SecureMac, Inc.


Browser extensions and your privacy

Posted on July 8, 2020

Safari is getting a major overhaul in macOS 11 Big Sur, and one of the most important privacy enhancements has to do with browser extensions. In this article, we’ll give you some background to the issue of browser extensions and privacy, talk about what’s planned for Safari 14, and tell you how to stay safe in the meantime.

What are browser extensions?

Browser extensions or browser add-ons are small but powerful programs that extend the functionality of your web browser. Every major web browser supports them. Browser extensions do all sorts of things: There are password managers, ad blockers, grammar checkers, color pickers, and more! 

Some browser extensions are built by large companies that you’re already very familiar with, but there are tons of extensions created by indie developers and small organizations too. 

How do browser extensions relate to privacy?

In order to add functionality to your web browser, an extension needs certain permissions and access rights on your system. Depending on what a browser extension does, it may ask for permissions to read and alter content on the web pages you visit; to access your microphone or camera; to make changes to your files; or to know your geographic location.

If that sounds scary to you, well, in one sense that’s good — many people are far too casual about the permissions that they give to their browser extensions. But there’s no reason for alarm: Most of the time, extensions are on the up and up, and the permissions they request make sense. After all, how could an ad blocker effectively block ads if it couldn’t see the web pages you were visiting or remove elements from them? How would a password manager function if it couldn’t read and write to website form fields?

Yet while many browser extensions are completely legitimate, some do pose a privacy threat to users — and because of the huge number of available extensions, it’s difficult for Google, Mozilla, and Apple to guarantee the safety of every single one of them. 

How can browser extensions threaten privacy?

Due to their powerful permissions, browser extensions are potentially serious privacy threats.

The most common risk comes from developers who use their extensions to collect and resell anonymized user data to third parties — usually to marketing, advertising, and analytics companies. While this is not exactly new territory for Internet users, it’s something to be aware of — especially considering that “anonymized” data doesn’t always live up to its name.

Another risk comes in the form of ad injection. Because extensions can alter web page data, they can be used by malicious parties to serve ads to users (ads which sometimes sell bogus or shady products). This is a common feature of adware on macOS: A “helpful” toolbar is added to Safari as an extension, and suddenly web pages and search results start to display strange advertisements. Such ads are (at best) annoying and unhelpful, and may even redirect users to sites with truly malicious content.

An even more serious danger comes from extensions that log personally identifiable information or sensitive user data. Truly sketchy extensions may be set up for the express purpose of collecting and monetizing user data; but even legitimate extensions can contain security flaws that accidentally expose user information.

Why don’t they do something about it?

You may be wondering why Chrome, Firefox, Safari and others don’t do more to stop malicious browser extensions. It’s a reasonable question, but in fairness to Google, Mozilla, and Apple, they are taking action to make their browser extension marketplaces safer. The web stores for the major web browsers are constantly monitored, and offending extensions are frequently deleted. Sometimes, if a problem is serious enough, there will be a major policy change (Google, for example, completely banned cryptocurrency mining extensions from the Chrome Web Store after numerous instances of abuse). 

But the hard truth is that there are just too many developers and extensions for the big browser vendors to catch everything — a phenomenon which parallels what we’ve seen in the App Store. There is also the issue of bad actors buying or even hijacking legitimate extensions, which they then repurpose for malicious activities. It’s hard to defend users against an extension that had a perfect track record right up until its developer got hacked!

How will the new Safari help?

Safari 14 will give end users more control over the data that they share with their browser extensions, and will address web privacy issues generally.

This update comes as Apple rolls out new tools that make it easier for developers to create extensions for Safari — or to quickly port existing Chrome and Firefox extensions to Safari. This is great news for Safari users, since it will likely result in a far greater range of Safari browser extensions to choose from, but more extensions also means that bad actors may have an easier time slipping through the cracks.

So how does Safari 14 attempt to improve web privacy?

First, Safari’s new Privacy Report feature will allow users to see all of the blocked trackers on any given website. This kind of deep visibility into how websites are monitoring their visitors is already available through third-party tools, but now that it’s built into Safari, many more people will be aware of how much they’re being tracked online.

Secondly, in terms of browser extension privacy specifically, Safari 14 users will be able to grant permissions to an extension for a single site only, for just one day, or for all websites all of the time. This means that it will now be possible to use a browser extension without giving it access to all of your web browsing activity. It also means you’ll be able to try out new browser extensions safely, and grant access to infrequently used extensions on an as-needed basis. Some people have described the new feature as “sandboxing for browser extensions”, which is a pretty nifty way of summarizing how this change to Safari will protect users — and how it fits into Apple’s overall model of security and privacy.

How can I stay safe?

Safari 14 is currently in beta testing, and should roll out to Mac users with macOS 11 — probably in the early autumn of 2020. If you’re concerned about browser extension privacy in the meantime, here are some things you can do to stay safe:

  1. Limit your extensions

    Given all of the issues with browser extensions and user privacy, the best thing you can do is limit the number of extensions that you install. Start by performing an audit of your installed extensions. In Safari, you can do this by going to Safari > Preferences > Extensions. You can do the same thing in Chrome by going to More tools > Extensions; and in Firefox it’s Add-ons > Extensions. If you see any extensions that you haven’t used in a while, or that you don’t really think you need, uninstall them.

  2. Research before installing

    Before installing a new extension, read the reviews in the web store, and do a quick search for the name of the developer. Take a look at the experiences others have had with the extension — including recent performance issues that may indicate a new development team behind the app. If you spot any red flags, you’re better off not installing the extension.

  3. Watch for changes

    If you’ve had an extension for a while, and you suddenly notice that it’s requesting permissions that it had never asked for before, be careful. The extension may simply have some new functionality that requires additional access, but this can also be a sign that the extension has been sold (or compromised) and is now under the control of people who plan to invade your privacy for profit.

  4. Go native

    Many people turn to browser extensions for functionality that they think they can’t get any other way. But Apple has a powerful suite of native tools and utilities — some of them not very well-known — and these can often accomplish the same tasks as extensions without any of the privacy worries. To offer just one example, color pickers are a popular type of browser extension, but Apple’s built-in Digital Color Meter app does the exact same thing, and is just a Spotlight search away!
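For readers comfortable with a script, the "Watch for changes" check can be automated. This is an added example, not part of the original article or any vendor tool: it assumes you have saved copies of an extension's `manifest.json` (the file in which Chrome and Firefox extensions declare their permissions) from before and after an update. The "Color Helper" manifests are constructed sample data, and the list of permissions treated as sensitive is an illustrative choice.

```python
import json

# Match patterns that grant access to every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look when an update starts asking for them
# (illustrative selection, not an exhaustive list).
SENSITIVE = {"tabs", "webRequest", "history", "cookies", "geolocation",
             "clipboardRead", "downloads", "nativeMessaging"}

def requested(manifest):
    """Collect everything a manifest asks for: API permissions and host patterns."""
    entries = list(manifest.get("permissions", []))
    entries += manifest.get("host_permissions", [])        # Manifest V3 host access
    for script in manifest.get("content_scripts", []):
        entries += script.get("matches", [])               # pages the extension injects into
    # Some permissions are declared as objects; only string entries are compared here.
    return {e for e in entries if isinstance(e, str)}

def review_update(old_manifest, new_manifest):
    """Return what an update newly requests, grouped by how much attention it needs."""
    added = requested(new_manifest) - requested(old_manifest)
    return {
        "all_sites": sorted(added & BROAD_HOSTS),
        "sensitive": sorted(added & SENSITIVE),
        "other": sorted(added - BROAD_HOSTS - SENSITIVE),
    }

# Constructed sample manifests for a hypothetical extension, before and after an update.
OLD = json.loads("""{
  "name": "Color Helper", "version": "1.4.0", "manifest_version": 2,
  "permissions": ["activeTab", "storage"]
}""")
NEW = json.loads("""{
  "name": "Color Helper", "version": "1.5.0", "manifest_version": 2,
  "permissions": ["activeTab", "storage", "tabs", "webRequest", "https://example.com/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    for bucket, items in review_update(OLD, NEW).items():
        print(f"{bucket}: {items}")
```

A color picker that suddenly asks for access to every site, plus `tabs` and `webRequest`, is the kind of change the tip above describes; an empty result means the update requested nothing new.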

Closer to the public release of Safari 14, we’ll have additional updates and how-tos about the browser’s security and privacy features. In the meantime, stay safe with the tips above, and if you have any questions about browser extension security, feel free to write to us and ask!
