Browser Extensions: How to Stay Safe

Consumer Reports has no financial relationship with advertisers on this site.

A recent leak of private Facebook messages, primarily in Europe, should remind consumers to be cautious when downloading and using web browser extensions, security experts say.

That’s because Facebook says the data loss didn’t stem from a security breach of the social platform itself but rather from an extension people had loaded onto their computers.

“We believe this information was obtained through malicious browser extensions installed off of Facebook,” Guy Rosen, Facebook vice president of product management, tells Consumer Reports. “We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related.”

Extensions are small software programs that typically add useful functionality to web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge, and are downloaded from online app stores hosted by these companies. Consumer Reports has a Chrome browser extension that shows members the CR ratings for products we’ve tested when they view the items on several retailer websites.

According to the BBC, which uncovered the leak, cybercriminals offered to sell personal Facebook information on a hacker message board. A cybersecurity firm that worked with the BBC on the story confirmed that samples posted by the hackers included private messages from 81,000 accounts, but it discounted the hackers’ claim to have data from 120 million accounts.

Facebook and the companies behind the three biggest web browsers wouldn’t name the extension involved in the data theft or say how long it was available for people to download. Google said the extension had been removed from the Chrome Web Store last year over an unrelated policy violation. Mozilla said it wasn’t contacted by Facebook, and Microsoft declined to comment.

Legitimate browser extensions can be useful, doing anything from blocking ads to monitoring online retailers for sales to helping people manage passwords.  

However, hackers can use malicious extensions to siphon your personal data. 

“The only surprise to me is that we haven’t seen more data breaches of this type,” says Matt Adkisson, product director for Avast Secure Browser, a security-focused web browser created by the Avast anti-malware and cybersecurity firm. “Social data is just the tip of the iceberg, but there are other targets, like banks and other financially sensitive sites, that are vulnerable to this exact type of exploit—a compromised extension.”

Here’s how to stay safe when using browser extensions.

Don’t Use Too Many

Security experts say that the first step in staying safe is to avoid downloading too many extensions. “The most secure building is a building with no doors or windows,” Adkisson says. “Less is more.”

And today’s web browsers are so feature-packed that you might not need many of the extensions that were once popular, such as tools for saving news articles to read later or managing to-do lists.

“Eventually many of the really good extensions just become part of the browser itself,” says Robert Richter, who oversees Consumer Reports’ privacy and security testing.

Delete Unused Extensions

Experts say it’s also smart to regularly review which extensions you have installed, and to delete ones you no longer use. This minimizes the risk of hackers taking advantage of a security flaw in a legitimate extension to steal your data.

This can also help your browser work better.

“You should routinely go in and clean up your browser extensions,” says Gary Davis, chief consumer security evangelist at McAfee, a leading producer of anti-malware software. “It’s going to affect your system performance, so it’s a good digital hygiene thing.” 

The process for deleting an extension varies by browser. In Chrome, you can typically click on the extension icon in the upper right-hand corner of the window, and then choose Remove. Or, click the More button (three vertical dots at the upper right of the window), and choose More Tools to get a list of all your extensions, and the option to remove the ones you no longer want.

Stick to Trusted Sources

Make sure to download extensions only from an official source, such as the Chrome Web Store or Mozilla. These companies screen extensions for security.

Google tells Consumer Reports that it uses machine learning to detect and block malicious extensions. If the company discovers problems with an extension already in the Chrome store, it can disable the extension remotely on users’ computers. Mozilla says it subjects extensions to automated validation checks, with manual code reviews if necessary.

Security experts say it’s also smart to limit yourself to extensions produced by companies you already trust. “If you just find a quick and dirty extension, you have no idea what data they’re collecting and what they may be doing with it,” Davis says. 



Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2018, Consumer Reports, Inc.
