
Whenever you sign in to your bank account, your browser extensions are there too. They can view your account balances, transactions and your online bank password. They see everything in your browser: passwords, credit card numbers, private messages and the websites you visit.
Extensions have access to everything in your web browser
Have you ever paid attention to the message you see when installing a browser extension on Chrome, for example? For most browser extensions, you will see a message stating that the add-on can “Read and change all of your data on the websites you visit”.
This means that the browser extension has full access to all the web pages you visit. It can see what webpages you are browsing, read their content and watch everything you type. It can even modify web pages – for example, by inserting extra ads. If the extension is malicious, it can collect all of your private data – from web browsing activity and the emails you enter to your passwords and financial information – and send it to a remote server on the Internet.
So when you sign in to your online bank account, your browser extensions are there with you. They can see your password when you log in and see everything you can see in your online bank account. They can even modify the bank’s online page before you view it.
There is a permission system, but most extensions have everything
We’re oversimplifying things here, but just a little: not all extensions can see your bank account online. There is a permission system for browser extensions in modern browsers like Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari. Some browser extensions use far fewer permissions.
For example, some can only run when you click the extension’s button, which means that they cannot actually watch anything on a web page until you click that button. Others can only run on specific websites – for example, a browser extension that affects Gmail can only run on the Google website and not on other websites.
However, the vast majority of browser extensions that most people use are allowed to run on all the websites that the browser loads.
In Google Chrome and Microsoft Edge, you can control an extension’s “site access” permissions and choose whether it will run automatically on all sites you open, just when you click on it, or only on specific sites you list.
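The three levels of access described above (all sites, specific sites, only on click) can be read from an extension's manifest.json. The following is an added example, not code from the original article: it classifies Chrome/Edge-style manifests by the site access they request, and the sample manifests and function names are constructed for illustration.

```javascript
// Added example: classify what site access an extension's manifest.json requests.
// Patterns that match every http(s) page the browser loads.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns are "<all_urls>" or scheme://host/path; API names are not.
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);
}

// Collect host patterns from Manifest V2 (permissions), Manifest V3
// (host_permissions) and content_scripts[].matches.
function hostPatterns(manifest) {
  const fromPerms = (manifest.permissions || []).filter(isHostPattern);
  const fromHosts = manifest.host_permissions || [];
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...new Set([...fromPerms, ...fromHosts, ...fromScripts])];
}

function classifySiteAccess(manifest) {
  const patterns = hostPatterns(manifest);
  if (patterns.some((p) => BROAD.has(p))) return { access: "all-sites", patterns };
  if (patterns.length > 0) return { access: "specific-sites", patterns };
  // activeTab grants access to the current tab only after the user invokes the extension.
  const onClick = (manifest.permissions || []).includes("activeTab");
  return { access: onClick ? "on-click" : "none", patterns };
}

// Constructed sample manifests (hypothetical extensions, not real products).
const SAMPLES = {
  couponFinder: { manifest_version: 3, permissions: ["storage"], host_permissions: ["<all_urls>"] },
  mailHelper: { manifest_version: 3, content_scripts: [{ matches: ["https://mail.google.com/*"], js: ["cs.js"] }] },
  pageClipper: { manifest_version: 3, permissions: ["activeTab", "scripting"] },
  legacyToolbar: { manifest_version: 2, permissions: ["tabs", "https://*/*"] },
};

function auditAll(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, m]) => [name, classifySiteAccess(m).access])
  );
}

console.log(auditAll(SAMPLES));
```

The result reflects what the extension asks for at install time; the "site access" setting in Chrome and Edge can narrow it further for an individual extension.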
Is it a real risk?
What we are saying here is that most (or all) of the browser extensions you use can see your bank account information, just as they can see everything else you do on the web.
If a browser extension is completely trustworthy and reliable, that’s fine. The browser extension can behave responsibly and not capture any data or interfere with your bank information.
If a browser extension is untrustworthy and wants to abuse that access, well, it can.
This is not just a theoretical problem. It has happened many times before. Even if all of your extensions are fine now, we have long discussed the danger: a secure extension can turn into malware overnight. A developer can sell the extension to another company, and that company can add tracking code, keyloggers, or anything else. That kind of thing is big business. An extension can display more ads on the web pages you load and track you to better target the ads, or criminals can capture your passwords, personal information and credit card numbers.
Your browser will automatically install the update and the new malicious version of the extension will start to work. Fortunately, your browser developer will notice the problem and disable the extension – for example, Google can remove it from the Chrome Web Store – but it may take some time.
And yes, some extensions have been caught capturing bank details.
Only install extensions from developers you trust
We are not saying that you need to uninstall all the browser extensions you have. Instead, just notice the immense access you’re giving to installed browser extensions and act accordingly.
If you trust the developer of an extension, go ahead and install that extension. For example, if you use a password manager and already trust that organization with your passwords, feel free to install the password manager browser extension. (If you don’t trust this organization enough to install its browser extension, you should definitely not trust it to manage your passwords!)
On the other hand, if you want a nice feature and find an extension that offers it, but you’ve never heard of the developer and you’re not sure how much you should trust it – consider skipping the browser extension.
You may also want to limit the access that the extension has. For example, you can install an extension and configure it to run only on specific sites in Chrome or Edge, or you can use a separate browser that has no potentially dangerous extensions installed to do your online banking.
But think about it: if you don’t trust the extension, maybe you shouldn’t run it in the first place.
Ultimately, browser extensions have access to everything you do in the web browser. When thinking about installing a browser extension, ask yourself this question: Would you install a Windows desktop application from the browser extension creator and allow it to run in the background on your computer? If not, consider skipping the browser extension as well.
Extensions may seem like small programs, but they are more powerful than they look. A mobile app on the iPhone or Android cannot see everything you do on your phone, but a typical browser extension can see everything you do in your web browser.