Within the web stores of leading browsers like Chrome and Firefox, users can find hundreds of thousands of extensions. However, these little pieces of software pose big risks to the privacy and security of users and businesses.

Almost anyone can create a web extension and market it on browser web stores with little to no intervention or regulation from the web stores themselves. And in a marketplace that lacks adequate governance, it’s easy for users to unwittingly give unnecessary permissions to a malicious party.

In fact, this exact scenario played out over 1.7 million times across 500 extensions before Duo Security, a two-factor authentication platform, identified the extensions as malicious and facilitated their removal from the Chrome Web Store. Duo Security observed these extensions stealing user data, perpetrating click fraud, installing malware on user devices and sending users to phishing pages designed to trick them into handing over sensitive information. This left the data of everyone who downloaded these extensions, both users and businesses, vulnerable.

Without extension governance, business security is on the line

A browser provides a window into your business and an extension with overreaching permissions can see everything that goes on.

Here’s how it usually plays out: An unknowing colleague installs an extension and gives it permission to access the contents of every website the user visits. This includes the contents of every webpage (possibly containing sensitive information), cookies that may contain access tokens for secure sites, browsing activities, and a list of other apps and extensions.

The permissions might also allow the extension to log keystrokes or redirect the user to a malicious phishing page, e.g., a website that looks eerily similar to the business’s online banking portal, designed to capture sensitive login details.

The extension could even send the user to a page that downloads malware directly to their computer and from there across the entire corporate network. One user’s naive interactions can put sensitive, business-critical information assets at risk.

Additionally, these malicious extensions can steal your business’s ad spend. In this scenario, the extensions use the host device to route fake advertising engagement or record user activity and then replay it later as fake traffic that doesn’t look like a bot. To the brand running the advertising, it looks like real clicks and impressions. This is ad fraud designed to trick brands into paying for advertising that is never seen by the intended audience — and it happens in the background, without the knowledge of the extension’s end user. In 2018 alone, North American advertisers lost $44 million of advertising spend per day to fraudulent traffic. When users install new browser extensions, they can unknowingly become part of the ad fraud army fueling fraudulent activity.

Unknowing consumers also place themselves at risk

Consumers are just as susceptible to the risks of malicious extensions as businesses are: their individual privacy and online security are equally vulnerable.

Nefarious extensions invade user privacy by tracking online activity. Malware and phishing domains compromise personal security, and through various tactics extensions can capture sensitive information such as credit card details and login credentials. Background tasks created by these extensions also consume bandwidth, data allowances and device battery life.

Unfortunately, Google puts the onus on the user

Instead of monitoring extensions in its web store with human reviewers, Google has implemented an automated scanning process to flag suspicious activity, which has proved insufficient for vetting extensions for malicious intent. Historically, the tech giant has only acted after receiving consumer complaints, putting end users at high risk. In fact, security audits on extensions aren’t triggered until complaints reach a certain threshold, which means malicious activity can continue unchecked for some time.

Relying exclusively on automated detection rather than human oversight lets attackers craft an extension specifically to pass those scans. However, Google has made some progress and is testing a new feature in its Canary build that will indicate to the user which extensions require “full access.”

It’s up to the individual user to determine which apps and extensions they trust rather than assuming only trustworthy extensions are permitted in the web store. When installing an extension, users must ask themselves whether the permissions it is requesting line up with the functionality it claims to provide.

Users can also rely on tools like CRXcavator to better understand the permissions an extension can access and to gauge its risk. But it’s important to keep in mind that bad actors can easily manipulate reviews, so users cannot automatically trust an extension just because it has a million downloads or five stars. Similar logic applies to downloading desktop and mobile apps, which can host the same types of activity.
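The permission check described above can be made concrete by reading an extension’s manifest.json directly. The following is an added illustration, not code from the article or from CRXcavator: it maps the manifest permissions that grant the capabilities discussed in this piece (every page’s contents, cookies, browsing activity, the list of other extensions) to plain-language findings, so a reviewer can compare them against what the extension claims to do. The risk descriptions and the sample manifest are constructed for this example.

```javascript
// Added example: triage a Chrome extension manifest for overreaching permissions.
// Mapping of declared permissions to what they let the extension do (my own wording).
const RISKY_PERMISSIONS = {
  cookies: "read/modify cookies, including session tokens for logged-in sites",
  history: "read the full browsing history",
  tabs: "see the URL and title of every open tab",
  webRequest: "observe every network request the browser makes",
  webRequestBlocking: "modify or redirect requests (e.g. to a look-alike login page)",
  management: "list the other apps and extensions installed",
  clipboardRead: "read the clipboard",
  nativeMessaging: "talk to native programs on the device",
};

// True for host patterns that cover every site: "<all_urls>", "*://*/*", "https://*/*".
function isAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Returns a list of human-readable findings for one parsed manifest object.
function triageManifest(manifest) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  // Manifest V3 lists host patterns under host_permissions; V2 mixed them into permissions.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...declared.filter((p) => p === "<all_urls>" || p.includes("://")),
  ];
  if (hosts.some(isAllHosts)) {
    findings.push("host access: can read and change the contents of every page visited");
  }
  for (const p of declared) {
    if (RISKY_PERMISSIONS[p]) findings.push(`${p}: ${RISKY_PERMISSIONS[p]}`);
  }
  // Content scripts matched against every site give page access even without a host entry.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllHosts)) {
      findings.push("content_scripts: injects code into every page visited");
    }
  }
  return findings;
}

// Constructed sample: a "PDF converter" whose manifest asks for far more than it needs.
const sampleManifest = {
  manifest_version: 3,
  name: "Example PDF Converter (constructed sample)",
  permissions: ["storage", "cookies", "tabs", "management", "webRequest", "webRequestBlocking"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
```

Running `triageManifest(sampleManifest)` yields seven findings for a tool that should only need `activeTab`; an honest single-purpose extension with `permissions: ["activeTab", "storage"]` yields none.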

The bottom line: Users must take action to protect themselves now, but browsers can and should do more to protect their users by putting more rigorous checks in place.

Luke Taylor is the Founder and Chief Operating Officer of TrafficGuard. With over 18 years of experience in managing and growing various digital marketing, internet and mobile technology companies, Taylor has a proven ability to manage multifunctional teams and a track record of successfully developing and deploying ROI-driven strategies.