Browser extensions can be hugely useful, plugging gaps in functionality, adding cool new features and options, and generally just making life on the web more convenient.
At the same time, they have the potential to be a serious security risk—many ask to see everything you see online, some change key settings inside your browser, and they can operate and communicate with their developer (or with advertisers or other parties) in the background without your knowledge.
We don’t want to discourage you from using your favorite extensions, but you should definitely make sure the ones you’re using are safe.
First, all the usual rules apply: Keep your computer and its applications up to date. Run regular malware scans. That’ll go a long way toward minimizing the risk posed by potentially dodgy extensions. Beyond those tips, here’s how to run an audit.
How to Spot Threats Early
Identifying a bad browser extension isn’t an exact science, but there are some general pointers to follow. Always do your research before installing an add-on—check the reviews from other users and reviews on the web, if there are any. See when the extension was last updated, as really old and out-of-date tools can be less secure than newer ones, and definitely look for indications that the add-on has changed hands recently.
It’s important to make sure that the extensions you install come from official repositories, such as the Chrome Web Store or the Firefox Browser Add-Ons portal. Sticking to these sources gives you some degree of certainty that the software you’re installing is legitimate and safe, so be a bit warier of extensions that you find elsewhere.
We’re not saying that new, unreviewed add-ons from unknown developers are bad, but you should be extra careful of them—can you find anything out about the company or the person behind the tool? Is it clear how the extension is being funded, or is it a passion project? What clues can you get from the website linked on the extension listing page, for example?
Double-check the permissions that an add-on is asking for. In some cases (Firefox), they’ll be listed on the extension page on the web; in others (Chrome), you won’t see them until you’re installing the software. Be on the lookout for any permission requests that seem unreasonable or strange considering what the add-on is supposed to do.
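The permissions an add-on requests are declared in its manifest.json file, so the check described above can also be run against that file directly. The script below is an added example, not part of the original article; the shortlist of permissions it flags and the sample manifest are assumptions constructed for illustration.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look; this shortlist is an assumption, not exhaustive.
SENSITIVE_APIS = {
    "tabs": "can read URLs and titles of open tabs",
    "history": "can read browsing history",
    "cookies": "can read and modify cookies",
    "webRequest": "can observe network requests",
    "proxy": "can change the browser's proxy settings",
    "management": "can manage other extensions",
    "nativeMessaging": "can talk to programs outside the browser",
    "clipboardRead": "can read the clipboard",
}
# Manifest V2 mixes hosts and APIs in "permissions"; V3 splits hosts out.
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(manifest_text):
    """Return a sorted list of (permission, reason) findings for one manifest.json."""
    manifest = json.loads(manifest_text)
    requested = set()
    for key in PERMISSION_KEYS:
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts get page access through their "matches" patterns.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    findings = []
    for perm in requested:
        if perm in BROAD_HOSTS:
            findings.append((perm, "access to every site you visit"))
        elif perm in SENSITIVE_APIS:
            findings.append((perm, SENSITIVE_APIS[perm]))
    return sorted(findings)

# Constructed sample: a "dark mode" add-on that asks for more than it needs.
SAMPLE_MANIFEST = """{
  "manifest_version": 3,
  "name": "Example Dark Mode (constructed)",
  "permissions": ["storage", "history", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["dark.js"]}]
}"""

if __name__ == "__main__":
    for perm, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{perm}: {reason}")
```

A flagged permission is not proof of a bad add-on; it is a prompt to ask whether the extension's stated purpose actually needs it.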