This weekend, we did a little ‘housekeeping’ and went through an old machine. We took a look at the Google Chrome browser and pulled up all the plugins. To our surprise, what did we see on a VPN plugin? A red triangle with an exclamation point and the words, “This extension contains malware.” (Yes, the irony is strong with this one.)
Our minds immediately thought several things at the same time:
- Who does quality/screening for plugins in the store? What does this process look like?
- How can you know enough about my browser to feed me this warning (I am pretty sure I would not have downloaded this if the warning had been there previously)?
- What else do you know about my plugins? My browsing history?
- Why didn’t Elton John go with ‘John Elton’?
So, after reviewing a few other plugins, we saw something that we found ‘concerning’. Many plugins required a LOT of permissions when installing, so they could ‘function properly’.
What exactly is ‘a lot’? Well, take a look at a VPN Chrome extension:
- Read and change all your data on the websites you visit
- Display notifications
- Manage your apps, extensions, and themes
WHY would you ever give a plugin the ability to read and CHANGE data on the sites you visit?! Or manage other apps, extensions, and themes (keep in mind that this particular plugin was supposed to keep communications private and secure)?
The answer is: because, apparently, we don’t get a choice. Any extension that interacts with websites will almost always require the “Read and change all your data on the websites you visit” permission.
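To check what an extension is asking for before trusting it, you can read the permissions declared in its `manifest.json`. The sketch below is an added example, not code from Chrome or from any extension: it maps the manifest strings that Chrome documents as triggering the three warnings listed above, and the sample manifest and the `install_warnings` function name are constructed for illustration.

```python
import json

# Manifest strings that trigger the three install warnings quoted above.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
API_WARNINGS = {
    "notifications": "Display notifications",
    "management": "Manage your apps, extensions, and themes",
}
ALL_SITES = "Read and change all your data on the websites you visit"


def install_warnings(manifest: dict) -> list[str]:
    """Return the install-time warnings implied by a manifest's declarations."""
    declared = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts that match every site get the same read/change access.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))

    warnings = []
    if declared & BROAD_HOSTS:
        warnings.append(ALL_SITES)
    for perm, text in API_WARNINGS.items():
        if perm in declared:
            warnings.append(text)
    return warnings


# Constructed sample manifest for a hypothetical VPN extension (not a real product).
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Example VPN (constructed)",
  "version": "1.0",
  "permissions": ["proxy", "storage", "notifications", "management", "<all_urls>"]
}
""")

if __name__ == "__main__":
    for warning in install_warnings(SAMPLE_MANIFEST):
        print("WARNING:", warning)
```

An extension scoped to a single site (for example only `https://example.com/*`) produces none of these three warnings, which is a useful contrast when comparing alternatives.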
Our good friends over at howtogeek.com also explained that Chrome is one of the few browsers that asks for your permission, instead of just blindly installing it. So, that’s something?
Chrome has a permission system for its extensions, while Firefox and Internet Explorer do not. Every Firefox and Internet Explorer extension has full access to the entire browser and can do anything it wants.
OK…so Explorer/Edge and Firefox are just installing extensions without even asking me for my permission or telling me what they are able to do. Huh, good to know. Time to go dig out the Netscape 3.0 floppy disk.
What should you do when faced with this scary warning? Theoretically, do not worry. Any ‘store’ that offers browser extensions should have a screening process monitored by the company, and the ability to remove bad extensions. Obviously, the reality is different.
The ‘best practice’ is the usual one when installing any type of software:
- Ask if you really need it
- Is there an alternative?
- Is it worth the risk?
You may want to run some anti-virus/malware scans on your device after installing it – just to be safe. Something to think about when you’re not freaking out about all the other things happening.