Beware the Browser Extensions Privacy Trap!

There’s a story going around currently about a group of researchers who claim to have de-anonymized a variety of browser users’ search data. The fact that proper anonymization of data is a nontrivial task is quite well known. Sloppy “anonymization” can be effectively as bad as no anonymization at all.

But the interested observer might wonder … where did these researchers get their search data in the first place?

It turns out that the main source of this data are the individuals or firms behind third-party browser extensions and apps, which provide or sell the user data that they collect to data brokers and to other entities.

And so we open up a very big can of worms.

The major browsers (e.g., Google’s Chrome) provide various means for users to install extensions and applications (also known as “add-ons” or “plugins” or “apps”) to extend browser functionalities. While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by such add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained.

Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.

The manner in which these apps and extensions end up being installed can be insidious, and relates to the fundamental complexity of the underlying security models, which are not understood by the vast majority of users, especially non-techie users. For the record, similar confusion exists regarding smartphone app security models, e.g. for Android.

The bottom line is that most users, faced with a prompt to install an extension or app that claims to provide useful functions, will simply grant the requested permissions, no matter how privacy and/or security invasive those permission actually are.

And why should we expect these users to do anything differently? Expecting them to really understand what these permissions mean is ludicrous. We’re the software engineers and computer scientists — most users aren’t either of these. They have busy lives — they expect our stuff to just work, and not to screw them over.

I recently helped an older Chrome user whom I know clean out their Chrome browser on Windows 10. As is routine for me, I used Chrome Remote Desktop for this purpose (please see: “Google Asked Me How I’d Fix Chrome Remote Desktop — Here’s How!” – https://lauren.vortex.com/2017/07/24/google-asked-me-how-id-fix-chrome-remote-desktop-heres-how).

He must have had 25 or 30 “crap” extensions installed that I needed to individually remove (some of which appeared to have been “slave” extensions installed by other “master” extensions). He claimed not to have knowingly installed any of them. Almost certainly, these were all prompted installations at sites he visited once or twice, with which he could have easily interacted without installing any of these add-ons at all.

But these sites push users very hard to install these privacy-invasive, data sucking extensions, and as noted above most users will grant requested permissions, implicitly assuming that they’re protected by the browser itself.

Underlying browser security models can complicate the situation. For example, one of the most common — and most easily abused — categories of permissions requested by extensions and apps is one that grants read and write access to all data at all websites you visit — or even that *plus* all data on your computer!

Now, here’s the kicker. While these sorts of permissions are the golden ticket for abuse by crooked and sloppy extensions or apps, there are many legitimate, well-written add-ons that also require such permissions to operate.

But how is the average user to make a reasonable determination in this context, faced with a site urging them to install an add-on that is being portrayed as necessary? Most users don’t have a site reputation database at hand for reference — they just want to get on with what they’re trying to do online.

I will note here that I know of various corporate environments where security policies absolutely prohibit the installation of apps or extensions with such broad permissions, with few if any exceptions (e.g. unless they’re of internal origin and have passed rigorous internal security and privacy audits).

I don’t have a brilliant “magic wand” solution to this set of problems.

Personally, I install as few browser extensions and apps as possible unless I am absolutely confident in the reputation of their origins, and I absolutely minimize the installation of any add-ons that require broad permissions either to websites or the local machines. Sometimes there are situations where an app or extensions looks very useful and enticing — but I still need to say “no go” to them the vast majority of the time.

One last thing. I urge you to check right now to see what extensions and/or apps you have installed, and remove the ones that you don’t need (or worse, don’t even recognize). For most versions of Chrome, you can do this by entering on your browser address bar:

chrome://extensions

and:

chrome://apps

On the extension list, a little trash can at the right is where you click to remove an extension. On the app list page (page select is at the bottom of that page), right click to access the menu that includes a “Remove from Chrome” entry. On Chrome OS, you may not be able to access the app page(s) using the link above. If the link doesn’t work in this case, click on the white circle in the bottom of screen toolbar to bring up the app page.

Is this all too complicated? Yep, it sure is.

Be seeing you.

–Lauren–

Google, Personal Information, and Star Trek
A Googler's Leaked Google "Diversity" Manifesto -- Lose-Lose-Lose
>

Leave a Reply

Your email address will not be published.