Data removal company Incogni analyzed the risk profiles of 1,237 Google Chrome extensions available on the Chrome Web Store. The study reveals that 1 in 2 Chrome extensions (48.66%) has a High to Very High Risk Impact, asking for permissions that could potentially expose Personally Identifiable Information (PII), distribute adware and malware, and log everything users do, including the passwords and financial information they enter while online.
- 1 in 2 (48.66%) Chrome extensions have a High to Very High Risk Impact
Risk Impact is defined, first and foremost, by the permissions a given extension requires at installation.
- 1 in 4 (27%) Chrome extensions collect data.
- Chrome extensions used for writing:
- are the most data-hungry (79.5% collect at least one data point)
- collect the most data types on average (2.5).
- are also the riskiest, asking for the most permissions, with one of the highest average Risk Impact scores (3.7/5.0).
Almost half of the 1,237 Chrome extensions analyzed score highly on Risk Impact, a measure of the potential consequences of an extension being or turning malicious.
Chrome extensions examined collect user data
While just over 1 in 4 (27%) of all Chrome extensions examined collect user data, almost 4 in 5 (79.5%) of writing aid extensions do so.
Writers, bloggers, and language learners need to pay particular attention to how they augment their browsers. Writing extensions collect the greatest number of data types (2.5 on average) and have the highest average Risk Impact scores (3.7/5.0).
Drilling down into the types of data writing extensions collect, we see that 56.4% collect PII (Personally Identifiable Information) and 33.3% collect location data. That’s a lot of trust to place in a company that’s looking to monetize its interactions with you.
According to Aleksandras Valentij, Information Security Officer at Surfshark:
“[Users should] be extremely cautious with browser extensions that require the following permissions: read and change all your data on all websites you visit, audio capture, browsing data, clipboard read, desktop capture, file system, geo location, storage, and video capture.
The general advice in such cases is to use common sense when granting permissions to browser extensions. For example, why would an ad blocker need audio capture access or access to your file system? If you have doubts, simply don’t use that particular add-on. There are plenty of alternatives for each add-on out there.”
Although installing extensions only from trusted developers with a history of ethical software development and high user ratings provides some level of protection, it doesn’t guarantee it. Extensions, like any other proprietary software, can change hands without notice.
Our researchers analyzed 1,237 Google Chrome extensions available on the Chrome Web Store. These extensions all have at least 1,000 installs and fall under 56 use cases, from writing to gambling. Our analysis was focused on their risk profiles (scraped from Chrome Stats) and the nine data types that extensions can collect.
The extensions were analyzed according to their:
- Use case
- Number of installs (<3,000; 3,001–10,000; 10,001–50,000; >=50,001)
- Country of origin (for the extension developers that declared it)
- Risk Impact and Risk Likelihood
Given that information on the collection and sale of user data is provided voluntarily through a declaration, the data on this aspect are assumed to represent the best-case scenario.