Researchers examining the security of web browsers have uncovered that nearly 10% of extensions for Google Chrome could be used for data theft. Even more concerning, the behavior of malicious extensions is undetectable to end users, and the permission system doesn't always make it clear what an add-on will do to your browser.
Of the 48,000 Chrome extensions the researchers tested, 130 were labeled as being outright and definitively malicious. These extensions were found to perform a variety of dodgy actions, including credential and data theft, advertising and affiliate fraud, and abuse of a user's social networks.
A further 4,712 extensions were described as suspicious. One of these suspicious extensions was downloaded by more than 5.5 million people, and it installs a tracking beacon that sends information on your browsing activity to a remote server, without encryption. The research team did not label this behavior as malicious, but because the intent behind it is unknown, the extension could be risky to use.
Some other suspicious extensions were found to modify the URLs of some shopping websites, such as Amazon, to insert an affiliate link. This behavior could earn money for the extension's creator, but commits affiliate fraud along the way. Other extensions replaced or injected ads into websites, again so the extension's creator could earn money.
To discover the dodgy extensions, the researchers developed a detection engine called Hulk that closely monitors how extensions react to specific "HoneyPages" created by the team. Luckily, very few extensions were found to interfere with online banking.
Although nearly 10% of the extensions tested were found to be dodgy, Google has been improving the way it deals with them. It's now harder to install extensions from outside of Google's Chrome Web Store, and all extensions on the store are reviewed. Even so, some malicious extensions do slip through the cracks, so it's good to always be aware of what you're installing and exactly what it does.