Everyone who uses Chrome has at least one Chrome extension installed, even if it's just an adblocker. But few realize that many of these nifty little tools can also pose a major security risk, allowing malicious actors into their devices. Here's how to separate the good extensions from the bad ones and how to implement security measures, such as a VPN, to ensure safe browsing. 

Some would argue that Chrome is the gold standard of web browsers today - and it is one of the most popular browsers out there for sure. Even in 2019, with dozens of other browser options, Chrome is still leading the pack with a 55.4% market share. This popularity can be attributed to its secure infrastructure, Google account syncing, and impressive extension ecosystem.

The latter gives Chrome a ton of flexibility and user-freedom since extensions allow people to tweak their browser experience to their preferences. But, at the same time, these extensions also pose a considerable threat, because they can be created by anyone. Google has a verification process in place for extensions on their own store, but it doesn't catch everything. As has become glaringly obvious from the massive "DataSpii" leak earlier this year.

And while Google is doing their best to make sure that only safe browser extensions make it onto the webstore, it's still not enough. Once installed, these extensions have the potential to see and track everything a Chrome user does online. They don't necessarily do that, but they can.

What Are Chrome Extensions?

Extensions are programs that change or enhance the functionality of a browser in some way. Users can install these extensions to tailor their browsing experience to their needs. For instance, many marketers use extensions to track their emails, optimize their schedule, and find new customers. There's virtually no limit to what extensions can do. Although they usually don't have a UI of their own and rely on Chrome's interface to work.

There is a permission system in place to keep extensions from doing pretty much whatever they want, which helps in theory. Problem is, this system is only good if it's used - whereas most people tend to ignore permissions when installing an extension.

Permissions might not even be used for nefarious reasons by the extension itself, but that doesn't make them any less dangerous. Because anything is hackable, and there's no guarantee that the code in a trustworthy extension is completely secure.

This is why it's important to exercise discernment when installing any Chrome extension, even if it looks secure.

When Chrome Extensions Become Dangerous

There are a plethora of examples out there that showcase how malicious browser extensions can affect those who download them. For example, Google recently removed four popular extensions from its web store that posed as sticky note apps. In reality, these malicious extensions were clicking on pay-per-click ads in the background to generate revenue.

That did not impact the users negatively, but it could have. Like the malicious extension that was spread through Facebook Messenger back in 2017.

Extensions don't have to be malicious themselves to pose a risk, though. Some become compromised and lead hackers straight to the honeypot. This can happen with big names in the industry as well, like when the MEGA extension was compromised to steal cryptocurrency keys.

It's not always obvious when an extension is trustworthy or not. But there are some, such as free VPN extensions (which are gaining popularity) that are almost always guaranteed to be malevolent. It's important to keep in mind that these extensions perform a service, and when it's a valuable service, it doesn't make sense that they're free. No one wants to pay for something they can get for free, but in some cases, as with VPNs, it's safer to just go down the paid route.

And finally, some extensions start out as trustworthy and are perfectly safe to use, but then get sold. Extension development isn't exactly a gold mine, so when developers get the chance to sell them, they often do. The company that buys the extension can essentially do what they want, and users won't even know about it. Because the software updates happen automatically. This isn't unusual either, and extensions regularly get turned into adware after being sold.

How to Evaluate Chrome Extensions for Safety

1. Make sure the developer is legitimate. Extension developers should have a public profile or website somewhere that can verify their identity. There are also plenty of fake extensions masquerading as the real thing. So make sure the developer matches the software. For instance, Instagram wouldn't have been made by some random person - since it's owned by Facebook.

2. Only install extensions from official web stores such as the Chrome Web Store.

3. Read through all of the permissions that an extension requests carefully. If something is requesting permissions that don't sound right, then it's time to question its authenticity. For instance, if a sticky note extension requests permission to read and change data on the websites a person visits. Why would a simple note-taking app want access to everything a person does online? That should be a red flag. Unfortunately, extension permissions don't work the way mobile app permissions do. If someone doesn't agree with all of them and won't give the go-ahead, then they can't install the extension at all.

4. Don't install a boatload of extensions. Almost no one needs to have 20+ extensions on their browser, and it slows down the computer anyway. People should stick to the most important extensions that perform functions they can't live without. Delete the rest.

5. Regularly go through installed extensions and make sure they're still functioning normally. If they have update logs - go through those too and be on the lookout for any suspicious language.

6. Make sure to have security software installed. A good firewall can go a long way, and while it won't protect against everything, it's still a good failsafe to have. Install anti-virus software as well. Many malicious extensions have code that's known to be dangerous, and a good anti-virus can pick up on that.

Sticking to the Safe Side of Browsing

Chrome extensions can add great functionality to the browser and shouldn't be avoided. But a little paranoia goes a long way when it comes to staying safe online. So just make sure to stick to safe extensions and refrain from installing too many of them - hard as that may be.