Browser extensions, a still untapped goldmine for hackers

Want to avoid getting your accounts hacked? Maybe you should rethink all of those browser extensions that you're using.

Browser extensions have played a key part in what has made browsers popular over the years. Firefox was one of the first browsers to popularise extensions, followed by Chrome. These days, a huge percentage of people use some sort of extension in their browser; the most popular extensions tend to be geared towards ad-blocking and anti-tracking. However, these types of extensions in particular come with an enormous risk.

Extensions essentially allow you to install third-party code into your browser to modify its behaviour in some restricted ways, though perhaps not restricted enough. These extensions have to ask for your permission to do certain things when you install them, a measure that Chrome and various other browsers implemented years ago to help combat the risk of installing them. This may have helped with some extensions, since there are a lot of useful extensions that shouldn't require access to much, if anything, in your browser.

The most popular extensions, however, such as ad-blockers like Adblock, uBlock Origin and various others, work by editing the HTML of the page you're viewing. This means that they essentially are required to have full read and write permissions on every page that you view. There is no way that they can function without these permissions. They find ads on the page you're viewing by reading through the code, and then they remove them from the code so you don't see them. These large extensions are used by up to 26% of the users of the web. Shouldn't that mean that they have been under plenty of scrutiny and should be safe? Maybe, kind of.

In theory, people are always watching these extensions and checking through the easily accessible source code (albeit pseudo-obfuscated) for malicious activity. However, this is an ideal. In reality, these extensions are not scrutinised as much as you might think, given the number of people that use them. People have already used fairly popular extensions to inject their own ads into the websites you view. In fact, Google released a report stating that 5% of all visits to their website had been altered by adware extensions. The risk, however, goes even deeper.

Chrome allows extension creators to push out updates to their users, and generally these updates happen in the background without the user's knowledge. The only case in which a user would be notified of this happening is when the permissions of the extension have changed. The problem is that for many of these extensions, you've already given the highest level of permission: the ability to read/write all data on all websites you visit. Someone could easily send out an update that injected ads or, worse, malware scripts into the pages you visit that collect your login details for every website that you visit, and you'd never even know the extension was updated with this new malicious code.
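One way to check your own exposure to this, as an added example that is not part of the original post: the script below reads extension manifests, lists the ones that request access to every site, and compares two snapshots to spot version changes in extensions that already held that access. The `permissions`, `host_permissions` and `content_scripts` keys are real manifest fields; the extension names and snapshot data are constructed for illustration.

```python
# Match patterns that grant an extension access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest):
    """Return the sorted all-sites patterns requested by one manifest."""
    requested = list(manifest.get("permissions", []))      # MV2 mixes hosts in here
    requested += manifest.get("host_permissions", [])      # MV3 host access
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])             # scripts injected into pages
    # permissions may hold non-string entries, so filter before the set lookup
    return sorted({p for p in requested if isinstance(p, str) and p in BROAD})

def silent_updates(previous, current):
    """Extensions whose version changed while all-sites access was already held.

    This only compares all-sites patterns, so it approximates the case the
    post describes: an update that needs no new grant from the user."""
    flagged = []
    for name, manifest in current.items():
        old = previous.get(name)
        if old is None:
            continue  # newly installed, the install prompt covered it
        version_changed = manifest.get("version") != old.get("version")
        if version_changed and broad_host_access(old) and broad_host_access(manifest):
            flagged.append(name)
    return sorted(flagged)

# Constructed snapshots of two hypothetical extensions, taken a day apart.
SNAPSHOT_OLD = {
    "example-adblock": {"manifest_version": 2, "version": "1.4.0",
                        "permissions": ["storage", "<all_urls>"]},
    "example-notes": {"manifest_version": 3, "version": "2.0.0",
                      "permissions": ["storage"],
                      "host_permissions": ["https://notes.example/*"]},
}
SNAPSHOT_NEW = {
    "example-adblock": {"manifest_version": 2, "version": "1.4.1",
                        "permissions": ["storage", "<all_urls>"],
                        "content_scripts": [{"matches": ["*://*/*"],
                                             "js": ["inject.js"]}]},
    "example-notes": dict(SNAPSHOT_OLD["example-notes"], version="2.0.1"),
}

if __name__ == "__main__":
    for name, manifest in SNAPSHOT_NEW.items():
        print(name, broad_host_access(manifest) or "no all-sites access")
    print("updated with all-sites access:", silent_updates(SNAPSHOT_OLD, SNAPSHOT_NEW))
```

To run it against a real profile, load each installed extension's `manifest.json` with `json.load` into the same dictionary shape.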

The only thing standing between you and having everything you do on the web fully monitored, including your login details, is simply the login details and signing key that the owners of the extension use to publish it. A hacker could obtain these and quietly add malware into these extensions which would likely go unnoticed for at least a few days, capturing potentially hundreds of thousands, if not millions of logins and various other sensitive, private data. It gets scarier because it's not just hackers gaining access to the extension you have to worry about.

There are already dedicated companies around that cold-call popular extension owners and offer them chunky sums of money to buy their extension, likely with the malicious intent of using it to inject ads into the pages of its users or, worse, gather sensitive information. See this Reddit thread from one of the developers of the popular extension Honey. In it he states that over the past year, many companies have approached them, varying from known adware companies to user data collection companies looking to buy user data from them. Honey is just another one of those popular extensions that has full access to all of the data on every website that you view, and you rely totally on trusting them not to do anything malicious or to give access to anyone with malicious intent.

What do we do about this?

Personally, I'm an advocate for not using any extensions in your browser at all, unless they require almost no permissions from your browser. Certainly never use extensions that can read/write all data on every page that you visit. Are ads really annoying you so much so that you want to take this enormous risk? I'll give you a few alternatives.

Pay for services

Let's face it, we all know it: frustrating ads are most commonly seen on websites that are on the more grey or piracy side of the web. Maybe instead of illegally downloading stuff, you should try to pay for it? I understand of course that this is not applicable to everyone; in some countries you simply cannot pay to access content. There are a lot of problems with content distribution, and I'm in no way taking some moral high ground on this issue.

Use a dedicated browser which has extensions

This is a pretty easy solution for most people to implement. Use one browser for all of your important stuff, everywhere you're logged into anything important, email, banking, cryptocurrency exchanges, etc. On this browser, don't use any extensions. Let's face it, you probably don't care much about ads on these more trustworthy websites, right?

For all of your other needs, use a separate browser which has all of your extensions of choice installed. Don't use this browser for any sensitive material. This limits the risk enormously.

Further alternative solutions

Some browsers, like Brave, come with ad and tracking blocking built in. This browser is even available on your mobile device, so you can continue blocking ads there. Brave even allows you to opt in to more moral and friendly advertising on participating websites, for which you can actually be rewarded in BAT tokens, which you can sell for real money. Brave is trying to create a web where the people are in control of advertising and there is a real way for people to pay for using websites based on their usage and for websites to make money from their users, with or without advertising.

What about tracking?

Well, without extensions or a dedicated browser like Brave, you're out of luck on this one. You'll either have to put up with it or install these risky extensions or use a browser that has anti-tracking capabilities. Luckily there is a growing concern about this worldwide and people are working on more concrete solutions for the future.

There is a technical alternative that some technically inclined people can try to go for, which is to use a DNS level blocker. This can come with its own risks when using a third party hosted DNS. There is a solution that more technically inclined and patient people can try to implement which is a Pi-hole. However it's understandable that this is gonna be a strain for most people to work with. It's also not a particularly portable solution.


Well, aren't there some positives to ads? Can't ads themselves hack you? Short answer, no, they cannot. If they could, it would be known as an exploit in your browser, and these are incredibly rare. The risk of this happening is almost non-existent; it is not a common attack vector. Ads themselves can't do much, other than be an extreme nuisance at their worst.

What about these "scripts"? Every website uses these "scripts" to function. They are just as safe as the HTML on the page you're viewing that is used to tell your browser how to display the page. Exploits in these are extremely rare, and companies like Google offer serious financial rewards to people who find these and disclose them to Google first without telling anyone else. This allows Google to release updates to Chrome that patch the exploits well before these exploits are known to the public and used for nefarious purposes.

Even then, these exploits are not common and take an immense amount of time and skill to exploit, even on the rare occasions they are discovered. Use a modern browser like Chrome or Firefox and keep it updated, and this is not a cause for concern.

Everything is a risk/reward ratio, and the risk of using these extensions certainly outweighs the reward, in my view. There are ways of still using them while limiting risk, and there are some alternative solutions, which I've tried to outline in this post.

I, however, will stay extension-free.