Are Browser Plugins a Necessary Evil?

This weekend, I was doing a little 'housekeeping', and went through an old machine. I was looking at my Google Chrome browser, and pulled up all the plugins. What, to my surprise, did I see on a VPN plug-in? A red triangle with an exclamation point and the words, "This extension contains malware." (Yes, the irony is strong with this one).

Screenshot of browser plugins.

My mind immediately thought several things at the same time:

  1. Who does quality/screening for plugins in the store? What does this process look like?
  2. How can you know enough about my browser to feed me this warning (I am pretty sure I would not have downloaded this if the warning had been there previously)?
  3. What else do you know about my plugins? My browsing history?
  4. Why didn't Elton John go with 'John Elton'?
  5. Did I forget to take my Adderall?

Screenshot highlighting concerns about plugin permissions in a browser.


So, I started to review a few other plugins, and saw something that I found 'concerning'. Many plugins required a LOT of permissions when installing, so they could 'function properly'.

What exactly is 'a lot'? Well, take a look at the screenshot again from this VPN Chrome extension:

  1. Read and change all your data on the websites you visit
  2. Display notifications
  3. Manage your apps, extensions and themes


Browser plugin permissions.


WHY would I ever give a plugin the ability to read and CHANGE my data on the sites I visit?! 

Or manage my other apps, extensions and themes (keep in mind that this particular plugin was supposed to keep my communications private and secure)?

The answer is: because, apparently, we don't get a choice. Any extension that interacts with websites will almost always require the “Read and change all your data on the websites you visit” permission.
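The Python script below is an added example, not code from the original post. It reads each installed extension's manifest.json and reports which of the three warnings listed above it would trigger. It assumes Chrome's on-disk layout of Extensions/<extension id>/<version>/manifest.json and that the warnings map to broad host patterns such as `<all_urls>`, `notifications` and `management` in the manifest; the function names are illustrative.

```python
import json
import sys
from pathlib import Path

# Manifest entries assumed to sit behind the three warnings quoted in the post.
ALL_SITES = "Read and change all your data on the websites you visit"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
API_WARNINGS = {
    "notifications": "Display notifications",
    "management": "Manage your apps, extensions and themes",
}


def warnings_for(manifest: dict) -> list:
    """Return the broad-permission warnings a manifest.json would trigger."""
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    declared = list(manifest.get("permissions") or [])
    declared += manifest.get("host_permissions") or []
    # Content scripts gain page access through their "matches" patterns too.
    for script in manifest.get("content_scripts") or []:
        declared += script.get("matches") or []
    declared = {p for p in declared if isinstance(p, str)}
    found = [ALL_SITES] if declared & BROAD_HOSTS else []
    found += [text for perm, text in API_WARNINGS.items() if perm in declared]
    return found


def audit_profile(extensions_dir) -> dict:
    """Map 'extension id/version' to its warnings for each flagged extension."""
    report = {}
    # Assumed layout: <Extensions>/<extension id>/<version>/manifest.json
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(manifest, dict):
            continue
        found = warnings_for(manifest)
        if found:
            report[f"{path.parent.parent.name}/{path.parent.name}"] = found
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit_extensions.py <path to the profile's Extensions folder>
    for ext, found in audit_profile(sys.argv[1]).items():
        print(ext, "->", "; ".join(found))
```

Extensions that come back with all three lines are the ones to weigh against the questions "do I really need it?" and "is it worth the risk?".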




Our good friends over at howtogeek also explained that Chrome is one of the few browsers that asks for your permission, instead of just blindly installing it. So, I guess that’s something?



How to geek website. Link to article.

Chrome has a permission system for its extensions, while Firefox and Internet Explorer do not. Every Firefox and Internet Explorer extension has full access to the entire browser and can do anything it wants.


OK...so Explorer/Edge and Firefox are just installing extensions without even asking me for my permission or telling me what they are able to do. Huh, good to know. Time to go dig out my Netscape 3.0 floppy disk.



What should you do when faced with this scary warning? Theoretically, do not worry (LMAO). Any 'store' that offers browser extensions should have a screening process monitored by the company, and the ability to remove bad extensions. Obviously, the reality is different.


(One day, when I get around to telling how hard it was to get my Zombie Scanning App approved by the Apple Store, you will really appreciate this irony. I was rejected several times for making false promises that the hardware was not really capable of scanning a person to see if they were a zombie. It took numerous emails to explain the history of zombies, and that they were, in fact, not real. It's a good story, but back to the show).

So what is 'best practice'?

The 'best practice' is the usual one when installing any type of software:

  • Ask if you really need it
  • Is there an alternative?
  • Is it worth the risk?

You may want to run some anti-virus/malware scans on your device after installing it - just to be safe.

Something to think about when you're not freaking out about all the other things happening.


Stay Safe!

-Aaron

About the Author


Aaron Birnbaum

Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA


