know Browser Extensions Are Looking at Your Bank Account?”
In some ways, the article feels a little sensational. In other ways, it doesn’t go far enough.
Regardless, this is a very important concept to understand.
Can extensions be trusted?
Extensions add a wide variety of functionality to web browsers. In order for them to be able to do what we want them to, they need access to almost everything, often including the complete contents of the webpages we view. Extensions from trusted and reputable sources limit their activities to what they promise, even though they could do much, much more. Extensions from elsewhere? There’s no real way to know.
Browser extensions, also called add-ons or plugins, provide functionality the browser’s features do not include. Examples include ad blockers, password managers, web clippers, security software, and more.
Most commonly, they’re found in specific add-on repositories like Microsoft’s store for Edge, Chrome’s store, or Firefox’s.
Browser extensions often spread by nothing more than word of mouth, as people recommend the ones they used to resolve an issue or add a feature.
Can they see?
For extensions to perform their task, they need access to information within the browser. Sometimes that information is limited — perhaps the URL of the page you’re visiting, and nothing more. Other times, that information seems unlimited.
While most browsers have a more granular permissions system, many extensions ask for, and get, access to everything.
Everything in this context means your browser settings, the pages currently displayed in your browser, and the content of every webpage you view.
Some extensions also have the ability to modify what you see before you see it. For example, there are extensions designed to configure your Facebook experience more to your liking: they make a variety of changes to the pages you see, based on the options you choose.
So, can a browser extension see your bank account when you visit your bank’s website?
Absolutely. Browser extensions can see anything on any site, banking or not.
And, yes, that’s an important security risk to be aware of.
The real question is, do they? Do browser extensions look at your bank account?
Even that isn’t a simple question to answer.
An extension that, for example, scans webpages you visit to provide some kind of functionality could very well be scanning your bank account pages as you visit your bank.
Do they know it’s a bank? Do they care it’s a bank?
Not if they’re legit. But if scanning pages is required to do the job the extension provides, then yes, they could be looking at it.
Whether or not they do something malicious while they’re in there brings us to the most important take-away of all.
Only install extensions you trust
Given the access extensions can have to see the content of every webpage you visit, you’re placing a tremendous amount of trust in them. A browser extension could, for example, promise to do one thing — or even actually do it — but it could also be slurping up all your data and saving it for some hacker somewhere.
It’s critical, then, that you trust whoever is providing the extensions you use.
Whenever you consider adding yet another extension (and I’ll admit, they do seem to accumulate), think long and hard about whether the promised functionality is worth the security risk. Take the time to determine who’s providing it and how much of your trust they deserve.
When in doubt, live without the extension.
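As an added illustration (not part of the Ask Leo! article), here is a small Node.js script that puts the permissions discussion and the "only install extensions you trust" advice into practice: it reads the permissions an extension declares in its manifest.json, the file every Chrome, Edge and Firefox extension ships, and reports whether the extension has asked for access to every site you visit or for privileged browser APIs. The two manifests in the script are constructed for this example; the permission names and the match-pattern syntax are the real ones used by Chromium-based browsers and Firefox.

```javascript
// Added example, not code from the Ask Leo! article: audit what an extension
// asks for in its manifest.json before deciding whether to trust it.
// Both sample manifests below are CONSTRUCTED for this example.

// A host pattern that grants access to every site the user visits.
// Match patterns look like scheme://host/path; "<all_urls>" and a host of
// "*" both mean "any website".
function matchesAllSites(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Browser APIs that reach beyond the current page: other tabs' URLs, network
// traffic, cookies, history, the clipboard, or the debugger protocol.
const SENSITIVE_APIS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "webNavigation", "cookies",
  "history", "clipboardRead", "debugger", "proxy", "management", "scripting",
]);

// Collect every site pattern the manifest declares. Manifest V2 lists host
// patterns inside "permissions"; V3 moves them to "host_permissions"; and
// content scripts run inside every page matching their "matches" list, where
// they can read and rewrite the page before you see it.
function hostPatterns(manifest) {
  const patterns = [];
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
  }
  patterns.push(...(manifest.host_permissions || []));
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  return patterns;
}

// Summarise the manifest: "all-sites" means the extension can see every page
// you visit, bank included; "listed-sites" means it is scoped to named sites.
function auditManifest(manifest) {
  const hosts = hostPatterns(manifest);
  const sensitiveApis = (manifest.permissions || []).filter((p) => SENSITIVE_APIS.has(p));
  const allSites = hosts.some(matchesAllSites);
  const risk = allSites ? "all-sites" : hosts.length > 0 ? "listed-sites" : "none";
  return { name: manifest.name, risk, hostPatterns: hosts, sensitiveApis };
}

function describe(report) {
  const where = {
    "all-sites": "can read and change every page you visit",
    "listed-sites": `only reaches: ${report.hostPatterns.join(", ")}`,
    "none": "declares no access to web pages",
  }[report.risk];
  const apis = report.sensitiveApis.length
    ? `; privileged APIs: ${report.sensitiveApis.join(", ")}`
    : "";
  return `${report.name}: ${where}${apis}`;
}

// CONSTRUCTED sample: a "page helper" that asks for everything, as the article describes.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "Example Page Helper (constructed)",
  permissions: ["tabs", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// CONSTRUCTED sample: an extension scoped to one site with no privileged APIs.
const NARROW_MANIFEST = {
  manifest_version: 3,
  name: "Example Site Tweaks (constructed)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["tweaks.js"] }],
};

for (const m of [BROAD_MANIFEST, NARROW_MANIFEST]) {
  console.log(describe(auditManifest(m)));
}
```

The store page for an extension shows the same information in plain words (Chrome, for instance, warns that an extension can "read and change all your data on all websites"), so you do not need the script to apply the check; what the script makes explicit is that "all-sites" access plus APIs like `webRequest` or `tabs` is exactly the combination that lets an extension watch your banking session, and that a well-built extension often needs far less.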
23 comments on “Can Browser Extensions See My Bank Account?”
Is there a way to check on an extension before downloading it? Like a complaint or review site.
Most of the extension stores from which you download them will have reviews. Remember, though, that any of them can be gamed. Bottom line: don’t install extensions you’re not sure about, or from sources you’ve not heard of.
Thanks Leo, I have Browser Guard for that.
That’s why I tend to have a minimal amount myself (I got 3 extensions installed and all are ‘Recommended Extensions’ (by Mozilla since I am on Firefox) (NOTE: I know that does not guarantee they are safe, but it lowers the chances they are shady)) and I suspect I’ll be further protected since while I use Firefox as my primary browser (which has the three extensions), I have Chrome installed as a backup browser with NO extensions installed on it and I typically sign into Chrome when doing higher importance stuff online like Paypal/banking etc. I prefer Firefox (which has extensions installed) in general even though I realize a large portion of the general public uses Chrome, but one can simply reverse this if they want to and use Chrome with their extensions and then have Firefox as a backup browser with no extensions installed on it.
I figure just about everyone will want an ad-blocker extension installed at the minimum. I suggest uBlock Origin (by Raymond Hill), which is approved by Mozilla, as it’s got the ‘recommended extensions’ logo.
P.S. I also run my browsers in a sandbox (Firejail on Linux (I am using Linux Mint); that’s Firejail, not Firefox) as I just run the .deb installer file and then manually make a shortcut on the desktop (i.e. “firejail firefox %u” under the ‘command’ section in the shortcut for Firefox) that has it run in the sandbox, whereas the normal shortcuts run the browser normally without the sandbox. I noticed if someone uses a YubiKey, you have to temporarily sign in with the browser running normally, then you can exit the browser, reload it in the Firejail sandbox and you’re good to go since you will remain signed in from the previous session.
@ Glen LW ; If something is fairly popular chances are you should be safe, but if you start getting into the more obscure extensions then one’s risk will probably rise a bit as a general guideline. But like I say, besides say an ad-blocking extension, which just about everyone will want to install, I would be cautious about installing much beyond that (because in a very basic sense the fewer extensions installed the lower the attack surface, as the more extensions installed then technically your risk rises). Or look at it this way… in my opinion, a person probably won’t need more than a handful (or so) of extensions installed, and when browsing random sites online and those sites want to install an extension, that’s almost surely a red flag in that it’s malicious, so don’t install it. It does not matter if the place claims to be from some legitimate place (like an anti-virus vendor etc), it’s almost surely malicious.
I use the Chrome browser, and I’ve installed several extensions that I downloaded from the official online “Chrome Web Store”. However, before I visit a website that contains my personal information, such as my online banking website, I temporarily disable all of my extensions. I only re-enable them after I’ve completed my activities and logged out of my online bank account. During the time that they are disabled, aren’t the extensions unable to “see” or access/manipulate my personal data?
In theory that’s quite correct. Could be quite cumbersome if you have a lot of extensions, though.
Perhaps someone can make an extension to turn off and on all the extensions with the press of a button. But can you trust them? :-)
To Leo and Mark: There already is a 5-star rated extension, called “SimpleExtManager” (available in the Chrome Web Store), that can be configured to turn all — or any desired subset — of my other Chrome browser extensions on and off with one click of the mouse. I’ve been using SimpleExtManager for years and, according to a notation on the Chrome Web Store page for SimpleExtManager, so have more than 100,000 other happy users. Best wishes, Harris.
Thought there might be one. Thanks for pointing it out.
I almost suggested that.
@ Harris Stewart ; personally I think it would be easier/safer for you to just have an additional browser installed without any extensions installed for occasional use on banking and other sensitive sites. So in other words… use Chrome like you usually do, then use Firefox (without any extensions installed) temporarily for your banking/email and the like. That’s probably a better/more secure option vs disabling extensions temporarily.
Good suggestion. I have a friend who takes that to an extreme. When he does online banking, he boots from a Live Ubuntu stick. I consider that overkill as all banks here have two factor authentication via an app. For really sensitive work, it might be a good idea.
Hmm, little problem here. Using a browser extension to keep track of the very passwords I use to visit my most important, sensitive sites. As advised to do by best password practices from many sources including askLeo. And now extensions themselves are a security risk?
@ Fiona Gregory – Although I don’t recall which password extension manager Leo recommends, you should be safe sticking with well known highly used ones, such as LastPass or Norton’s Password Vault. There are other good ones too. But as Leo and others here pointed out, you could turn off all your OTHER extensions first (might also be a good idea to restart your browser after turning the others off), then go to your secure site. And the other option is using your password manager extension only in a clean browser that only has that extension installed and no other, and don’t use that browser for anything else. And one other idea – don’t use a browser you synchronize with all your other devices.
Read the article carefully. I didn’t say ALL extensions are evil. I said that you must be careful about which ones you have installed, and not install them without thought. I have perhaps a dozen installed right now, but each was a decision (and I revisit those decisions periodically — do I still need this?)
Extensions are programs. The same rules apply. You have to be careful about any program you use and only use extensions you trust.
Thanks for the tips, Chuck, Leo, and Mark. This was new to me as I had heard cautions about opening email attachments, phishing, downloading freeware, but not extensions before (obviously others have). I guess I assumed that they didn’t “see” my web pages any more than the browser itself “sees” them; in other words, they applied algorithms to the content on said pages for me to see.
To dive a little deeper and better understand the threat:
I can see now the potential for this situation
1) EvilHacker creates a browser extension that appears to perform a useful function, but is really a trojan horse for a key logger or something like that.
So if you or others have used an extension for awhile without problems, it can be deemed safe and legit?
But do we also need to worry about this scenario?:
2) NiceButSloppyDeveloper makes a useful extension, but it has a vulnerability that allows it to be compromised by EvilHacker. Possibly through NBSDeveloper themself being attacked by EvilHacker.
“I guess I assumed that they didn’t “see” my web pages any more than the browser itself “sees” them;” that’s kind of the point: the browser sees it completely, and can indeed “see” your bank account information as it goes by. The browser must, in order to present you with that information. And yes, there have been malicious browsers.
Both scenarios you outline are legit and things to be wary of. I think #1 has happened, and I’m certain #2 has.
This is getting scary. The only extension I have is KeeForm. Does anyone see a problem with that?
I really need to start remembering to disable my extensions when going on sites like banking or similar others.
If you are using Chrome browser, Extensity is a trusted extension that allows quick/easy enable/disable of other extensions. And its description says it has no additional site access.
One fairly simple workaround: Have more than one Browser, do any online finances in one with no 3rd party plugins.
– Chrome / Firefox with plugins for routine browsing.
– Online finances: I use Brave – in Private mode.
Never mind the extensions — if you’re going to travel down Paranoia Boulevard, what assurance do you have that the whole danged browser itself isn’t the creation of some hacker, and is not (to use Leo’s own colorful terminology) “slurping up” every single page you visit, banking sites among all the rest?!?
For example (and I must emphasize that this is only an example!), how do you know that Google Chrome isn’t transmitting every single byte of every page you view and every byte you enter, to Google’s servers? “GINYF,”* anybody? :o
*“GINYF” – “Google Is NOT Your Friend.” (I have yet to hear of any “GINYF Society of America,” but it would never surprise me to hear that one had formed!)
Anything is possible, but companies like Google and Microsoft make much more money from legitimate activities than they could make from spyware trojans. Firefox, TOR, Brave and Opera are open source, so any spyware would be discoverable. I’d trust either an open-source browser or a browser from a tech giant whose reputation is worth more than anything they can gain through using spyware.
Google gathers a lot of information which you may not be comfortable with, but nothing on the level of data theft. If you don’t feel comfortable with Google, there are open-source browsers. If you don’t trust Microsoft, Linux is open source.