Reminder: Be Sparing in Trusting Browser Extensions

Brian Krebs recently posted this examination of the ways some browser extension authors are trying to pay their bills.

A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

Singapore-based Infatica[.]io is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions — desktop and mobile device software add-ons available for download from Apple, Google, Microsoft and Mozilla designed to add functionality or customization to one’s browsing experience.

Some of these extensions have garnered hundreds of thousands or even millions of users. But here’s the rub: As an extension’s user base grows, maintaining them with software updates and responding to user support requests tends to take up an inordinate amount of the author’s time. Yet extension authors have few options for earning financial compensation for their work.

So when a company comes along and offers to buy the extension — or pay the author to silently include some extra code — that proposal is frequently too good to pass up.

While there have been stories in the past of browser extensions that have been found to be stealing user data or doing other nefarious things, either because the developer was tempted by offers like the above, or because the extension changed owners and the new owner wanted a fast buck.

As the article notes, browser extensions can potentially wield a lot of power inside your browser. The browser makers try to exert some control, either through changes to Application Programming Interfaces (APIs) or checks on extensions submitted to their marketplaces, but for the most part it’s down to the user to work out whether the promised utility outweighs the potential security and privacy risk.

For my part, I’ve reviewed the extensions I use in my browser, and stripped out all but five which I use regularly and trust. Your choice will probably vary from mine, but if you’re using more than half a dozen perhaps it’s time to consider whether you need all of them installed. For web design / development, you may want to consider installing the Developer versions of Chrome and/or Firefox and using those specifically for that purpose. Or you might want to install the regular version of Firefox and use their Containers technology for accessing social media.