Browser extensions

Are browser extensions the new macros?

I’m not a fan of browser extensions. I use a select few, and several browser profiles, to manage the risk. But the impact can be significant, with scams and malware all over them.

The sweet scam

By now, you might have heard of the scam Honey is running to allegedly steal money from influencers, sellers and customers alike. It’s pretty brazen if you ask me. Basically:

  1. Honey pays influencers to promote their browser extension, which finds discount codes.
  2. Customers install the extension and use it to automatically find the best discount possible.

Sounds good? Well, not so fast. Let’s fix this with what is allegedly happening instead:

  1. Honey pays unknowing influencers to promote their browser extension, which pretends to look for the best discount codes.
  2. Customers install the extension and use it to automatically find the best discount possible.
    1. The extension may or may not provide the best coupon codes, based on what merchants are willing to pay.
    2. It also replaces the referral code with its own, so that the referral fee goes to them, rather than the influencer or whoever is promoting a product. It does so even if there are no vouchers available.

So in the end:

  • Users lose money because Honey is knowingly not always offering them the best discount codes.
  • Promoters (e.g., influencers, reviewers, etc.) lose money because their referral codes are replaced by Honey’s.
  • Sellers lose money because they have to limit the damage the Honey extension can do to their bottom line.
  • Honey, which is owned by PayPal, makes tons of money.

The big mess

But this kind of scam is not all that’s wrong with browser extensions: many are simply malware disguised as “useful” extensions. The reason is that extensions can have extensive permissions in your browser:

  • Read everything you read or type
  • Submit any request they want

And this means, yes, reading your password, accessing your bank account (or crypto wallet), stealing your (online) photos, and more. How do you feel about this?

Some browsers allow putting some restrictions in place, such as which websites an extension can interact with. Google and others also try to scan extensions for malicious code. But it has proved insufficient.

Just over the end of year break, a widespread cyberattack targeted Google Chrome extensions and compromised 2.6 million devices. There are many techniques attackers use:

  • Compromise legitimate extensions
  • Trick people into believing they are installing a legitimate extension
  • Trick people into believing they are installing a useful extension

In any case, those extensions can be you: See what you see, do what you do. And that is a serious risk to take.

What to do?

The problem is that some extensions are genuinely useful, starting with a password manager. So what can you do?

  • Verify carefully that the extension is legitimate: Go to the company’s website and follow the link from there.
  • Review the permissions these extensions ask for: Anything you don’t understand, you should stay away from.
  • Think twice about the risks and benefits: Is an extension that adds cat videos to every page really worth getting your life ruined for?
  • Use separate profiles/browsers: This allows you to install different extensions, avoiding the cat-video extension on your bank profile, for example.
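One way to make the permission review concrete, as an added example that is not from the original post: a small Python check that reads an extension's `manifest.json` and flags access to every site and a selection of sensitive Chrome API permissions. The sample manifest is constructed for illustration, and the list of permissions treated as sensitive is an assumption, not a complete catalogue.

```python
import json

# Host patterns that match every site: the extension can read and alter any page.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Selection (an assumption, not exhaustive) of Chrome API permissions that
# expose browsing data or let the extension act on the user's behalf.
SENSITIVE_APIS = {
    "cookies": "read and set cookies, including session cookies",
    "webRequest": "observe the requests the browser makes",
    "scripting": "inject scripts into pages",
    "tabs": "see the URL and title of every open tab",
    "history": "read browsing history",
    "clipboardRead": "read the clipboard",
    "debugger": "attach the debugger protocol to tabs",
    "nativeMessaging": "talk to programs installed on the computer",
}

def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    keys = ("permissions", "host_permissions",
            "optional_permissions", "optional_host_permissions")
    declared = [p for k in keys for p in manifest.get(k, []) if isinstance(p, str)]
    for perm in declared:
        if perm in BROAD_HOSTS:
            findings.append(f"host access to every site: {perm}")
        elif perm in SENSITIVE_APIS:
            findings.append(f"{perm}: can {SENSITIVE_APIS[perm]}")
    # Content scripts run inside matching pages and can read what is shown or typed.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.append(f"content script injected on every site: {pattern}")
    return findings

# Constructed sample manifest (not from any real extension).
SAMPLE = json.loads("""{
  "manifest_version": 3,
  "name": "Example Coupon Finder",
  "permissions": ["storage", "cookies", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("-", finding)
```

An empty result only means none of the listed patterns were declared; it says nothing about what the extension's code does with the access it has.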

Olivier Reuland