
Are Your Chrome Extensions Asking for Too Much?

Published:  at  05:00 PM

I came across this YouTube video by MegaLag today, and it reminded me that the general population may be unaware of the kind of access Chrome extensions have to your data. The video is a follow-up to his previous video on the Honey extension's privacy issues. Please go take a look at it for an in-depth analysis of the story. Thanks for the amazing journalism on this piece, MegaLag.

So, here are some things that Chrome extensions can do that you may not be aware of:

  1. Play audio
  2. Read your clipboard (maybe your passwords?)
  3. Capture your screen content
  4. Read and modify content on your page
  5. Run code on web pages.

Chrome has recently done amazing work to ensure that users are informed of the permissions an extension can take, including steps to ensure that scope is reduced as much as possible and that extensions gain permissions lazily, at the latest necessary time.

Even after all of this work, evil extensions disguised as having a legitimate use case (erm, something like Honey?) can gain access to your data.

So what can you do to reduce your exposure? We can never be truly safe, but we can always take precautions.

Audit the permissions requested by your extensions and ensure they only take permissions for what they do.

You can look at the permissions an extension needs on the Chrome Web Store, as well as on the Extension details page if it's installed. Audit them: if the extension only requires the necessary permissions, then you're all set. Otherwise, read on for what to do.
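One way to run this audit against an extension's manifest.json, as an added example (not code from the original post or from Chrome): it flags requested permissions that map to the capabilities listed above and separates them from optional ones that are only granted at runtime. The sample manifests and the contents of `SENSITIVE` are constructed for illustration.

```javascript
// Added example: flag manifest entries that grant the capabilities listed in the post.
// The permission names are real Chrome ones; the selection and wording are this example's own.
const SENSITIVE = new Map([
  ["clipboardRead", "read your clipboard"],
  ["desktopCapture", "capture your screen content"],
  ["tabCapture", "capture a tab's audio and video"],
  ["scripting", "run code on web pages"],
  ["tabs", "see the URL and title of every open tab"],
  ["cookies", "read and change cookies"],
]);

// A match pattern is broad when its host part is "*" or it is "<all_urls>".
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|[a-z]+):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const add = (severity, item, why) => findings.push({ severity, item, why });
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const requested = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const optional = [...(manifest.optional_permissions || []),
                    ...(manifest.optional_host_permissions || [])];
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  for (const p of requested) {
    if (isBroadHost(p)) add("high", p, "read and modify content on every site");
    else if (SENSITIVE.has(p)) add("high", p, SENSITIVE.get(p));
  }
  for (const m of scriptHosts) {
    if (isBroadHost(m)) add("high", m, "content script runs on every site");
  }
  for (const p of optional) {
    if (isBroadHost(p) || SENSITIVE.has(p)) add("info", p, "optional: granted only if requested at runtime");
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const broadManifest = {
  manifest_version: 3, name: "Example Coupon Finder",
  permissions: ["storage", "scripting", "clipboardRead"],
  host_permissions: ["<all_urls>"],
  optional_permissions: ["tabCapture"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const narrowManifest = { manifest_version: 3, name: "Example Copy As Markdown", permissions: ["activeTab", "clipboardWrite"] };

for (const f of auditManifest(broadManifest)) console.log(`[${f.severity}] ${f.item}: ${f.why}`);
```

Pass it the parsed manifest.json of an extension you are reviewing. An empty result means none of the listed capabilities were requested, not that the extension's code has been reviewed.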

Find open source alternatives to Extension X

You can try to find open source alternatives to the Chrome extensions that you need. Since the code is open source, there is a high chance people may have audited it, or you can do it yourself with the help of LLMs to understand what the extension is doing.

For example, I really like OneTab. If I wanted to move away from it, I could use something like BetterOneTab or NiceTab.

Build your own extension

Today, I was trying to link a URL in my Obsidian note when I noticed something. I was copying the link, then copying the page title to link the page again. 2 times switching tabs. One too many maybe. So I quickly built a small extension using Cursor that can copy the page URL along with the page title in the Markdown URL format. In the future I can add more stuff like different formatting.

With the widespread availability of LLMs, building things that are specific to your problems is easy. Small problems like these can be easily automated with a few prompts and some time spent.

So, next time you install a Chrome extension, please check what it can access and audit it to be aware of what data is shared!


