One More Chrome Extension? You Need an Intervention! – Chrome Extensions Research

Key findings:

• 1 in 2 (48.66%) Chrome extensions have a high or very high Risk Impact.
• 1 in 4 (27%) Chrome extensions collect data.
• Chrome extensions used for writing:
  • are the most data-hungry (79.5% collect at least one data point)
  • collect the most data types on average (2.5 data types).
  • the riskiest, asking for the most permissions, with one of the highest average Risk Impact scores (3.7/5.0).
• Extensions in the Shopping category are among the most data-hungry (64.9% collect user data) and the most potentially harmful (with an average Risk Impact of 3.9/ 5.0).

Risk Impact is a measure of the potential consequences of an extension being or turning malicious, while Risk Likelihood refers to the probability that an extension is or may become malicious.¹

Some Chrome extensions have access to virtually everything you do in your browser, including all your keystrokes. If an extension like this was to turn malicious or get compromised, a bad actor could spy on your every move and steal your login and payment details from any site you visit. These are the highest Risk Impact extensions.

Risk Impact is only half the story, though. While in use, an extension like Grammarly sees most of what you’re typing* (minus some sensitive fields), but the company behind it has a good track record of keeping user data safe. It has a high Risk Impact but low Risk Likelihood. It’s generally considered safe.

You might also come across an extension made by a fly-by-night developer with a history of questionable business practices that doesn’t require any suspicious permissions. So an extension like this would have a high Risk Likelihood but low Risk Impact and may well be relatively safe.

So, to assess the danger posed by your favorite Chrome extensions, you need to look at both Risk Impact and Risk Likelihood scores together. The safest extensions score low on both measures. The most obviously dangerous ones score high on both.

The safest extensions have a low Risk Impact and low Risk Likelihood, while the most dangerous score highly on both measures. The vast majority fall somewhere in between these extremes and it’s up to the user to decide if they’re comfortable installing a given extension. Risk Impact won’t change without the user knowing, since the extension would have to request additional permissions, but Risk Likelihood can change without notice, for example when an extension changes hands The distribution [above/below] shows the proportions of extensions studied that are generally considered safe (teal), that should be installed with caution (yellow), generally avoided (pink), or that are not recommended (red).

Permissions are key

Almost half of the 1,237 Chrome extensions analyzed score highly on Risk Impact. Risk Impact is defined, first and foremost, by the permissions a given extension requires at installation. Some permissions are more potentially dangerous than others. 

According to Aleksandras Valentij, Information Security Officer at Surfshark:

“[Users should] be extremely cautious with browser extensions that require the following permissions: read and change all your data on all websites you visit, audio capture, browsing data, clipboard read, desktop capture, file system, geolocation, storage, and video capture.” 

Mr. Valentij goes on to add that:

“The general advice in such cases is to use common sense when granting permissions to browser extensions. For example, why would an ad blocker need audio capture access or access to your file system? If you have doubts, simply don’t use that particular add-on. There are plenty of alternatives for each add-on out there.”

Simply put, an extension can’t steal, share or “lose” data to which it doesn’t have access in the first place. Permissions can be used, either by the extension developer or third parties, to do everything from inserting affiliate IDs into shopping-site cookies² to logging your every keystroke.

In developers we trust

Some extensions truly can’t function without certain permissions, even scary ones like clipboard read and browsing data. This is why it’s important to only use extensions from trusted developers. A trusted developer is one with a history of problem-free software development and high user ratings.

Seeking out trusted developers is neither easy nor foolproof, though. A previously above-board developer can turn bad actor, reviews can be bought or faked, and extensions can be compromised through no fault of the developer.

Doppelgänger extensions also complicate things. You might think you’re installing a tried, tested, and trusted extension when really it’s a malicious counterfeit. These are easy to fall for if you’re not very careful to match the extension and developer names exactly.

Finally, there’s a risk to downloading High Risk Impact extensions even from verified and trusted developers. Extensions, like any other proprietary software, can change hands without the user being made aware. You grant permissions to the extension, not its developer. A less-than-trustworthy company could then acquire the developer, publisher, or code base and do as it pleases with your data.

Adware vendors buying Chrome extensions and infecting them with adware and malware³ is a well-known practice. There are many examples of this, from the Particle extension takeover⁴ to smaller developers having their reputations dragged through the mud⁵. Even a generally reputable company buying out a beloved extension can cause widespread concern⁶.

Data collection is where it’s at

All this talk of risk and danger is a little abstract if we don’t look into exactly what kinds of data are being exposed and collected by these Chrome extensions. Over 1 in 4 of the extensions studied (27%) collect data on their users.

Below is a breakdown of this data by type and the percentage of extensions that collect it.

