You can trust some web browser extensions. At the same time, there are malicious extensions you absolutely should not trust.
The real question is, how do you know which is which? That's a question for any software you choose to install on your machine, browser extension or not.
Trustworthy browser extensions come from reputable sources, perform a specific, useful task, and don't require more access than the task needs. Less trustworthy extensions often appear as PUPs, or come from sources you've never heard of. Given the amount of access a browser extension is given, it's important to be cautious when considering one.
Browser extension access
It's not at all uncommon for a web browser extension to request or require permissions to access your data.
In the example above, the LastPass password vault browser extension for Firefox needs access to just about everything. The extension can, for example, examine any and all data on every website you visit -- including your bank!
But when you think about it, this makes sense. LastPass (and any other password vault extension) needs this access in order to do the job you're asking it to do: collect passwords from and enter passwords on those pages.
Ad blockers are another example of browser extensions that require wide-ranging permission to examine all of the pages displayed in your browser to be able to do the job you're expecting them to do: remove the ads on those pages.
Since many browser extensions exist to modify what we see on the page -- be it removing ads, filling in forms, or even customizing our social media feeds -- needing access to "everything" is pretty common.
Viewing extension permissions
In most browsers, you can view the permissions granted to your installed extensions.
In Firefox, click on the hamburger menu in the upper right, then Add-ons, then Extensions. Click on the extension you want to examine, and then click on Permissions.
In the example above, I've viewed the permissions required by the LastPass extension.
You can do the same in Edge. Click on the ellipsis menu in the upper right, Extensions, and then click on the Details item for the extension you wish to examine. For Google Chrome, click on the ellipsis menu in the upper right, More tools, Extensions, and then click on the Details item.
In some browsers, you'll be able to restrict an extension's access to specific sites, which is useful if its functionality only applies to those sites. More commonly, though, we ask extensions to operate on multiple sites, so allowed access is set to "all".
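The same permissions the browser shows are declared in the extension's manifest.json, so they can also be checked outside the browser UI. The following is an added example, not part of the original article: the two manifests are constructed samples, and the function names and the list of "sensitive" API permissions are assumptions chosen for illustration.

```python
import json

# Match patterns that grant access to every site (WebExtension manifest syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look: they expose browsing data or reach outside the page.
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest", "clipboardRead", "nativeMessaging"}

def is_host_pattern(entry):
    """Host access entries are <all_urls> or contain a scheme separator."""
    return entry == "<all_urls>" or "://" in entry

def audit_manifest(manifest_text):
    """Summarise what an extension's manifest.json asks for."""
    m = json.loads(manifest_text)
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    declared = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    # Content scripts also name the pages the extension's code is injected into.
    for script in m.get("content_scripts", []):
        declared += script.get("matches", [])
    hosts = sorted({p for p in declared if isinstance(p, str) and is_host_pattern(p)})
    apis = sorted({p for p in declared if isinstance(p, str) and not is_host_pattern(p)})
    return {
        "name": m.get("name", "(unnamed)"),
        "all_sites": any(h in ALL_SITES for h in hosts),
        "hosts": hosts,
        "sensitive_apis": [a for a in apis if a in SENSITIVE_APIS],
    }

# Constructed sample manifests (not taken from any real extension).
PASSWORD_FILLER = json.dumps({
    "manifest_version": 3,
    "name": "Example Password Filler",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
})
SINGLE_SITE_TOOL = json.dumps({
    "manifest_version": 2,
    "name": "Example Feed Tidier",
    "permissions": ["storage", "https://social.example/*"],
    "content_scripts": [{"matches": ["https://social.example/*"], "js": ["tidy.js"]}],
})

if __name__ == "__main__":
    for text in (PASSWORD_FILLER, SINGLE_SITE_TOOL):
        r = audit_manifest(text)
        scope = "every site" if r["all_sites"] else ", ".join(r["hosts"])
        print(f'{r["name"]}: reads {scope}; sensitive APIs: {r["sensitive_apis"] or "none"}')
```

An "every site" result is expected for a password vault or ad blocker; it tells you how much trust the extension is asking for, not whether it deserves it.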
Who do you trust?
Given that extensions have such wide-ranging abilities to examine the data shown and entered in your browser, it's important to remain cautious and install only extensions you trust.
So, how do you know who to trust?
Aside from PUPs (extensions that appear without your having asked for them), there's no easy answer. It boils down to researching the company providing the extension, making sure they're legitimate, and ensuring their policies match your expectations.
Look for reviews on sites like Ask Leo!, but even there, be cautious: many "best X" sites and reports are not objective, but exist to promote a specific answer rather than a true "best of" list. Rely on sites you already know, and perhaps the advice or recommendations of trusted technical friends.
Read reviews, knowing that while there will always be unhappy customers, you're looking for companies with mostly positive feedback. Make sure any negative reviews or complaints are about things that matter [1]. Check out support forums and see if the company responds to concerns raised by other users, and once again, whether those are issues that really matter.
Perhaps most importantly, assume the worst.
If you find you can't come up with enough support to trust them, don't. Don't install the extension, and live without whatever functionality they had promised.
The risk for abuse is high. And you're quite right: malicious browser extensions have indeed been known to slurp up banking log-in credentials and more.
Footnotes & References
1: It's amazing how upset people get over the most minor annoyance. Take all individual reviews with a grain of salt, and look instead for trends.
I think as a general rule only install a minimal amount of extensions and only trust ones that have been around a while as this keeps one's risk at a minimum (and I figure the fewer extensions installed the better for all around browser performance). I see Mozilla has a ‘Recommended extensions’ icon which I would imagine helps a bit. I only have three extensions installed and all three have the recommended logo on them as I imagine even with this logo, while not guaranteed to keep you safe, it’s probably noticeably less likely to be malicious vs those random no-name extensions.
I think, at the minimum, just about everyone should have a decent ad-blocking extension since it removes a lot of unwanted junk online and gives one a smoother all around experience online (sure, technically risk increases on some level vs no extensions being installed but I figure the benefits outweigh the minimal risk). I suggest uBlock Origin (by Raymond Hill), which has nearly 4.9 million users (and has been around for years), since that seems to be the best free ad-blocker in general in my opinion. NOTE: get the extension (or pretty much any extension for that matter) from official sources. So in Firefox for example… click the triple line icon (near top right area of Firefox) then click the ‘add-ons’ and search for it in there.
But anyways, like Leo said… treat extensions like programs, only install what you trust. So unless you’re confident it’s legitimate, just assume it’s malicious and don’t install it. Or if some random site is asking to install an extension, it’s probably malicious so don’t install it.