When it comes to online security, you can never be too careful; this guide isn’t about antivirus programs, firewalls or VPNs though, as it is about Chrome extensions.
Just because an extension is on the Chrome web store doesn’t mean it is safe to use. There have been many cases of malicious add-ons which have been taken down in the past after they were installed by millions of Chrome users in some cases.
Note: The guide provides additional information on checking whether Chrome extensions are (likely) safe to use. You can check out Martin’s guide on verifying Chrome extensions, and there especially the part on looking at the source.
How to determine if a Google Chrome extension is safe
We will focus on steps that you may undertake before installing extensions. It is often easier to determine if an extension is shady or outright malicious if you have installed it as it may be the cause for visible unwanted changes or activity such as hijacking search engines, displaying advertisement or popups, or showing other behavior that was not mentioned in the extension’s description.
Web Store page
Analyze the extension’s listing and see if it rings some alarm bells. Broken grammar or English may be seen as warning signs but since developers from all over the world publish extensions on the Store, some may be written by non-English natives. Bad grammar or spelling mistakes may not be used as an indicator. Irrelevant screenshots or very odd descriptions, on the other hand are all tell-tale signs of a malicious extension. These are quite rare though.
Malware developers resort to all sorts of tricks to infect users, and one of these is to use the logo (icon) of popular brands or applications. Sometimes, people get fooled by these and think it’s from the company which makes the actual software. Pay attention to the developer name and click on it to see their other extensions.
Developer’s Website and Contact
Does the extension have its own web page? Visit it to learn more about it and maybe something about the developer. We recommend using a content blocker when visiting these sites to avoid issues if the site is specifically prepared to attack decvices.
Not all extensions have a web page, but most do, at least for support requests/FAQs. Is there a contact option on the Chrome web store page which lets you email the developer? If there is one it’s a good sign, but an absence of one doesn’t mean it’s a fake extension.
Use Control + F and search for words like data, collect, track, personal, etc, in privacy policies. Your browser should highlight the sentences which contain the word and you should read what it says.
If the policy is upfront about the data they collect, think about if it’s worth using the extension at the cost of privacy. I’ll give you a hint: It’s never acceptable.
When you click the install button, read the pop-up which lists the permissions the extension requires. Permissions may give important clues; an add-on for a visual enhancement (like a theme) shouldn’t require permissions like “Communicate with cooperating websites”. That means it could be sending data, your personal data, to some server.
These are big red flags if you know how to identify legit ones. Does an extension have reviews? Are they all 5-star reviews? That’s suspicious. Look at the publishing date of each review. If you find that they were all posted on the same day it may be fishy. Look at the text as well, if they look more or less the same, or if the usernames only contain random characters, alarm bells should go off and you should look deeper.
Take a look at the screenshot here. What do you see?
Did the reviewers copy/pasted the comment? It’s possible, but it wasn’t in this case. The extension had multiple reviews which used the same comments over and over. In fact, there was more than one review left by the same user. Is it possible the extension has hijacked the user to post these reviews? Or were they paid for? Regardless of this, I’d recommend avoiding such extensions to be on the safe side.
It may be a good idea to check whether the developer has commented on any of the user reviews. Go over the next few pages.
Search for similar extensions, watch out for the clones
It was alarming. The worst part was that the original add-on was about 2.15 MB in size while the clone was about 4.26 MB. If it was a clone, what’s the extra size for? That is scary. So search the web store using similar keywords (or the name of the extension), check out the results. Look at the add-on’s published date, the older one is obviously the original.
If the extension is open source, it is likely that it could be safe. But I wouldn’t take it for granted. You should go to the page where the source code is published to see if it actually exists. You should also check when the last commit was made on the source code page. If the extension was updated recently, but the source code wasn’t, the extension may no longer be open source and possibly open to privacy and security issues.
Search across Social networks
You could try Googling for the extension’s name to see whether any issues, recommendations or reviews were posted by users on social networks. This gives you an idea of real-world usage of the extension.
If you do come across suspicious extensions, do yourself and everyone a favor, and report it to Google.
Some tips I mentioned here aren’t necessarily restricted to Chrome extensions, they apply to extensions for other browsers such as Firefox as well.