Browser Extensions

Expanding the capabilities of your web browser through the use of plug-ins is something many of us do. It's simple and easy to browse the Chrome Web Store or Add-ons for Firefox pages and stock up on tons of free, useful, and novel extensions to increase productivity, add features, or simply change the browser aesthetic.

Unfortunately, browser extensions are often built on technologies like HTML, JavaScript, and CSS that can be exploited to perform malicious functions. With cross-browser extensions gaining support, the userbase for popular extensions is growing into the millions.

Potential Risks

Recently, the Chrome Web Developer extension created by Chris Pederick was compromised, affecting over a million users. Pederick tweeted out a notice explaining that he had fallen victim to a phishing attack and accidentally handed over his Google account credentials. The attacker used this to modify the extension and push an update that infected everyone using it.

This is not the first time this sort of attack has happened, and it will not be the last. Many of these attacks are aimed at injecting ads into your browser, which generate revenue for the attacker. Malicious code could also be embedded in these ads, allowing further infection to spread. Even worse, keyloggers and clipboard sniffers could be added to the extension, potentially compromising millions of users' sensitive information.

Only one person needed to be compromised in order to affect millions, indicating that this security model is incredibly flawed.

What You Can Do

The first thing you should do is cut down on all unnecessary browser extensions.

On Chrome, go to chrome://extensions/ and review everything on this page. Click the trashcan icon to delete all extensions you don't recognize or use. Additionally, if you use incognito mode when accessing websites that handle sensitive information, make sure that the appropriate extensions are able to run by checking the "Allow in incognito" option.

On Firefox, go to about:addons and select the "Extensions" tab on the left. Go through and prune out everything unknown or unnecessary.

If you had unknown extensions, you're going to want to think about how they got there. Do some google-fu and research the extension name, find out if it's legitimate and if it is automatically installed with any software you use. You want to understand why and how things went wrong when they do in order to prevent them in the future.
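To go with the manual review above, the following added example (not part of the original article) lists what each installed Chrome extension declares in its manifest and flags all-site access. It assumes Chrome's profile layout of `Extensions/<extension id>/<version>/manifest.json` and takes that `Extensions` directory as its argument; the function names, finding labels, sample manifest and the selection of permissions flagged are this example's own.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions worth a second look (this example's selection, not exhaustive).
SENSITIVE_APIS = {"clipboardRead", "cookies", "history", "tabs", "webRequest", "debugger"}
# Constructed sample manifest, audited when no directory is given.
SAMPLE = {"name": "Example Helper", "version": "1.0", "permissions": ["tabs", "<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}


def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    findings = {f"api:{p}" for p in declared & SENSITIVE_APIS}
    if declared & BROAD_HOSTS:
        findings.add("hosts:all-sites")
    # A content script with a broad match runs the extension's JavaScript inside
    # every page, which is where an injected ad or keylogger would live.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.add("content-script:all-sites")
    return sorted(findings)


def scan_extensions(root):
    """Audit every <root>/<extension id>/<version>/manifest.json."""
    report = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            row = (ext_id, manifest.get("version", "?"), manifest.get("name", "?"),
                   audit_manifest(manifest))
        except (OSError, ValueError, AttributeError, TypeError):  # unreadable or malformed
            row = (ext_id, "?", "unreadable manifest", [])
        report.append(row)
    return report


if __name__ == "__main__":
    rows = (scan_extensions(sys.argv[1]) if len(sys.argv) > 1
            else [("sample", SAMPLE["version"], SAMPLE["name"], audit_manifest(SAMPLE))])
    for ext_id, version, name, findings in rows:
        print(f"{ext_id}  {name} {version}: {', '.join(findings) or 'nothing flagged'}")
```

Names printed as `__MSG_...__` are localization placeholders; match the extension ID against chrome://extensions/ to identify the extension.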

Recommended Extensions

Panopticlick is a neat tool from the Electronic Frontier Foundation (EFF) that can tell you how well your browser protects you from common tracking methods. You will want to pass at least the first three tests, and ideally be protected from fingerprinting as well.

Privacy Badger - developed by the EFF, helps block spying ads and trackers

HTTPS Everywhere - developed by the EFF, forces HTTPS on all sites

Self-Destructing Cookies - automatically deletes cookies, add sites to the whitelist if you want to keep cookies for it

Less is more - avoid all unnecessary browser extensions, they are a major risk

AdBlock/uBlock - prevent ads from loading to decrease risk of accidentally clicking on one

NoScript/ScriptSafe - stop background scripts from running without your consent

For cryptocurrency users

MetaMask - not the most secure wallet application, but has a great blacklist of scam sites.