Chrome’s official extension repository has more than 137,345 extensions, with some having more than 1M users. There are so many around, and you’re even using a few, albeit cautiously. How safe are these browser extensions? Can they steal your passwords?
Chrome extensions cannot steal your passwords by default. When you add an extension, you grant a set of permissions. If you approve access to site content, sensitive data can be read by the extension, including login usernames and passwords. It’s essential to vet extensions before installing them.
Be vigilant about the extensions you install and what permissions they have. Don’t let your guard down – keep reading to learn more about Chrome extensions and passwords.
Security of Chrome Extensions
Two types of worrisome extensions threaten your passwords: those with malicious intent and those that are not well-designed.
Malicious Extensions
Due to the global reach of the extension stores, it is compelling for attackers to launch attacks using extensions. These browser-based attacks can take many forms, the most common being ad fraud and credential theft.
Thousands of Chrome users were tricked into installing a fake AdBlock Plus extension that served them unwanted ads and collected their browsing data. This attack is not exclusive to the Chrome store—similar incidents have been seen in the Firefox and Opera extension stores.
In a different type of credential theft attack, hackers took advantage of the fact that many people reuse passwords across various sites. Using an extension, they intercepted users’ credentials as they typed them into the login fields of popular sites like Facebook. They then used the stolen credentials to hijack user accounts and commit fraud.
Non-malicious But Poorly Designed Extensions
Although well-intentioned, most extension developers are often not security experts and write buggy code that malicious website operators can exploit.
For example, an extension that could have been innocently built to be a spelling and grammar check tool. Suppose this extension has some security loopholes in the code. This is good news to an attacker who can exploit that and turn our helpful tool into a spy that silently logs the user’s keystrokes and transfers them to a third party.
A recent study found that extensions are vulnerable to a type of attack called cross-site scripting (XSS). This attack allows an attacker to execute malicious code in the context of the extension, giving them access to sensitive information like cookies, browsing history, and passwords.
Why Chrome Extensions Can Steal Passwords
Why are these types of attacks possible? The answer lies in the permissions that extensions request.
Most often, browser extensions run with the same privileges as the browser itself.
When you install an extension, you are presented with a list of permissions that the extension is requesting.
For example, it makes sense for a simple word counter extension to request access to the page so that it can do its job. But this also means it can read any username and password information displayed on the page.
The list of requested permissions is quite extensive but can include access to your browsing history, cookies, passwords, and other sensitive data.
While some of these permissions make sense for the extension’s functionality, others may be excessive and unnecessary.
An example of over-reaching permission: Does an ad blocker need to know your browsing history?
When you install an extension, you are trusting the developers not to abuse the permissions they are requesting. But some do.
You also trust that the developer was security conscious when programming the extension, such that there are no vulnerabilities that a malicious attacker could exploit and use the extension as a trojan horse to access your sensitive information.
3 Other Recent Attacks via Malicious Browser Extensions
Google Chrome has a built-in password management feature available from the extension store. Developers can add this feature to their extensions, but unfortunately, sometimes malicious extensions get through and collect user information.
Below are three recent culprits. I am glad these extensions are caught, but who knows how many are still under the radar.
CacheFlow
In 2021, malware was found in the CacheFlow extension that collected users’ personal information and redirected them to malicious sites.
The attacker used the extension for almost three years before it came to light and was removed from Google chrome and Microsoft Edge extension stores.
Great Suspender Extension
Later that same month, Great Suspender Extension Google removed this from the Chrome store in February 2021.
It was a potential risk to user security because it could sneakily add new features in the browser to execute arbitrary code from a remote server and perform functions like carrying out ad fraud and tracking users online.
The Chrome extension was quite famous because it helped users avoid memory issues. People often blame Chrome for using too much RAM, but this extension helped fix that.
The Great Suspender extension has been linked with the recent 2019 Google data theft incident wherein an attacker gained access to user accounts by tricking them into installing the extension from dubious websites and then sending them to an external server that installed malware.
Nigelthorn
Another popular malware-affected extension that came to light in 2018 was Nigelthorn.
It encouraged users to click on links that would lead them to fake YouTube pages and then ask to install an extension. This extension would then redirect users on Facebook or Instagram to log in with their credentials. It would then post account credentials, authentication tokens, and cookies to its server.
Nigelthorn uses the stolen accounts to spread further by publishing malicious links in spam messages or posts that tag the user’s contact.
As if all that wasn’t enough, experts also found this extension to be using the infected systems as cryptocurrency mining tools.
Some other popular browser extension-based attacks and how they worked have been shown in the table below:
| Attack type | Name of extension | Attack description |
| Adware | Dubbed Copyfish | Ad-injection |
| Spying or tracking | Autocopy | Stores and transfers user data to its servers. |
| Spying | BBC News Reader | Tracks browsing habits of users. |
| Spying | Viralands | Access to Facebook access token; login credentials stolen. |
How Do I Keep My Passwords Safe from Browser Extensions?
While there’s no one way to prevent your data from being stolen, I hope the information below will keep you safe from any nefarious hacking attempts.
- Limit the number of extensions installed: This would make it easier to keep a check on extensions and their activities and also limit your attack surface.
- Remove the extensions from your browser if you are not using them: When an extension is first uploaded on the Chrome extension store, it is vetted thoroughly. However, a benevolent extension from a trusted source can be exploited by attackers and may be replaced by an infected version. So, it is always a good idea to keep an eye on your extensions and remove the ones you are no longer using.
- Pay attention to the requested permissions: Review each permission carefully and understand what it means for you. Avoid giving permissions to useless features. Only allow the necessary permissions.
- Use private or incognito mode when visiting sensitive sites like financial sites: Using a protected browsing mode helps prevent the website from storing any user data to be saved to the browser and exploited by any of the extensions later. Extensions are by default disabled for private browsing mode to prevent access to secure and/or confidential information.
- Only install extensions from trusted developers: Do your due diligence. Always check its reviews, the number of installs, and the permissions it requests. Do not install any extension that has a low rating or doesn’t seem to be well-trusted.
Be extra careful when installing any new extension: Do not click on random links that offer extensions; always go to the official store. Additionally, do not click link offers within an installed extension that you do not trust.
Even if you visit the official store, be cautious about what you install.
It’s worth repeating: Only install extensions you genuinely need and carefully review what permissions are necessary.
You are being proactive by looking for ways to prevent add-ons from stealing your password. That’s good. But is your password strong? Take a look at how to make a strong password in 5 easy steps.
