Freelancers and contractors could be using Chrome extensions that are collecting every keystroke they make. Are some freelancers more at risk than others and which extensions could be more prone to malicious wrongdoing?
Freelancers and small business owners must be aware of the risk impact – the measure of the potential consequences of an extension being or turning malicious – and the risk likelihood – the probability that an extension is or may become malicious. This is according to a new report by Incogni.
- 1 in 2 (48.66%) Chrome extensions have a high or very high Risk Impact.
- 1 in 4 (27%) Chrome extensions collect data.
- Writers, bloggers, and language learners could be most at risk.
- Chrome extensions used for writing:
- are the most data-hungry (79.5% collect at least one data point)
- collect the most data types on average (2.5 data types).
- the riskiest, asking for the most permissions, with one of the highest average Risk Impact scores (3.7/5.0).
- Extensions in the Shopping category are among the most data-hungry (64.9% collect user data) and the most potentially harmful (with an average Risk Impact of 3.9/ 5.0).
Almost half of the 1,237 Chrome extensions analysed score highly on Risk Impact, a measure of the potential consequences of an extension being or turning malicious.
While just over 1 in 4 (27%) of all Chrome extensions examined collect user data, almost 4 in 5 (79.5%) writing aid extensions do so.
Writers, bloggers, and language learners need to pay particular attention to how they augment their browsers. Writing extensions collect the greatest number of data types (2.5 on average) and have the highest average Risk Impact scores (3.7/5.0).
Drilling down into the types of data writing extensions collect, we see that 56.4% collect PII (Personally Identifiable Information) and 33.3% collect location data. That’s a lot of trust to place in a company that’s looking to monetise its interactions with you.
Why would an ad blocker need audio capture access or access to your file system? If you have doubts, simply don’t use that particular add-on. There are plenty of alternatives for each add-on out there.Aleksandras Valentij, Information Security Officer at Surfshark
According to Aleksandras Valentij, Information Security Officer at Surfshark: “[Users should] be extremely cautious with browser extensions that require the following permissions:
- read and change all your data on all websites you visit
- audio capture
- browsing data
- clipboard read
- desktop capture
- file system
- video capture
The general advice in such cases is to use common sense when granting permissions to browser extensions. For example, why would an ad blocker need audio capture access or access to your file system? If you have doubts, simply don’t use that particular add-on. There are plenty of alternatives for each add-on out there.”
Some Chrome extensions have access to virtually everything you do in your browser, including all your keystrokes.
“Although installing extensions only from trusted developers with a history of ethical software development and high user ratings provides some level of protection, it doesn’t guarantee it,” said the report’s authors. “Extensions, like any other proprietary software, can change hands without notice.”
Some Chrome extensions have access to virtually everything you do in your browser, including all your keystrokes, said the report. If an extension like this was to turn malicious or get compromised, a bad actor could spy on your every move and steal your login and payment details from any site you visit. These are the highest Risk Impact extensions.
Risk Impact is only half the story, though. While in use, an extension like Grammarly sees most of what you’re typing* (minus some sensitive fields), but the company behind it has a good track record of keeping user data safe. It has a high-Risk Impact but low-Risk Likelihood. It’s generally considered safe.
You might also come across an extension made by a fly-by-night developer with a history of questionable business practices that don’t require any suspicious permissions. So an extension like this would have a high-Risk Likelihood but low-Risk Impact and may well be relatively safe.
So, to assess the danger posed by your favourite Chrome extensions, you need to look at both Risk Impact and Risk Likelihood scores together. The safest extensions score low on both measures. The most obviously dangerous ones score high on both.
The safest extensions have a low-Risk Impact and low-Risk Likelihood, while the most dangerous score highly on both measures. The vast majority fall somewhere in between these extremes and it’s up to the user to decide if they’re comfortable installing a given extension.
Risk Impact won’t change without the user knowing, since the extension would have to request additional permissions, but Risk Likelihood can change without notice, for example when an extension changes hands The distribution [above/below] shows the proportions of extensions studied that are generally considered safe (teal), that should be installed with caution (yellow), generally avoided (pink), or that are not recommended (red).
