Every time you log in to your bank account, you see browser extensions. They can see your account balances, your transactions and your online banking password. They see everything in your browser: passwords, credit card numbers, private messages and the websites you visit.
Extensions have access to everything in your web browser
Have you ever paid attention to the message you see when you install a browser extension in Chrome, for example? For most browser extensions, a message is displayed that the add-on can “Read and edit all your data on the websites you visit.”
This means that the browser extension has full access to all the web pages you visit. It can see which web pages you are browsing, reading its contents and viewing everything you type. It can even change the web pages – for example by adding extra ads. If the extension is malicious, it can collect all your private data – from web browsing and the email you type to your passwords and financial information – and send it to a remote server on the internet.
So when you sign in to your online banking account, your browser extensions are with you. They can see your password when you log in and see everything you can see on your online banking account. They can even edit the online banking page before you see it.
RELATED: Why do Chrome extensions require “All your data on the sites you visit”?
There is a permission system, but most extensions get everything
We’ll simplify things here, but just a little bit: not every extension can see your online banking account. There is a permission system for browser extensions in modern web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari. Some browser extensions use far fewer permissions.
For example, they can only run if you click on the browser extension button, which means they can actually see nothing on a web page before clicking on the button. It can only work on specific websites – for example, a browser extension that affects Gmail can only work on Google’s website and not on other websites.
However, the vast majority of browser extensions used by most people have permission to run on every website that loads the browser.
In Google Chrome and Microsoft Edge, you can control the permissions of an extension’s access to the site ‘and choose whether it runs automatically on all the sites you open, just by clicking on it, or only on specific sites you list.
RELATED: How to control the permissions of a Chrome extension
Is it a real risk?
What we’re saying here is that most (or all) browser extensions you use can see your bank account information, just as they can see everything on the internet.
If a browser extension is completely reliable and trustworthy, that’s fine. The browser extension can act responsibly and not capture any data or interfere with your banking information.
If a browser extension is not reliable and wants to abuse this access, it can.
This is not just a theoretical problem. This has happened many times before. Even though all of your extensions are currently good, we’ve discussed the danger for a long time: A secure extension can turn into malware overnight. A developer might sell the extension to another company, and that company might add tracking code, keychains, or anything else. These kinds of things are big business. An extension can display more ads on the web pages you load and track you to better target ads, or criminals can capture your passwords, personal information and credit card numbers.
Your browser will install the update automatically and the new, malicious version of the extension will launch. Hopefully, your browser developer will spot the issue and disable the extension – Google may remove it from the Chrome Web Store, for example – but it may take some time.
And yes, some extensions have been captured with the capture of bank data.
RELATED: Browser extensions are a private nightmare: stop using so many of them
Only install extensions from developers you trust
We are not saying that you should remove every browser extension you have. Instead, just realize the awesome access to the browser extensions you are installing, and act accordingly.
Of course, if you trust the developer of an extension, install it. For example, if you use a password manager and the organization already trusts your passwords, please install your browser manager’s browser extension. (If you do not trust that organization to install a browser extension, you should definitely not trust it to manage your passwords!)
On the other hand, if you want a handy feature and you find an extension that offers it, but you have never heard of the developer and do not know how much to trust it, consider turning over the browser extension to strike.
You can also restrict access to the extension. For example, you can install an extension and set it to work only on specific websites in Chrome or Edge, or you can use a separate browser that has no potentially dangerous extensions installed to do your online banking services.
But keep in mind: if you do not trust the extension, you may not need to use it in the first place.
Finally, browser extensions have access to everything you do in your web browser. When you are thinking of installing a browser extension, ask yourself the following question: Would you install a browser desktop application from the browser extension maker and run it on your computer in the background? If not, consider skipping the browser extension as well.
Extensions look like small programs, but they are more powerful than they seem. A mobile app on iPhone or Android may not see everything you do on your phone, but a regular browser extension can see everything you do in your web browser.