Cybersecurity: Chrome Extension Research Reveals 1 in 2 Extensions have Potential to Wreak Havoc

1 in 2 Google Chrome Extensions have potential to wreak havoc,” Incogni Research shows.

Data removal company Incogni analyzed “the risk profiles of 1,237 Chrome extensions available on the Chrome Web Store.” The study reveals “that 1 in 2 Chrome extensions (48.66%) has a High to Very High Risk Impact, asking for permissions that could potentially expose Personally Identifiable Information (PII), distribute adware and malware, and log everything users do, including the passwords and financial information they enter while online.”

Key findings:

  • 1 in 2 (48.66%) Chrome extensions have a High to Very High Risk Impact
  • Risk Impact is defined, first and foremost, by the permissions a given extension requires at installation.
  • 1 in 4 (27%) Chrome extensions collect data.
  • Chrome extensions used for writing:
    • are the most data-hungry (79.5% collect at least one data point)
    • collect the most data types on average (2.5).
    • are also the riskiest, asking for the most permissions, with one of the highest
    • average Risk Impact scores (3.7/5.0).

Almost half of the 1,237 Chrome extensions analyzed “score highly on Risk Impact, a measure of the potential consequences of an extension being or turning malicious.”

While just “over 1 in 4 (27%) of all Chrome extensions examined collect user data, almost 4 in 5 (79.5%) of writing aid extensions do so.”

Writers, bloggers, and language learners “need to pay particular attention to how they augment their browsers.” Writing extensions “collect the greatest number of data types (2.5 on average) and have the highest average Risk Impact scores (3.7/5.0).”

Drilling down into the types of data writing extensions collect, we see “that 56.4% collect PII (Personally Identifiable Information) and 33.3% collect location data.” That’s a lot of trust to place in a company that’s “looking to monetize its interactions with you.”

According to Aleksandras Valentij, Information Security Officer at Surfshark:

“[Users should] be extremely cautious with browser extensions that require the following permissions: read and change all your data on all websites you visit, audio capture, browsing data, clipboard read, desktop capture, file system, geo location, storage, and video capture. The general advice in such cases is to use common sense when granting permissions to browser extensions. For example, why would an ad blocker need audio capture access or access to your file system? If you have doubts, simply don’t use that particular add-on. There are plenty of alternatives for each add-on out there.”

Although installing extensions only from trusted developers with a history of ethical software development and high user ratings provides some level of protection, “it doesn’t guarantee it.”

Extensions, like any other proprietary software, “can change hands without notice.”

For more details, check here.

As noted in the update, is “a data privacy tool from the cybersecurity company Surfshark that periodically sends official data removal requests to personal information brokers on behalf of its clients.”

The Incogni team is “equipped with legal experience that their customers may not have.”

Instead of having to read through reams of legalese and having to remember which brokers answered their emails, Incogni subscribers “can simply monitor the process via regular updates.”

Register Now
Sponsored Links by DQ Promote



Send this to a friend