There’s no data here that isn’t a cause for concern. Any of this information can be used against you to devastating effect. Combining data from these categories is privacy-disrupting dynamite. It doesn’t take much imagination to see how pairing Personally Identifiable Information (PII) with health information, for example, can be used to invade your privacy.

Even “just” website content and location data can put you at risk. Say you spend some time looking up information on the legality of abortion procedures in your area and then make a couple of visits to a family planning clinic. In 2022, this can land you in a world of trouble⁷ you don’t need.

Then there’s the more typical criminal element: a malicious or compromised Chrome extension that has access to your every keystroke could be used to scrape your login and payment details. The sites you visit, the authentication information you use to log into them, and your credit card details are all right there on a silver platter.

Chrome extensions collecting the most data

If one or two data points can be devastating in the wrong hands, imagine what six or seven could do. Yet the top 10 data-collecting extensions collect exactly that much. They’re all Productivity and Shopping extensions.

Extensions that collect the most data, by category

The table below ranks all the categories studied by the % of extensions collecting data, the number of data types collected, and average risk metrics.

A whopping 65% of shopping extensions collect user data, at an average of 1.4 data types each. The combined average risk metrics are also the highest in this category, with an average Risk Impact of 3.9 and Risk Likelihood of 1.6.

Productivity, Search Tools, and Sports extensions vie for second place, with 32-35% of them collecting data, on average. Productivity extensions edge ahead with an average of 0.7 data types collected and the second-highest Risk Impact and Risk Likelihood pair of any category: 3.3 and 1.7, respectively.

Keep in mind that when dealing with averages like this, the differences within each category will be greater than those between categories. Still, on average, shopping extensions require more caution than other categories. They collect the most data by far and have the highest Risk Impact.

Extensions collecting the most data by use case

Another useful way to break down the data is to look at use cases. Filtering the results by keywords that speak to different use cases reveals clear deviations from the norm. Just over 1 in 4 (27%) of all Chrome extensions examined collect user data. Yet almost 4 in 5 (79.5%) of writing extensions do so.

So writers, bloggers, and language learners need to pay particular attention to how they augment their browsers. Especially given that writing extensions also collect the greatest number of data types (2.5 on average) and have one of the highest average Risk Impact scores (3.7/5.0).

Drilling down into the types of data writing extensions collect, we see that 56.4% collect PII (Personally Identifiable Information) and 33.3% collect location data. That’s a lot of trust to place in a company that’s looking to monetize its interactions with you. The table below shows the most data-hungry writing extensions.

The wildly popular Grammarly extension collects five data types, has a Risk Impact score of 4 out of 5, and boasts over 10,000,000 installs. Its Risk Likelihood is the lowest possible, but it’s not immune to being compromised by third parties, like state-sponsored hackers—no developer is.

Safety in Numbers?

Sticking to only the most popular Chrome extensions might seem like a good way to minimize risk. The data shows otherwise, though:

It turns out that more popular extensions are more likely to collect user data and collect more data types on average. Among the most popular extensions, 36% collect data, at an average of 0.9 data types. Only 20.7% of the least popular extensions collect data, with an average of 0.4 data types being collected.

The risk analysis shows an analogous correlation, with Risk Impact increasing with popularity:

So there’s really no substitute for looking into each extension individually before deciding whether to install it. We have some great tools and techniques to help you with this, but first, let’s look at some general best practices that we can glean from this research.

What we can learn from the worst of the worst 

The most dangerous Chrome extensions combine high Risk Impact with high Risk Likelihood. We found that, out of the 1,237 extensions we analyzed, 47 scored 4 or 5 on both of these measures.

The most common use cases among these 47 extensions are: increasing volume (5), refreshing tabs (5), watching videos in a floating window (5), translating (4), and screen recording (3).

Straight away you can see that they all have one thing in common: they’re useless additions to your browser, duplicating functions available in your operating system, the browser itself, or the given website or web app. No one needs any of these extensions. They wouldn’t be worth any level of risk, let alone the greatest level.

You can find the list of these high Risk Impact & high Risk Likelihood Chrome extensions at the bottom of this page.

Straight away you can see that they all have one thing in common: they’re useless additions to your browser, duplicating functions available in your operating system, the browser itself, or the given website or web app. No one needs any of these extensions. They wouldn’t be worth any level of risk, let alone the greatest level.

So what should you do when installing Chrome browser extensions?

First and foremost, ask yourself if you really need yet another extension. Does your operating system, browser, or some other piece of software you already have offer the same functionality? Search online and find out. It could save you from bloating your browser with risky extensions unnecessarily.

Generally speaking, the more extensions you have, the slower your browser and computer run. Some are real resource hogs, eating up RAM and CPU cycles like nobody’s business. More importantly, the odds of coming across a malicious Chrome extension⁸ or having one compromised stack as you add more of them to your browser.

