Thursday, September 19, 2024

Browser extensions: The hidden privacy risk affecting millions of internet users

By StudyFinds Staff
Reviewed by Chris Melore
Research led by Frank Li and Qinge Xie, Georgia Tech
Sep 18, 2024

ATLANTA — Have you ever installed a browser extension to block ads, manage your passwords, or find the best shopping deals? If so, you’re not alone. Millions of internet users rely on these handy tools to customize their browsing experience. However, Georgia Tech researchers are revealing a shocking truth: your favorite browser extensions might be secretly snooping on your personal information.

Browser extensions are like mini-apps that you can add to your web browser. They can do all sorts of helpful things, from correcting your grammar to translating web pages on the fly. For many of us, they’ve become an essential part of our online lives.


Here’s the catch: to do their job, these extensions often need access to the web pages you visit. That’s where things can get tricky.

A team of researchers at Georgia Tech, led by Frank Li and Qinge Xie, decided to take a closer look at what these extensions are really up to. They developed a system called Arcanum to monitor how extensions interact with web pages. They found that, of the more than 100,000 extensions in the Chrome Web Store, more than 3,000 were automatically collecting user-specific data. Even more concerning, more than 200 extensions were directly taking sensitive information from web pages and uploading it to servers. The team presented their findings at the 33rd USENIX Security Symposium.

“We know from prior research that browser extensions collect users’ browser activity and history, but some of the most sensitive user data is located within webpages, such as emails, social media profiles, medical records, banking information, and more. We wanted to know if extensions are also collecting personal data from these webpages,” says Frank Li, an assistant professor at Georgia Tech, in a media release.

The research team focused on seven popular websites known to contain sensitive information: Amazon, Facebook, Gmail, Instagram, LinkedIn, Outlook, and PayPal. These are sites where many of us store our most personal data, from private messages to financial information. The scale of the problem is significant. The researchers found that these data-collecting extensions affect tens of millions of users.

Here’s the kicker: none of the extensions they examined clearly explained this data collection in their privacy policies or store descriptions.


Now, before you rush to uninstall all your extensions, it’s important to note that not all data collection is necessarily malicious. Some extensions might need certain information to function properly.

“Unfortunately, the same capabilities that extensions rely on to enrich the web browsing experience can also be abused to harm user privacy, and potentially without users’ knowledge or explicit consent. Even in cases where data collection is benign and necessary for legitimate functionality, it introduces privacy risks. Sensitive user data can be transmitted and stored by a third party, which may further share the data or possibly leak the data during a data breach,” Qinge Xie points out.

The researchers suggest that companies like Google could develop stricter privacy policies for extensions or more rigorously enforce existing ones. Websites that handle sensitive user data could also step up their protective measures. But what about us, the everyday users?

“I don’t believe individual users should have to bear the burden of worrying about their privacy or protecting their data, because they may not have the capability or technical knowledge to figure out what’s happening,” says Frank Li.

While we wait for tech companies to address these issues, there are a few steps you can take to protect yourself. Only install extensions from trusted sources and regularly review the permissions you’ve granted to your extensions. If an extension asks for more access than seems necessary for its function, think twice before installing it. Keeping your extensions updated is also crucial, as updates often include security improvements.
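One way to carry out the permission review described above is to read each extension's manifest.json and list which pages it is allowed to access. The following is an added example, not code from the article or the study; the hostnames chosen for the seven sites and the sample manifests are assumptions constructed for illustration.

```python
import json

# Assumed hostnames for the seven sites the article names (not taken from the study).
SENSITIVE_HOSTS = ["www.amazon.com", "www.facebook.com", "mail.google.com",
                   "www.instagram.com", "www.linkedin.com", "outlook.live.com",
                   "www.paypal.com"]

def pattern_host(pattern):
    """Host part of a match pattern: '*' means every host, None means not a web host."""
    if pattern == "<all_urls>":
        return "*"
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return None  # API permission names such as "storage", file:// patterns, ...
    return rest.split("/", 1)[0]

def covers(pat_host, host):
    """True if a pattern host (exact, '*.domain' or '*') includes `host`."""
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest):
    """Summarise which pages an extension's manifest lets it read."""
    patterns = list(manifest.get("host_permissions", []))      # Manifest V3
    patterns += manifest.get("optional_host_permissions", [])  # can be granted later
    patterns += manifest.get("permissions", [])                # Manifest V2 lists hosts here
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    hosts = [pattern_host(p) for p in patterns if isinstance(p, str)]
    hosts = [h for h in hosts if h is not None]
    return {"name": manifest.get("name", "?"),
            "all_sites": "*" in hosts,
            "sensitive_hosts": sorted(s for s in SENSITIVE_HOSTS
                                      if any(covers(h, s) for h in hosts))}

# Constructed sample manifests for hypothetical extensions.
SAMPLES = [json.loads(text) for text in (
    '{"name": "Coupon Helper", "permissions": ["storage", "<all_urls>"]}',
    '{"name": "Pay Tracker", "host_permissions": ["https://*.paypal.com/*"],'
    ' "content_scripts": [{"matches": ["*://mail.google.com/*"], "js": ["cs.js"]}]}',
    '{"name": "Dark Docs", "permissions": ["storage"],'
    ' "content_scripts": [{"matches": ["https://docs.example.org/*"], "js": ["d.js"]}]}',
)]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_manifest(sample))
```

An extension flagged with `all_sites` or with a sensitive host that its stated purpose does not need is the "more access than seems necessary" case worth a second look.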


Paper Summary


Methodology

The study developed a system called Arcanum to track how web browser extensions (like those on Google Chrome) access and potentially misuse sensitive user data from websites. The researchers used a technique called dynamic taint tracking to follow the flow of private information, like emails or social media posts, from specific parts of web pages. They created “taints” or markers for sensitive data and observed how this data moved from a website to the browser extensions.

The team tested Arcanum with extensions from the Chrome Web Store and targeted seven major websites, including Amazon, Facebook, and Gmail, to see how extensions handled private user data. In simpler terms, the team “tagged” private information and watched what browser extensions did with it to see if it was being shared or stored without the user knowing.
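The tag-and-follow idea described above can be shown with a much simplified model: data read from sensitive page elements is marked, the mark survives string operations, and a check at the network and storage calls records any marked data that arrives there. This is an added illustration, not Arcanum's code; the element names, URLs and the simulated extension are hypothetical.

```python
def sources_of(value):
    """Taint labels attached to a value (empty for ordinary data)."""
    return getattr(value, "sources", frozenset())

class Tainted(str):
    """A string that remembers which page elements (taint sources) it came from."""
    def __new__(cls, value, sources):
        self = super().__new__(cls, value)
        self.sources = frozenset(sources)
        return self

    # Propagation: values derived from tainted data stay tainted.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.sources | sources_of(other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.sources | sources_of(other))
    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.sources)
    def upper(self):
        return Tainted(str.upper(self), self.sources)

FLOWS = []  # (sink kind, destination, sorted taint sources)

def sink(kind, destination, payload):
    """Sink check: record tainted data reaching a network or storage call."""
    if sources_of(payload):
        FLOWS.append((kind, destination, sorted(sources_of(payload))))

# Constructed page content; keys stand for DOM elements, two marked as sensitive.
PAGE = {"inbox.subject": "Your lab results", "account.email": "alice@example.com",
        "page.title": "Inbox"}
SENSITIVE = {"inbox.subject", "account.email"}

def read_dom(selector):
    """Taint source: text read from a sensitive element is tagged with its name."""
    text = PAGE[selector]
    return Tainted(text, {selector}) if selector in SENSITIVE else text

def run_extension():
    """Hypothetical extension logic under observation; returns the recorded flows."""
    FLOWS.clear()
    sink("network", "https://stats.example.net/ping", "title=" + read_dom("page.title"))
    body = "u=" + read_dom("account.email").upper() + "&s=" + read_dom("inbox.subject")[:8]
    sink("network", "https://collector.example.net/up", body)
    sink("storage", "local:lastUser", read_dom("account.email")[:5])
    return list(FLOWS)

if __name__ == "__main__":
    for flow in run_extension():
        print(flow)
```

The upload of the page title is not reported because it carries no mark, while the transformed and truncated email and subject line are still traced back to the elements they came from.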


Key Results

The researchers found that many browser extensions collect private information from websites you visit. They discovered that over 3,000 extensions were gathering sensitive data, like your emails or social media activity, without clear warnings to users. This affects about 144 million users worldwide. These extensions were taking information from websites like Facebook and PayPal and often sending this data to other servers or storing it.

Some of the information being shared included credit card details, email addresses, and even messages from Gmail. The results showed that browser extensions can be a big risk to privacy, and many users may not realize how much of their personal information is being collected.

Study Limitations

One of the limitations of the study was that it could not always tell whether the information collected by extensions was being used maliciously or for legitimate purposes. Some extensions may need this data to work properly, but the study couldn’t always distinguish between these two cases.

Also, the system they used, Arcanum, may not work with all future browser updates, which could limit its use in future studies. Another limitation is that the researchers only tested extensions on a limited set of websites, so they may not have caught all the potential privacy risks across the web.

Discussion & Takeaways

The main takeaway from the study is that browser extensions pose a significant privacy risk. Even though they help users customize their browsing experience, many extensions collect personal data without clear user consent. This data could be misused or leaked if not handled properly. The researchers suggest that browsers need to implement stricter privacy controls for extensions and that users should be more cautious when installing extensions.

They also recommended that developers be more transparent about what data their extensions collect and how it’s used. Arcanum helped highlight the extent of these privacy issues, but more needs to be done to protect users.
