Menu
EN

Research says extensions can steal your password from websites. Should you be worried?

Recent research by the University of Wisconsin-Madison found that “a significant percentage” of extensions in Chrome — about 12.5% — have received permissions from users that enable them to access sensitive personal information. The paper mainly focuses on passwords that the researchers say are often stored in plaintext within the source code of even reputable websites. These unprotected passwords, they argue, can become easy targets for malicious data-hungry extensions.

The researchers found that on 15% of the websites they studied — and these are not some obscure and unknown portals, but the likes of Google and Cloudflare (among others) — passwords were “present in plain text in the HTML source code.” In the researchers’ opinion, this careless attitude by website developers combined with relatively lax Chrome rules for extension developers leave the door wide open for attackers to exploit this vulnerability. During their research, they identified 190 extensions that were “directly accessing password fields,” including such popular extensions as AdBlockPlus and Honey — both of them boasting over 10 million downloads.

Exerpt from the research
Source

The researchers said:

“Analyzing the manifest files (the JSON-formatted files that provide important information about the extension’s capabilities and the files it uses), we find that 12.5% (17.3K) extensions have the necessary permissions to extract sensitive information on all web pages.

While Google Chrome’s new platform for extensions, Manifest V3, has imposed constraints on what extensions can do, the researchers found that these measures did not mitigate risks to security in any substantial way. They said: “Despite MV3’s intended advancements in user privacy and security, content scripts’ operations remain unchanged. This maintains the lack of security boundary between the extension and web page and allows an extension to be loaded on the DOM tree and gain unrestricted access to the webpage, posing security risks for the users.”

Sounds ominous, doesn’t it? So, let’s set things straight.

It’s a trust issue, there’s no getting round it

While it might be true that ad blocking extensions (like many others) require some scary-sounding permissions, it’s not because they are inherently malicious or hell-bent on stealing your data. It’s just they have no other way to do their job. And you have to trust them to do it right.

In fact, it’s by far not the first time that alarm bells have been sounded about the extent to which extensions can access user data. The issue is not specific to Chrome — extensions for other browsers, such as Firefox, have the same capabilities and permissions. Nor is it just about ad blockers: all extensions that need to modify the content of web pages, such as password managers and productivity tools, require broad access to the information on these web pages. The technical reason behind this is that these extensions use JavaScript, a programming language that allows them to read and transform HTML elements on the web page to fulfill their purpose. For example, password managers use JavaScript to insert passwords and usernames into input fields, while productivity tools use it to block distractions, track time, save web pages, etc. So, what about ad blockers?

Ad blockers run JavaScript to scan web pages for ad scripts and other elements that match their blocklist, so that they can block them. It also allows them to hide “ad leftovers” — empty spaces and broken elements that may have been left behind by the blocked ads. This process is called “cosmetic processing.”

In the AdGuard extension description in the Chrome Web Browser Store, we try to be transparent about why we need certain permissions.

AdGuard permissions

Thus we explain that we need permissions to read and change all your data on all websites (“host permission” in Chrome) and to access tabs (“tabs permission”) in order to block ads, as well as apply cosmetic rules so that web pages look clean and tidy. We also need the webNavigation permission to catch the moment when to inject ad-blocking scriptlets, that is before the page loads any ads.

To sum it up, the AdGuard extension, as well as many others, may require intrusive-sounding permissions to work. Ultimately, it’s up to you if you trust their developers and their justifications for needing these permissions enough to grant them.

So, should you be worried?

Yes, in the grand scheme of things, you should. You should be mindful when installing extensions that can access your data on web pages. Even if rather slim, there’s a chance that the extension you want to install is a malicious one and will steal your password or banking details that are stored in plaintext in a website’s HTML source code. With additional functionality come additional risks, and this applies not only for add-ons, but also for other services and devices: take WiFi-enabled vacuums or modern cars with sensors, for example. So, to cut to the chase, you will have to accept a higher level of risk to your security and privacy when you allow your add-on to work its magic, such as blocking ads. Regardless of whether you think such a trade-off is fair or not, it is just unavoidable.

In 2018, Mozilla devoted an entire blog post to extension permissions, including “scary-sounding ones”, in which it explained why extensions like ad blockers need them for legitimate reasons, but also highlighted the risks of installing them.

However, the Firefox maker noted that such cases, when a malicious developer claims your extension does one thing while it actually does something else, while possible, are still “rare.”

Mozilla's blog

Source: Mozilla

You may argue that even “rare” is sometimes too often. And we agree wholeheartedly — downplaying this problem would do nobody good. A few years ago, we ourselves exposed several malicious ad blocking extensions that ripped off the code of legitimate ones and could change your browser’s behavior in any way. At the time we estimated that over 20,000,000 people could be affected by these fake ad blockers. So now the burning question is, how can you be a little more comfortable giving your extension the ability to see all of your browsing activity?

Well, here’s a checklist that the extension needs to meet to be considered safe in our eyes:

  • The author of the extension is clearly stated, has a physical address, and, ideally, has been in the industry for many years

  • The privacy policy is present, clear, and user-friendly

  • The reasons for permissions are clearly stated, and match the purposes of the extension

  • The extension is open source: you can see the list of all commits and it’s always available (for example, AdGuard ad blocker extension for Chrome is free and public)

  • The developer maintains online presence and can be easily contacted by users (via social media, website, or a dedicated support desk) and provides timely responses

  • The extension has positive ratings and favorable reviews. Although these are not an iron-clad guarantee of it being safe, as reviews can be manipulated by bots or left by non-inquisitive casual users who appreciate the fact that the extension works and don’t look any deeper — but that’s another story

Liked this post?
By downloading the comments you agree the terms and policies

AdGuard for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
User Reviews: 12830
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
User Reviews: 12830
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
User Reviews: 12830
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard for iOS

The most advanced ad blocker for Safari: it makes you forget about pop-up ads, speeds up page loading, and protects your personal data. A manual element-blocking tool and highly customizable settings help you tailor the filtering to your exact needs.
User Reviews: 12830
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard Browser Extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
User Reviews: 12830
4.7 out of 5

AdGuard for Safari

Ad blocking extensions for Safari are having hard time since Apple started to force everyone to use the new SDK. AdGuard extension is supposed to bring back the high quality ad blocking back to Safari.
User Reviews: 12830
4.7 out of 5
App Store
Download
By downloading the program you accept the terms of the License agreement

AdGuard Home

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network.
User Reviews: 12830
4.7 out of 5

AdGuard Content Blocker

AdGuard Content Blocker will eliminate all kinds of ads in mobile browsers that support content blocker technology — namely, Samsung Internet and Yandex.Browser. While being more limited than AdGuard for Android, it is free, easy to install and still provides high ad blocking quality.
User Reviews: 12830
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard Assistant

A companion browser extension for AdGuard [desktop apps](/en/products.html). It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
User Reviews: 12830
4.7 out of 5
Assistant for Chrome Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Firefox Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Edge Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Opera Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Yandex Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Safari Is it your current browser?
If you can't find your browser, try the old legacy Assistant version, which you can find in AdGuard extension settings.

AdGuard Temp Mail β

A free temporary email address generator that keeps you anonymous and protects your privacy. No spam in your main inbox!
User Reviews: 12830
4.7 out of 5

AdGuard for Android TV

AdGuard for Android TV is the only app that blocks ads, guards your privacy, and acts as a firewall for your Smart TV. Get warnings about web threats, use secure DNS, and benefit from encrypted traffic. Relax and dive into your favorite shows with top-notch security and zero ads!
User Reviews: 12830
4.7 out of 5
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device