Engineer's Corner
11:49 am
Tue January 21, 2014

TheEC: Browser Extensions that Spy on You

Browser Extension Adware Malware and Spyware
Credit howtogeek.com

Taking a break from broadcast engineering this time on TheEC, and instead we'll look at the other side of my job: computers.   In particular, here's a heads-up to a recent story that's lit-up the geekier realms of the internet, but may not have percolated to your inbox just yet.  It has to do with BROWSER EXTENSIONS and how they might or might not...probably might...be spying on you.

The original story hit ArsTechnica on January 17th, and details how the Google Chrome browser has a weakness: the auto-updater for extensions.   Works great in theory; install something once and updates/fixes are pushed to your browser automatically by the extension's creator.   Problem is, Chrome also lets a creator sell that extension to someone else.

So what's happening is that Adware and Malware makers are paying serious $$$ to various legit and semi-legit extension creators to take ownership of the extension, then to push out new updates that're chock-block full of Adware and Malware.  And these go out to ALL the users of the extension without their knowledge or consent - all the users know is that suddenly their computers are infected with viruses and/or their browsers are full of porn ads.  Yikes!

Google says their extensions policy for Chrome is due to change in June 2014, but that's not much help right now.  And the policy change doesn't necessarily solve the problem in the first place.

And let's pile on the bad news with the reveal that many browser extensions are spying on you, too...and that info is being sold to third parties. 

Worse, all these problems aren't limited to Google Chrome - it can impact the popular Mozilla FireFox browser, too.

So what can you do?  

  1. Take a look at the list of known-bad browser extensions.  If you've installed any of these, you need to disable and uninstall it.  Even if you like the functionality it offers, it's not worth the risk!
  2. If you use Google Chrome, open the extensions control page (click here) and disable any known-bad extensions (see point 1 above).  I'd strongly consider disabling all the extensions, since it's impossible to know which extension owners will sell out to adware/malware makers in the future.
  3. If you use Mozilla Firefox, open the browser and press CTRL+SHIFT+A keys to open the Add-Ons Manager.  There's a little icon like a six-pointed gear in the upper right.  Click the gear, then see if there's a checkmark next to "Update Add-ons Automatically".  If yes, click the checkmark to uncheck it.  Click the gear again and this time click "Reset All Add-ons to Update Manually".  This will force updates to be done manually.   
  4. If you use Internet Explorer, there isn't the fine control that Chrome and Firefox offer.  You can just enable/disable all third-party extensions.   Details are here.