Can I Trust Browser Extensions?

Is it true that you can’t trust browser extensions because they’ll grab your data when doing things like online banking?

You can trust some web browser extensions. At the same time, there are malicious extensions you absolutely should not trust.

The real question is, how do you know which is which? That’s a question for any software you choose to install on your machine, browser extension or not.

TL;DR:

Trustworthy browser extensions come from reputable sources, perform a specific, useful task, and don’t require more access than the task needs. Less trustworthy extensions often appear as PUPs, or come from sources you’ve never heard of. Given the amount of access a browser extension is given, it’s important to be cautious when considering one.

Browser extension access

It’s not at all uncommon for a web browser extension to request or require permissions to access your data.

Permissions required by LastPass being installed in Firefox.

In the example above, the LastPass password vault browser extension for Firefox needs access to just about everything. The extension can, for example, examine any and all data on every website you visit — including your bank!

But when you think about it, this makes sense. LastPass (and any other password vault extension) needs this access in order to do the job you’re asking it to do: collect passwords from and enter passwords on those pages.

Ad blockers are another example of browser extensions that require wide-ranging permission to examine all of the pages displayed in your browser to be able to do the job you’re expecting them to do: remove the ads on those pages.

Since many browser extensions are about modifying what we see on the page — be it removing ads, filling in forms, or even customizing our social media feeds — needing access to “everything” is pretty common.

Viewing extension permissions

In most browsers, you can view the permissions granted to your installed extensions.

In Firefox, click on the hamburger menu in the upper right, then Add-ons, then Extensions. Click on the extension you want to examine, and then click on Permissions.

LastPass extension permissions in Firefox.

In the example above, I’ve viewed the permissions required by the LastPass extension.

You can do the same in Edge. Click on the ellipsis menu in the upper right, Extensions, and then click on the Details item for the extension you wish to examine. For Google Chrome, click on the ellipsis menu in the upper right, More tools, Extensions, and then click on the Details item.

In some browsers, you’ll be able to restrict an extension’s access to only specific sites, which can be useful if its functionality only applies to those sites. More commonly, though, we ask extensions to operate on multiple sites, so allowed access is set to “all”.
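
The permissions your browser shows come from the extension's manifest.json file. As an added example (not part of the original article), this JavaScript reads a manifest and reports whether the extension asks for every site or only specific ones. Both sample manifests and all function names are made up for illustration.

```javascript
// Added example. Both manifests below are constructed, not taken from real extensions.
const BROAD = {
  name: "Constructed password vault",
  manifest_version: 2,
  permissions: ["tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["fill.js"] }],
};
const NARROW = {
  name: "Constructed single-site helper",
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://www.example.com/*"], js: ["helper.js"] }],
};

// Site access is written as a match pattern (scheme://host/path) or the
// special token <all_urls>; anything else is an API name such as "tabs".
const isSitePattern = (e) => e === "<all_urls>" || e.includes("://");

// "*://*.example.com/*" -> "*.example.com"; "<all_urls>" -> "*"
function hostOf(pattern) {
  if (pattern === "<all_urls>") return "*";
  const rest = pattern.slice(pattern.indexOf("://") + 3);
  return rest.split("/")[0];
}

function auditManifest(manifest) {
  // Manifest V2 mixes site patterns into "permissions"; V3 moves them to
  // "host_permissions". Content scripts list their own sites in "matches".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const scripted = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = [...declared, ...scripted].filter(isSitePattern).map(hostOf);
  return {
    allSites: hosts.includes("*"),
    sites: [...new Set(hosts)].filter((h) => h !== "*" && h !== "").sort(),
    apis: declared.filter((e) => !isSitePattern(e)).sort(),
  };
}

function describe(manifest) {
  const a = auditManifest(manifest);
  const reach = a.allSites ? "every site you visit" : a.sites.join(", ") || "no sites";
  return `${manifest.name}: has access to pages on ${reach}`;
}

console.log(describe(BROAD));
console.log(describe(NARROW));
```

Permissions listed under optional_permissions, which an extension can ask for after installation, are not covered here.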

Who do you trust?

Given that extensions have such wide-ranging abilities to examine the data shown and entered in your browser, it’s important to remain cautious and install only extensions you trust.

So, how do you know who to trust?

Aside from PUPs (extensions that appear without your having asked for them), there’s no easy answer. It boils down to researching the company providing the extension, making sure they’re legitimate, and ensuring their policies match your expectations.

Look for reviews on sites like Ask Leo!, but even there, be cautious: many “best X” sites and reports are not objective, but exist to promote a specific answer rather than a true “best of” list. Rely on sites you already know, and perhaps the advice or recommendations of trusted technical friends.

Read reviews, knowing that while there will always be unhappy customers, you’re looking for companies with mostly positive feedback. Make sure any negative reviews or complaints are about things that matter[1]. Check out support forums and see if the company responds to concerns raised by other users, and once again, whether those are issues that really matter.

Perhaps most importantly, assume the worst.

If you find you can’t come up with enough support to trust them, don’t. Don’t install the extension, and live without whatever functionality they had promised.

The risk for abuse is high. And you’re quite right: malicious browser extensions have indeed been known to slurp up banking log-in credentials and more.

Footnotes & References

1: It’s amazing how upset people get over the most minor annoyance. Take all individual reviews with a grain of salt, and look instead for trends.

1 thought on “Can I Trust Browser Extensions?”

  1. I think as a general rule only install a minimal amount of extensions and only trust ones that have been around a while as this keeps one's risk at a minimum (and I figure the less extensions installed the better for all around browser performance). I see Mozilla has a ‘Recommended extensions’ icon which I would imagine helps a bit. I only have three extensions installed and all three have the recommended logo on them as I imagine even with this logo, while not guaranteed to keep you safe, it’s probably noticeably less likely to be malicious vs those random no-name extensions.

    I think, at the minimum, just about everyone should have a decent ad-blocking extension since it removes a lot of unwanted junk online and gives one a smoother all around experience online (sure, technically risk increases on some level vs no extensions being installed but I figure the benefits outweigh the minimal risk). I suggest uBlock Origin (by Raymond Hill), which has nearly 4.9 million users (and has been around for years), since that seems to be the best free ad-blocker in general in my opinion. NOTE: get the extension (or pretty much any extension for that matter) from official sources. So in Firefox for example… click the triple line icon (near top right area of Firefox) then click the ‘add-ons’ and search for it in there.

    But anyways, like Leo said… treat extensions like programs, only install what you trust. So unless you're confident it’s legitimate, just assume it’s malicious and don’t install it. Or if some random site is asking to install an extension, it’s probably malicious so don’t install it.
