Extensions: the right tech, the right way

What is National Computer Security Day?

National Computer Security Day is an event every 30 November to raise public awareness about threats to computer security, to remind us to take our online protective measures seriously and to promote good device management. This year, at Cancer Research UK, we want to highlight the risks posed by extensions.

Thinking of adding that new extension to your web browser? Want to try out that new app to make your presentations even more impressive? Or maybe you want to play around with that tool that reads text out loud? We’re surrounded by so many new and interesting technologies that it’s easy to get drawn in without much thought because they’re all so fun or seemingly useful. But there are risks these tools pose – to the performance of your computer systems, the security of your data (any usernames and passwords you use, ie for online banking or your email account), and your privacy.

What are extensions and how do they work?

An extension is a ‘browser extension’, ‘plug-in’ or ‘add-on/in’ you install and add to your web browser to make it more functional. They’re designed to make your web browsing experience better and more personalised, enabling you to customise as you wish. There are thousands of different extensions out there such as writing editors, ad-blockers, and discount finders. We recognise that these extensions are extremely helpful and can make work and personal tasks a lot more productive and efficient. But it’s worth understanding how extensions work to fully appreciate why we need to take them seriously.

Extensions only work if you give them permission to read and change the content of the web pages you access. If you happen to download an extension that impersonates a legitimate one (or one that presents itself as useful for you but is instead something else entirely) and then you approve all permissions, you can give both legitimate organisations and criminals access to your personal data and organisational information. A browser extension may not necessarily be harmful as most developers aren’t creating extensions for these purposes. But there are opportunistic cyber criminals out there who recognise the potential of extensions. These extensions can be designed to be malicious from the start, or those that are genuine can get hijacked. Since web browser extensions are permitted to access your web data, they’re highly attractive vehicles for malware (malicious software designed to disrupt, damage or gain unauthorised access to systems, eg viruses) as an unsuspecting user need only install it on their device.

What are the key security and privacy risks?

• Fake extensions may contain malware or send you to malicious servers controlled by cyber criminals without you knowing. Some can even reroute your internet traffic (the pathway to your intended destination) to take you to a malicious server where your information and personal data can be read and manipulated. This is known as a Man-in-the-Browser (MitB) attack.
• Extensions develop security holes over time and become vulnerable to attack if poorly managed. Keeping your software and extensions updated helps to fill in these holes and developers are also constantly looking for ways to improve security measures.
• Extensions that haven’t been developed in the UK or EU aren’t designed with the same data protection standards, so they may not protect users to the standard the UK is accustomed to, or at all.
• Granting extensions permission can give those on the other end access to your device activity such as search history, cookies, and other personal data. A lot of the time, it’s difficult to determine where this information is going and who can see it.

Other risks you should keep in mind:

• Overloading your browser with extensions can cause your device to run less efficiently. You might find that your device runs slower than usual and is more prone to overheating (the internal fan may turn on more than usual). This can physically damage your device.
• Extensions can increase the risk of intellectual property infringement, such as copyright and confidentiality. For example, torrent extensions (file sharing through a decentralised network) often entail the sharing of copyrighted material and generative AI tools can pose a confidentiality risk if you input confidential information.
• You accept the terms and conditions of any tool/platform or website you use, regardless of whether you’ve ticked a box.

While new tools and extensions can help with productivity and efficiency, there are always drawbacks. Most of the time these products are free to use, which makes them more appealing. But when something is free there’s always a catch – whether that be lower security standards or the risk of your personal data or confidential business information being shared or sold to other companies. Just because a tool is available doesn’t mean you have to use it – and that’s key. It’s always important to make sure that you’re using a new tool with a purpose in mind and that you’re aware of how to keep security and confidentiality risks to a minimum.

Make sure you’re keeping you’re the number of extensions you install to a minimum, keep on top of your extensions management and never input confidential information or information you wouldn’t usually share publicly. By adopting a proactive and informed approach to extension use, you can enjoy the benefits of these tools while also minimising your exposure to threats in the digital space.