Browser Extensions: How to Vet and Install Safely

What is an extension?

A browser extension is essentially a small piece of software that performs a function or adds a feature to a browser client. Since extensions are given special authorizations within the browser, they are attractive targets for attackers. 

How to use extensions (more) safely

Even though extensions can be risky, if used correctly, they can be extremely beneficial. It’s especially important to research extensions if you are using an application that accesses P4 protected data.

Before Installing an Extension: 

  • Check out the developer’s website to see if it’s a legitimate extension and not a one-off by an unvetted source. 

  • Read the description. Look for things that may be questionable, like tracking info or data sharing.

  • Check out the reviews. Look for users complaining about odd behavior, speculating that their data is being taken, or anything else that strikes you as odd.

When Installing an Extension:

  • Be picky. The more extensions installed, the bigger the attack surface you open up to attackers. Only pick the most useful and delete the ones you don’t need.

  • Only install through trusted sources. While extensions from these sources are not guaranteed safe, security technicians review them for malicious content.

  • Review permissions. Review extension permissions closely. If an installed extension suddenly requests new permissions, be wary. If you can’t find a reason for the permission change, it’s probably better to uninstall.

  • Use antivirus protection. Install and run SCEP to detect and neutralize malicious code in browser extensions.

If you really want to dig into an extension, look it up on https://crxcavator.io/. CRXcavator is a Chrome Extension security assessment automation tool designed to help security analysts have better insight into Chrome Extensions.
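
One way to carry out the “Review permissions” step by hand, shown as an added example that is not part of the original page: the script compares an extension's manifest.json before and after an update and lists the broad permissions it requests and the ones that are new. The sample manifests, the extension name, and the set of permissions treated as high-risk are assumptions made for this example.

```python
import json

# Real Chrome extension permission names; which ones count as high-risk
# is this example's assumption, not an official list.
HIGH_RISK = {"tabs", "cookies", "history", "webRequest", "clipboardRead",
             "nativeMessaging", "debugger", "management", "proxy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested(manifest):
    """Collect every permission and host pattern a manifest asks for."""
    perms = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts get page access through their "matches" patterns.
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def review(old_json, new_json):
    """Return (risky, added): risky permissions in the new version, and
    permissions the new version requests that the old one did not."""
    old, new = requested(json.loads(old_json)), requested(json.loads(new_json))
    risky = sorted(p for p in new if p in HIGH_RISK or p in BROAD_HOSTS)
    added = sorted(new - old)
    return risky, added


# Constructed sample manifests for a hypothetical extension, before and after an update.
OLD = '''{"manifest_version": 3, "name": "Example Notes", "version": "1.0",
 "permissions": ["storage"],
 "host_permissions": ["https://notes.example.com/*"]}'''
NEW = '''{"manifest_version": 3, "name": "Example Notes", "version": "1.1",
 "permissions": ["storage", "cookies", "webRequest"],
 "host_permissions": ["<all_urls>"],
 "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]}'''

if __name__ == "__main__":
    risky, added = review(OLD, NEW)
    print("High-risk permissions requested:", risky)
    print("New since previous version:", added)
```

To check a real extension, pass the text of its manifest.json from the previously installed version and from the updated version to `review`.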

How to see extensions already installed

  • Google Chrome users click the three dots to the right of the address bar, select “More tools,” then “Extensions.”
  • Firefox users click the three horizontal bars next to the address bar, then “Add-ons,” then “Extensions.”
  • Safari users click Preferences, then the Extensions tab. All enabled extensions will have a checkmark in the box to the left of the icon in the sidebar.
  • Internet Explorer users click the gear menu at the top-right corner and select Manage add-ons. Browser plug-ins are displayed under the Toolbars and Extensions category, along with any browser toolbars and other types of ActiveX add-ons installed.