Browser extensions are small programs that can be installed on your browser, like Chrome or Firefox. They’re usually designed to make your life easier, such as an extension for Firefox that lets you add bookmarks without leaving the page you’re on. But some extensions are looking at more than just your browsing habits—they’re also looking at your bank account information.
One extension called “Binocular” was found to be accessing users’ bank account information by scanning through their Google search history. The extension was downloaded over 1 million times before it was pulled from the Chrome Web Store last month. The issue isn’t just with Binocular, either—other extensions have been found to do the same thing. In December of last year, an extension called “Web Developer Toolbar” was discovered to be accessing users’ passwords and other sensitive information. The toolbar had been downloaded over 500,000 times before it was removed from the Chrome Web Store.
It’s not clear how these extensions were able to access this information, but it’s possible that they were using third-party tracking cookies or other methods of tracking users’ online activity. It’s also possible that the developers of these extensions weren’t aware that their programs were accessing this kind of information. Browser extensions are a great way to make your life easier, but it’s important to be aware of what kind of data they’re collecting and how it might be used.
Extensions Have Access to Everything in Your Web Browser
Have you ever paid attention to the message you see when installing a browser extension in Chrome, for example? For most browser extensions, you’ll see a message stating that the add-on can “Read and change all your data on the websites you visit.”
This means that the browser extension has full access to all the web pages you visit. It can see which web pages you’re browsing, read their contents, and watch everything you type. It could even modify the web pages—for example, by inserting extra advertisements. If the extension is malicious, it could gather all that private data of yours—from web browsing activity and the emails you type to your passwords and financial information—and send it to a remote server on the internet.
So, when you sign in to your online banking account, your browser extensions are right there with you. They can see your password as you log in and view everything you can see on your online banking account. They could even modify the online banking page before you view it.
There’s a Permission System, but Most Extensions Get Everything
We’re oversimplifying things here, but just a little bit: Not every extension can see your online banking account. There is a permission system for browser extensions in modern web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. Some browser extensions use far fewer permissions.
For example, they may only run when you click the browser extension’s button, which means that they can’t actually watch anything on a web page until you click that button. They may only run on specific websites—for example, a browser extension that affects Gmail might only run on Google’s website and not on other websites.
However, the vast majority of browser extensions that most people use have permission to run on every website the browser loads.
In Google Chrome and Microsoft Edge, you can control an extension’s “site access” permissions and choose whether it runs automatically on all websites you open, only when you click it, or just on specific websites you list.
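As an added example (not part of the original article), this Node.js script reads the site access an extension requests in its manifest.json and sorts it into the three levels described above: every website, specific websites, or only on click. It also checks whether a given URL falls inside the requested match patterns. The sample manifests, the bank.example URL, and the function names are constructed for illustration.

```javascript
// Added example: classify the site access an extension's manifest.json requests.
// Does a match pattern such as "https://*.example.com/*" cover this URL?
function patternMatches(pattern, url) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // not a well-formed host pattern
  const [, scheme, host, path] = m;
  const u = new URL(url);
  const uScheme = u.protocol.slice(0, -1);
  if (scheme === "*" ? !/^https?$/.test(uScheme) : scheme !== uScheme) return false;
  if (host.startsWith("*.")) {
    const base = host.slice(2); // "*.example.com" covers example.com and subdomains
    if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
  } else if (host !== "*" && u.hostname !== host) return false;
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$").test(u.pathname + u.search);
}

// Host patterns live in permissions (MV2), host_permissions (MV3) and content_scripts.
function hostPatterns(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...declared, ...injected].filter((p) => p === "<all_urls>" || p.includes("://"));
}

function classifySiteAccess(manifest) {
  const hosts = hostPatterns(manifest);
  if (hosts.some((p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p))) return "all-sites";
  if (hosts.length > 0) return "specific-sites";
  if ((manifest.permissions || []).includes("activeTab")) return "on-click";
  return "no-site-access";
}

function canReadUrl(manifest, url) {
  return hostPatterns(manifest).some((p) => patternMatches(p, url));
}

// Constructed sample manifests (not real extensions) and a placeholder bank URL.
const samples = {
  everywhere: { manifest_version: 3, permissions: ["storage"], host_permissions: ["<all_urls>"] },
  gmailOnly: { manifest_version: 3, content_scripts: [{ matches: ["https://mail.google.com/*"], js: ["c.js"] }] },
  clickOnly: { manifest_version: 3, permissions: ["activeTab", "scripting"] },
  legacy: { manifest_version: 2, permissions: ["tabs", "*://*/*"] },
};
const bankUrl = "https://bank.example/accounts";
for (const [name, manifest] of Object.entries(samples)) {
  console.log(name, classifySiteAccess(manifest), "reads bank page:", canReadUrl(manifest, bankUrl));
}
```

The result reflects what the manifest requests for automatic access; an "on-click" extension still gains access to the current tab once you click its button, and the browser's own site access setting can narrow a broad request further.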
Is It a Real Risk?
What we’re saying here is that most (or all) of the browser extensions you use can see your bank account information, just as they can see everything else that you do on the web.
If a browser extension is totally trustworthy and reliable, that’s fine. The browser extension can behave responsibly and not capture any data or interfere with your banking information.
If a browser extension isn’t trustworthy and wants to abuse this access—well, it can.
This isn’t just a theoretical problem. It has happened many times before. Even if all your extensions are fine right now, we have long discussed the danger: A safe extension could transform into malware overnight. A developer might sell the extension to another company, and that company might add tracking code, keyloggers, or anything else. This sort of thing is big business. An extension could display more ads in the web pages you load and track you to better target ads, or criminals could capture your passwords, personal information, and credit card numbers.
Your browser will automatically install the update and the new, malicious version of the extension will get to work. Hopefully, your browser’s developer will notice the problem and disable the extension—for example, Google might remove it from the Chrome Web Store—but this can take some time.
And yes, some extensions have been caught capturing banking data.
Only Install Extensions from Developers You Trust
We’re not telling you you need to uninstall every single browser extension you have. Instead, just realize the immense access you’re giving to the browser extensions you install, and act accordingly.
If you trust an extension’s developer, then by all means, install that extension. For example, if you use a password manager and already trust that organization with your passwords, feel free to install your password manager’s browser extension. (If you don’t trust that organization to install a browser extension, you definitely shouldn’t trust it to manage your passwords!)
On the other hand, if you want a nifty feature and you find an extension that offers it, but you’ve never heard of the developer and aren’t sure how much you should trust them—consider skipping the browser extension.
You might also want to limit the access that the extension has. For example, you could install an extension and configure it to only run on specific websites in Chrome or Edge, or you could use a separate browser that doesn’t have any potentially dangerous extensions installed to do your online banking.
But think about it: If you don’t trust the extension, maybe you shouldn’t be running it in the first place.
Ultimately, browser extensions have access to everything you do in your web browser. When you’re thinking about installing a browser extension, ask yourself this question: Would you install a Windows desktop application from the creator of the browser extension and let it run in the background on your computer? If not, consider skipping the browser extension, too.
Extensions may look like small programs, but they’re more powerful than they might seem. A mobile app on iPhone or Android can’t see everything you do on your phone, but a typical browser extension can see everything you do in your web browser.