If you’re convinced you need an extension to do whatever it is you’re doing, check its permission requirements and risk profile. Always double check you’re looking at the original extension by making sure the extension name, logo, and developer name match what you were expecting.

Check the risk profile of any extension on the Chrome Web Store

To check an extension’s risk profile, find it on the Chrome Stats⁹ website. Alternatively, here’s a one-click way to bring up the risk profile for any extension on the Chrome Web Store:

Setting it up takes less than a minute and will save you a lot of time if you’re a power user. All you need to do is add a bookmark that contains some simple JavaScript to your browser. Here’s a step-by-step guide:

1. Click the star in your browser’s search bar (it doesn’t matter what page you’re on).
   
   
2. Click “more.”
   
3. Paste the following line of JavaScript into the URL field as shown below.

javascript:(function(){location.href=’https://chrome-stats.com/d/’ + window.location.href.replace(/https:\/\/.*\//g, “”);})();

Now go to the Chrome Web Store page of any extension, and you’ll be able to bring up the Chrome Stats page for that extension with a single click.

The extension looks a little too risky? Look for alternatives

Don’t shrug off any red flags or lingering doubts—whatever your need, it’s bound to have been addressed by other developers. To find similar extensions:

On the extension’s Chrome Web Store page click on “related.”

The gold standard in terms of minimal data collection is using Free and Open Source (FOSS) extensions, like Bitwarden¹⁰ and uBlock Origin¹¹. Failing that, look for extensions that are marked as trusted by Google and have an acceptable risk profile on Chrome Stats.

Methodology

Our researchers analyzed 1,237 Google Chrome extensions available on the Chrome Web Store. These extensions all have at least 1,000 installs and fall under 56 use cases, from writing to gambling. Our analysis was focused on their risk profiles (scraped from Chrome Stats) and the nine data types that extensions can collect.

The extensions were analyzed according to their:

• Category
• Use case
• Number of installs (<3,000; 3,000–9,999; 10,000–49,999; >=50,000)
• Country of origin (for the extension developers that declared it)
• Risk Impact and Risk Likelihood

Given that information on the collection and sale of user data is provided voluntarily through a declaration, the data on this aspect are assumed to represent the best case scenario.

References

1. “Risk analysis,” ChromeStats, accessed October 25, 2022, https://docs.chrome-stats.com/analysis/risk-analysis.
    
2. Sabrina Ortiz, “Malicious Google Chrome extensions affect 1.4 million users,” last modified August 31, 2022, https://www.zdnet.com/article/malicious-google-chrome-extensions-affect-1-4-million-users/.
   
3. Ron Amadeo, “Adware vendors buy Chrome Extensions to send ad- and malware-filled updates,” last modified January 18, 2014, https://arstechnica.com/information-technology/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/.
   
4. Catalin Cimpanu, “‘Particle’ Chrome Extension Sold to New Dev Who Immediately Turns It Into Adware,” last modified July 13, 2017, https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/.
   
5. Amit Agarwal, “I sold a Chrome Extension but it was a bad decision,” last modified January 16, 2014, https://www.labnol.org/internet/sold-chrome-extension/28377/.
   
6. Kevin Purdy, “Beloved browser extension acquired by non-beloved antivirus firm,” last modified September 9, 2022, https://arstechnica.com/gadgets/2022/09/beloved-browser-extension-acquired-by-non-beloved-antivirus-firm/.
   
7. Bobby Allyn, “Privacy advocates fear Google will be used to prosecute abortion seekers,” last modified July 11, 2022, https://www.npr.org/2022/07/11/1110391316/google-data-abortion-prosecutions#:~:text=In%20the%20first,Times%20in%202019.
   
8. “ChromeLoader Infects the Browser by Loading Malicious Extension,” BlackBerry Blog, last modified November 3, 2022, https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension.
   
9. “ChromeStats,” Google, accessed October 24, 2022, https://chrome-stats.com/.
   
10. “Move fast and securely with the password manager trusted by millions,” Bitwarden, accessed November 4, 2022, https://bitwarden.com/.
    
11. “uBlock Origin – Free, open-source ad content blocker,” uBlock Origin, accessed November 4, 2022, https://ublockorigin.com/.

*Update from Grammarly:

“Grammarly only accesses the text users write while using our product to provide suggestions and is blocked from accessing anything typed in fields marked “sensitive,” such as credit card and password fields. Grammarly only checks the text users want it to, and they can always see what Grammarly is processing by the presence of the Grammarly widget. Users can also turn off Grammarly in any application at any time if they don’t want it to check a particular piece of text.”

Appendix: Highest risk Extensions and their alternatives

Here are some of the worst extensions and their less risky alternatives. Note that sometimes no extension at all is the better alternative.