At a time when we get pretty much everything done on the internet, browser extensions serve as a kind of toolbox that can make tasks easier. Whether it’s saving money while shopping, saving time while filling out forms, correcting typing mistakes and grammar, or helping you stay productive, they’ve become a way to simplify your online life. However, there might be some risks to using the helpful tools: New research has found that browser extensions might be stealing your personal info while you browse.
RELATED: How to Set Up a VPN to Stay Safe Online.
The latest research comes from a team at the Georgia Institute of Technology, which examined the more than 100,000 available software add-ons available on the Google Chrome Web Store. Using a new software they developed called Arcanum, the group monitored how each program collects user data from websites when installed.
“We know from prior research that browser extensions collect users’ browser activity and history, but some of the most sensitive user data is located within webpages, such as emails, social media profiles, medical records, banking information, and more,” Frank Li, PhD, an assistant professor at Georgia Tech, said in a press release. “We wanted to know if extensions are also collecting personal data from these webpages.”
For the purposes of this study, the research team specifically focused on how browser extensions handled sensitive data when using Amazon, Facebook, Gmail, Instagram, LinkedIn, Outlook, and PayPal, according to a press release. Results showed that 3,028 browser extensions were collecting sensitive data, affecting more than 144 million users.
Perhaps more distressingly, they found that 202 of the programs were collecting sensitive data from within web pages and uploading the information to servers. This included “the contents of emails, private social media profiles and activity, banking information, and professional networks” of more than 300,000 potentially affected users.
The researchers point out that it’s not uncommon for browser extensions to collect data related to their functions, which can make examining the process more difficult. The team was able to get a deeper understanding by looking at a sample group of flagged extensions and comparing how they collected data to each’s posted privacy policy and web store description—finding that none matched.
"Unfortunately, the same capabilities that extensions rely on to enrich the web browsing experience can also be abused to harm user privacy, and potentially without users' knowledge or explicit consent," Qinge Xie, a researcher from Georgia Tech who worked on the study, explained in the press release. "Even in cases where data collection is benign and necessary for legitimate functionality, it introduces privacy risks. Sensitive user data can be transmitted and stored by a third party, which may further share the data or possibly leak the data during a data breach."
RELATED: What Does a Credit Card Skimmer Look Like? 7 Ways to Spot One.
This isn’t the only recent research to spotlight a potential cybersecurity issue where browser extensions are concerned. A study from a team at Stanford University published in June 2024 found that there had been roughly 280 million installations of Google Chrome extensions containing malware between July 2020 and February 2023. And in August, it was discovered that more than 300,000 users were affected by a browser extension containing malware available for Google Chrome and Microsoft Edge, The Hacker News reported.
In their conclusion, the Georgia Tech team said their findings suggest that Google should take a harder stance against potentially risky browser extensions and do more to uphold its security policies. They also encouraged major companies collecting data to be especially mindful of protecting it from breaches and leaks.
“I don’t believe individual users should have to bear the burden of worrying about their privacy or protecting their data, because they may not have the capability or technical knowledge to figure out what’s happening,” says Li.
Fortunately, there are still ways you can stay safe on the internet without completely abandoning your favorite programs. According to Forbes, it’s best to carefully review every browser extension before downloading them, including reading their privacy policies. Once you’ve downloaded them, be sure to limit which sites each has permission to work on from your settings. It’s also good to perform occasional digital housekeeping by removing any old extensions and consider switching on the Enhanced Protection mode on Google Chrome to help stop malware and other risks.