Permissions are key
“Simply put, an extension can’t steal, share or “lose” data to which it doesn’t have access in the first place. Permissions can be used, either by the extension developer or third parties, to do everything from inserting affiliate IDs into shopping-site cookies to logging your every keystroke,” stated the research report.
What extensions love to collect the most
“There’s no data here that isn’t a cause for concern,” said the report’s authors. “Any of this information can be used against you to devastating effect,” said the report.
Combining data from these categories is privacy-disrupting dynamite. It doesn’t take much imagination to see how pairing Personally Identifiable Information (PII) with health information, for example, can be used to invade your privacy.
The report said that even “just” website content and location data can put you at risk. Say you spend some time looking up information on the legality of abortion procedures in your area and then make a couple of visits to a family planning clinic. In 2022, this can land you in a world of trouble7 you don’t need.
Then there’s the more typical criminal element: a malicious or compromised Chrome extension that has access to your every keystroke could be used to scrape your login and payment details. The sites you visit, the authentication information you use to log into them, and your credit card details are all right there on a silver platter.
If one or two data points can be devastating in the wrong hands, imagine what six or seven could do. Yet the top 10 data-collecting extensions collect exactly that much. They’re all Productivity and Shopping extensions.
Extensions that collect the most data, by category
The table below ranks all the categories studied by the % of extensions collecting data, the number of data types collected, and average risk metrics.
A whopping 65% of shopping extensions collect user data, at an average of 1.4 data types each. The combined average risk metrics are also the highest in this category, with an average Risk Impact of 3.9 and Risk Likelihood of 1.6.
Productivity, Search Tools, and Sports extensions vie for second place, said the report, with 32-35% of them collecting data, on average.
Productivity extensions edge ahead said the research report with an average of 0.7 data types collected and the second highest Risk Impact and Risk Likelihood pair of any category: 3.3 and 1.7, respectively.
“Keep in mind that when dealing with averages like this, the differences within each category will be greater than those between categories,” said the research findings. “Still, on average, shopping extensions require more caution than other categories. They collect the most data by far and have the highest Risk Impact,” said the report.
Extensions collecting the most data by use case
Another useful way to break down the data is to look at use cases. Filtering the results by keywords that speak to different use cases reveals clear deviations from the norm. Just over 1 in 4 (27%) of all Chrome extensions examined collect user data. Yet almost 4 in 5 (79.5%) of writing extensions do so.
So writers, bloggers, and language learners need to pay particular attention to how they augment their browsers. Especially given that writing extensions also collect the greatest number of data types (2.5 on average) and have one of the highest average Risk Impact scores (3.7/5.0).
Drilling down into the types of data writing extensions collect, we see that 56.4% collect PII (Personally Identifiable Information) and 33.3% collect location data. That’s a lot of trust to place in a company that’s looking to monetize its interactions with you. The table below shows the most data-hungry writing extensions.
The wildly popular Grammarly extension collects five data types, has a Risk Impact score of 4 out of 5, and boasts over 10,000,000 installs. Its Risk Likelihood is the lowest possible, but it’s not immune to being compromised by third parties, like state-sponsored hackers—no developer is.
So there’s really no substitute for looking into each extension individually before deciding whether or not to install it, the report suggested. “We have some great tools and techniques to help you with this, but first, let’s look at some general best practices that we can glean from this research.”
Straight away you can see that they all have one thing in common: they’re useless additions to your browser, duplicating functions available in your operating system, the browser itself, or the given website or web app.
How to spot the most dangerous Chrome extensions?
The reportedly most dangerous Chrome extensions combine high-Risk Impact with high-Risk Likelihood. The report researchers found that out of the 1,237 extensions analysed, 47 scored 4 or 5 on both of these measures.
The most common use cases among these 47 extensions are: increasing volume (5), refreshing tabs (5), watching videos in a floating window (5), translating (4), and screen recording (3), said the report.
“Straight away you can see that they all have one thing in common: they’re useless additions to your browser, duplicating functions available in your operating system, the browser itself, or the given website or web app. No one needs any of these extensions. They wouldn’t be worth any level of risk, let alone the greatest level.