Ad blockers, VPN services, password managers, typo correctors, and other browser extensions have full access to all your personal data on every page you visit, including passwords, credit cards, and private photos.
I will not claim that any particular extension collects such information, but I will show you why it is possible and what you can do about it. There have, however, been numerous privacy scandals involving extensions.
What the heck am I talking about?
I developed a Google Chrome extension that eventually had 14,000 users. About once a month I received a shady proposal to monetize it.
Monetizing, in this case, is just another word for fraud: those people suggest showing users unwanted advertisements in place of images or legitimate banners, along with other not quite ethical ways of earning money.
For example, take one of the so-called “free” VPN services. It can cover its server costs by replacing Amazon links with affiliate ones, swapping every Google AdWords block for third-party banners, or simply sending everything you type into email and password fields to its servers. Nobody reads privacy policies anyway, right? Besides that, such extensions can simply lie in their privacy policy.
Why is it possible?
Browser developers are very smart people. They allowed whole new ecosystems to emerge and grow on top of browsers. Extensions add missing functionality to browsers, and I recommend using them. The main problem lies in the access control: the permissions that extensions request at installation. I will give examples for Google Chrome, but Firefox, Opera, and many smaller browsers use the same extension format (WebExtensions), so the problems are the same.
Full access problem
Everyone who has installed an extension has seen the following modal:
Have you noticed that? The extension just asked for full access to read and modify all data on all pages that you visit, and I allowed it with a single click. Any UI/UX professional can confirm that the modal looks like an ordinary confirmation dialog: “Are you sure you want to install the extension?” Even if you read the notice carefully, it is hard to understand what the phrase means exactly.
What it actually means is that the extension receives permission to execute arbitrary code on any page that you visit. This can happen in the background, without any further consent from you. Moreover, the extension can perform HTTP requests from its background page, so they never appear in the page's Web Inspector (they are visible only in the extension's own background-page inspector, which ordinary users never open).
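The wording of that modal is driven by the host patterns declared in the extension's manifest.json: "<all_urls>" or a pattern with "*" as its host means every site, while "https://mail.example.com/*" means one site. The script below is an added example written for this article, not code from the original post or from any real extension; it reads a manifest and reports whether the extension is asking for full access, so you can check before clicking "Add". It handles Manifest V2 (host patterns mixed into "permissions") and Manifest V3 ("host_permissions"), and also counts a content script injected into every page as full access, because such a script can read and change the page just as a host permission can. The three sample manifests are constructed for the demo and do not describe real extensions.

```javascript
// Added example (not from the original article): audit the host access an
// extension requests in its manifest.json. Runs under Node with no browser.

// Chrome match pattern: <scheme>://<host><path>; "<all_urls>" is a special case.
const MATCH_PATTERN = /^(\*|https?|ftp|file|chrome-extension):\/\/([^\/]*)(\/.*)$/;

function isHostPattern(p) {
  return p === '<all_urls>' || MATCH_PATTERN.test(p);
}

// Host part of a pattern. "*" means any host; "<all_urls>" and the empty host
// of file:/// patterns are treated as any host as well.
function hostOf(p) {
  if (p === '<all_urls>') return '*';
  const host = p.match(MATCH_PATTERN)[2];
  return host === '' ? '*' : host;
}

function auditManifest(manifest) {
  const declared = [];
  // MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
  for (const key of ['permissions', 'optional_permissions',
                     'host_permissions', 'optional_host_permissions']) {
    for (const p of manifest[key] || []) declared.push(p);
  }
  const broad = new Set(), scoped = new Set(), apis = new Set();
  for (const p of declared) {
    if (!isHostPattern(p)) { apis.add(p); continue; }   // e.g. "tabs", "storage"
    (hostOf(p) === '*' ? broad : scoped).add(p);
  }
  // A content script whose "matches" covers every host is full access too.
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      if (isHostPattern(p)) (hostOf(p) === '*' ? broad : scoped).add(p);
    }
  }
  return {
    manifestVersion: manifest.manifest_version || 2,
    fullAccess: broad.size > 0,
    broadPatterns: [...broad].sort(),
    scopedPatterns: [...scoped].sort(),
    apiPermissions: [...apis].sort(),
    // activeTab is the least-privilege alternative: the current tab only,
    // and only after the user clicks the extension's button.
    usesActiveTab: apis.has('activeTab'),
  };
}

// Constructed sample manifests for the demo (not real extensions).
const SAMPLE_MANIFESTS = {
  // MV2 "free VPN": every host, plus request interception.
  freeVpn: {
    manifest_version: 2, name: 'Free VPN', version: '1.0',
    permissions: ['<all_urls>', 'webRequest', 'webRequestBlocking', 'storage'],
  },
  // MV3 price tracker: narrow host_permissions, but a content script on every page.
  priceTracker: {
    manifest_version: 3, name: 'Price Tracker', version: '2.1',
    host_permissions: ['https://*.amazon.com/*'],
    content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
  },
  // MV3 mail helper: one site, activeTab everywhere else.
  mailHelper: {
    manifest_version: 3, name: 'Mail Helper', version: '0.3',
    permissions: ['activeTab', 'storage'],
    host_permissions: ['https://mail.example.com/*'],
  },
};

function describe(manifest) {
  const r = auditManifest(manifest);
  const verdict = r.fullAccess
    ? 'FULL ACCESS via ' + r.broadPatterns.join(', ')
    : 'scoped access';
  return `${manifest.name} (MV${r.manifestVersion}): ${verdict}; ` +
         `hosts: ${r.scopedPatterns.join(', ') || 'none'}; ` +
         `APIs: ${r.apiPermissions.join(', ') || 'none'}`;
}

for (const m of Object.values(SAMPLE_MANIFESTS)) console.log(describe(m));
```

To use it on a real extension, paste in the manifest.json from the unpacked extension directory (a .crx file is a zip archive with the manifest at its root). The point of the second sample is the part the install prompt does not make obvious: "host_permissions" can look narrow while a content script's "matches" of "*://*/*" still puts the extension's code on every page.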
Extensions have a way to specify on which sites they will work, but there is no way to request access to perform only particular actions. For example, you cannot request permission to:
You can read the full article at https://blog.mironov.live/