Facebook and malicious apps often get most of the criticism when it comes to data mining. However, malicious browser extensions can be just as much of a privacy risk. A new study of the Google Chrome Web Store has revealed that over a third of all Chrome browser extensions can read user data on any site.
The study was published by the US cloud security firm Duo Security. The data for the study was collected via a tool called CRXcavator, which scans all the browser extensions in the Google Chrome Web Store and then uses numerous criteria to assign a risk score to each extension. For the study, CRXcavator scanned all 120,463 of the extensions in the Google Chrome Web Store during January 2019.
Here are the key findings from this study:
- 35.4% of the Chrome extensions could read your data on any site
- 31.8% of the Chrome extensions used third-party JavaScript libraries with publicly known vulnerabilities
- 15% of the Chrome extensions used third-party JavaScript libraries with publicly known vulnerabilities and could read your data on any site
- 84.7% of the Chrome extensions didn’t have a listed privacy policy
- 77.3% of the Chrome extensions didn’t list a support site
- 9% of the Chrome extensions could access and read your cookies
While these results are alarming, they serve as a stark reminder that you should always review the permissions, privacy policies, and user reviews of any piece of software before you install it on your device or browser. Malicious extensions and apps can slip through even the most tightly regulated web stores, so you need to be very selective with the software you install on your device.
Even though these results only cover the Google Chrome Web Store, the trends from this survey are likely to be similar across all browser extensions. So, no matter which browser you use, take this opportunity to audit all the extensions you currently have installed and keep only those that you need.
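As a starting point for that audit, the following added example (not code from Duo Security or CRXcavator) checks installed extensions for two of the permissions the study measured: access to data on any site and access to cookies. It assumes you pass the path of a Chrome profile's `Extensions` directory as the first argument; the function names and the sample manifests are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return the broad-access findings for one parsed manifest.json."""
    perms = manifest.get("permissions", [])
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(p for p in perms if isinstance(p, str))
    hosts.update(manifest.get("host_permissions", []))
    # Content scripts run inside every page their "matches" patterns cover.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return {
        "name": manifest.get("name", "?"),
        "all_sites": sorted(hosts & BROAD),
        "cookies": "cookies" in perms,
    }

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under an Extensions directory."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        result = audit_manifest(manifest)
        result["id"] = path.parts[-3]  # the extension ID is the directory name
        findings.append(result)
    return findings

# Constructed sample manifests (not real extensions).
SAMPLE_V2 = {"name": "Sample A", "manifest_version": 2,
             "permissions": ["cookies", "tabs", "<all_urls>"]}
SAMPLE_V3 = {"name": "Sample B", "manifest_version": 3,
             "permissions": ["storage"],
             "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in audit_profile(sys.argv[1]):
            print(finding)
    else:
        print(audit_manifest(SAMPLE_V2))
        print(audit_manifest(SAMPLE_V3))
```

Any extension reported with a non-empty `all_sites` list or `cookies` set to true is worth a second look against what the extension actually needs to do.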