Google Chrome extensions are popping up faster than you can say “there’s an app for that.”  As a result, the Google Security team simply can’t keep up with inspecting every single one of them.  There are a lot of great, useful extensions for Chrome, but there are also some bad apples in the bunch that pose a real threat to privacy.  Wondering exactly how safe you are with chrome extensions?  I was, so I did some research.   As it stands, this is the biggest thing that turns me off of Chrome extensions.  I know it isn’t any better than what other browser offer, but I thought they might be a little more strict with the new Chrome Web Store. Google doesn’t have a set privacy policy or terms of service regarding extensions made by third parties, so they can do whatever they want with whatever data they collect.  Regarding this Google has said: For example, there is a developer spammer for a duped-up DropBox extension and they are marked as a “verified author.” but their website is almost completely blank and they don’t have any policies or terms of service of their own.  On top of that, the permissions it is asking for are still rather vague; …If you install a plug-in on Google Chrome, any data processed by the plug-in will be handled in accordance with the policies of the developer of the plug-in.

Your data on *.dropbox.comYour tabs and browsing activity

Browsing history and tabs could mean that this extension is give data on every single site you open in your browser, and access to Dropbox.com may let the extension have access to all of your Dropbox files.  The other Dropbox apps that it likely copied don’t require permission to to access your tabs and browsing activity.  The Google code site delves into this in further details, and the last update on the matter came from Googler Tony in July of 2010 –where he said: Got it -don’t download apps from shady developers.  But, what about the “verified” author tag?

What does it mean if a chrome extensions developer is “verified?”

Back in August of 2010, Google started requiring a one-time $5 fee to signup for the Chrome Extensions Gallery.  Their intention in doing was was to prevent spam, and also to cut down on the amount of malicious extensions added to the gallery.  It’s been successful at reducing the amount of fraudulent, but it doesn’t stop someone from just paying $5 and uploading an information stealing app.  Of course, fraudulent apps don’t tend to last very long since users do have the ability to report them.

Conclusion

You need to be smart about downloading extensions.  The Google Chrome Extensions Gallery is filled with mostly well-intentioned developers.  But, all it takes is one bad guy to steal all of your internet browsing data, so pay attention to extension reviews, number of users, and who the developer actually is.  The overall lesson is still: if you don’t trust the developer, don’t install their extension. Comment Name * Email *

Δ  Save my name and email and send me emails as new comments are made to this post.

How Safe is it to Download Chrome Extensions  - 34How Safe is it to Download Chrome Extensions  - 41How Safe is it to Download Chrome Extensions  - 84How Safe is it to Download Chrome Extensions  - 59