One of the most useful things about modern web browsers is their support for extensions, whether it's automatically finding coupon codes, cleaning up your experience on social media, auto-magically filling in passwords, or blocking ads and cutting into our revenue. There's a ton of extensions out there that can make your life a little bit better, but with so many extensions floating around and trying to get you to install them, security is a legitimate concern, especially since many extensions aren't exactly from big-name developers that you would immediately recognize and know whether or not to trust.
So to address this, Google vets extensions for security with both manual human review and automated, algorithm-based methods, similar to how smartphone apps from the Play Store have to be approved before they're available for public download. But with over 180,000 extensions currently available through the Chrome Web Store, some poorly coded and maliciously coded extensions slip through the vetting process from time to time.
Attackers who want to use extensions to steal information know this, and in fact, back in 2018, Google announced that it was going to beef up its review practices after it was found that one in 10 submissions to the web store contained malicious code. The idea was that Google would make its approval process more stringent by cracking down on obfuscated code, in other words, code that developers made deliberately hard to understand, possibly to hide some sort of seedy functionality.
Google also reined in how many permissions extensions were granted by default, in an attempt to prevent them from reading or modifying user information in a surreptitious manner.
However, the web store still has problems. In June 2020, it came out that one particular form of spyware hidden in browser extensions had been downloaded nearly 33 million times. That's almost one download for every person in Canada. These extensions secretly contained keyloggers and other code that harvested login credentials as well as information copied to the Windows clipboard, and ironically, many of these extensions claimed to give users a heads-up when they were visiting risky websites.
Others masqueraded as file converters, and it can indeed be tricky to convert from one file format to another, so it's easy to understand the appeal. So what can you do to protect yourself when you're hunting for a useful extension?
Number one is to keep in mind that most of those 180,000-plus extensions have very small user bases. In fact, over 85% of extensions have fewer than 1,000 installs worldwide, and compromised extensions are far more likely to be part of this mass, because a tiny user base means there are very few people picking through them, monitoring them, and figuring out if something's wrong. So if you're trying to pick between several extensions that all appear to offer very similar functionality, it's not a bad idea to stick with the ones that have lots of positive reviews as a quick way to avoid problems.
Another sound strategy is to limit your exposure by asking yourself whether you really need a particular extension in the first place. Like, don't get me wrong, some extensions that manage your tabs or give added functionality to specific websites are extremely useful and can't really be replicated, but if you just want to be served inspiring quotes, get reminders, or convert files, like we mentioned before, those are things that can all be accomplished by just browsing the web or using a program that you can download to your computer. Again, please make sure you find a reputable one.
Additionally, be sure to have a good hard look at the extension's page before you download it. Extensions that are really just vehicles for malware often have clunky-looking interfaces and poorly written descriptions riddled with grammatical errors, similar to what you might see in a spam email or on a phishing page.
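One more check worth doing before you install, as an added example that is not part of the original video: unpack the extension and look at its manifest.json, since the permissions it declares tell you what it can actually reach. The script below reads a manifest (Manifest V2 or V3) and flags permissions that let an extension read every site you visit, your clipboard, your history or your cookies. The permission names and match-pattern syntax are Chrome's real ones; the two manifests at the bottom are constructed samples (one modelled on a "safe site warnings" extension asking for far more than it needs, one scoped to a single site), and the risk descriptions are this example's own judgement, not Google's classification.

```python
"""Flag over-broad permissions in a Chrome extension manifest before installing it."""
import json
import sys

# Real Chrome permission names; the risk notes are this example's own judgement.
SENSITIVE_PERMISSIONS = {
    "clipboardRead": "can read anything you copy to the clipboard",
    "cookies": "can read session cookies for the hosts it is allowed on",
    "history": "can read your full browsing history",
    "webRequest": "can observe every request to the hosts it is allowed on",
    "webRequestBlocking": "can modify or block requests (Manifest V2)",
    "tabs": "can see the URL and title of every open tab",
    "debugger": "can attach to pages the way DevTools does",
    "nativeMessaging": "can talk to a native program on your machine",
}


def is_broad_pattern(pattern):
    """True if a match pattern covers every site (<all_urls> or a '*' host)."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def host_patterns(manifest):
    """Collect every host match pattern the manifest asks for, MV2 or MV3 style."""
    patterns = list(manifest.get("host_permissions", []))  # Manifest V3
    # Manifest V2 mixes host patterns into "permissions"
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def review_manifest(manifest):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(f"permission '{perm}': {SENSITIVE_PERMISSIONS[perm]}")
    for pattern in host_patterns(manifest):
        if is_broad_pattern(pattern):
            findings.append(f"host pattern '{pattern}': runs on or reads every site you visit")
    return findings


def load_manifest(path):
    """Load a manifest.json from an unpacked extension directory or file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample: asks for everything, the way the spyware-laden
# "risky site warning" extensions in the story would have had to.
BROAD_MANIFEST = {
    "manifest_version": 3,
    "name": "Safe Site Warnings (constructed sample)",
    "version": "1.0",
    "permissions": ["tabs", "clipboardRead", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}

# Constructed sample: scoped to one site, nothing sensitive.
NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Site Helper (constructed sample)",
    "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["content.js"]}],
}


if __name__ == "__main__":
    # Pass a path to a manifest.json to review a real extension; otherwise run the samples.
    targets = ([("argument", load_manifest(sys.argv[1]))] if len(sys.argv) > 1
               else [("broad sample", BROAD_MANIFEST), ("narrow sample", NARROW_MANIFEST)])
    for label, manifest in targets:
        print(f"== {label}: {manifest.get('name', '?')}")
        for finding in review_manifest(manifest) or ["nothing flagged"]:
            print("  -", finding)
```

A finding is not proof of malice; a password manager legitimately needs to run on every site. The point is that a coupon finder or a "risky site" warner asking for clipboardRead plus `<all_urls>` should make you stop and read the reviews more carefully, or skip it.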
Of course, we expect Google to improve its vetting procedures, especially because it's kind of a bummer that we're going to lose some of those diamonds in the rough if we say, hey, just make sure you only install mainstream extensions. But sometimes in life, you've just got to put your own safety first, lest you end up like that poor fellow who lost over 100 grand worth of Bitcoin thanks to a shady crypto client extension.