By Nicholas De León, Consumer Reports
A recent leak of private Facebook messages, primarily in Europe, should remind consumers to be cautious when downloading and using web browser extensions, security experts say.
That’s because Facebook says the data loss didn’t stem from a security breach of the social platform itself but rather from an extension people had loaded onto their computers.
“We believe this information was obtained through malicious browser extensions installed off of Facebook,” Guy Rosen, Facebook vice president of product management, tells Consumer Reports. “We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related.”
Extensions are small software programs that typically add useful functionality to web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge, and are downloaded from online app stores hosted by these companies. Consumer Reports has a Chrome browser extension that shows members the CR ratings for products we’ve tested when they view the items on several retailer websites.
According to the BBC, which uncovered the leak, cybercriminals offered to sell personal Facebook information on a hacker message board. A cybersecurity firm that worked with BBC on the story confirmed that samples posted by the hackers included private messages from 81,000 accounts, but it discounted the hackers’ claim to have data from 120 million accounts.
Facebook and the companies behind the three biggest web browsers wouldn’t name the extension involved in the data theft or say how long it was available for people to download. Google said the extension had been removed from the Chrome Web Store last year over an unrelated policy violation. Mozilla said it wasn’t contacted by Facebook, and Microsoft declined to comment.
Legitimate browser extensions can be useful, doing anything from blocking ads to monitoring online retailers for sales to helping people manage passwords.
However, hackers can use malicious extensions to siphon your personal data.
“The only surprise to me is that we haven’t seen more data breaches of this type,” says Matt Atkinson, product director for Avast Secure Browser, a security-focused web browser created by the Avast anti-malware and cybersecurity firm. “Social data is just the tip of the iceberg, but there are other targets, like banks and other financially sensitive sites, that are vulnerable to this exact type of exploit—a compromised extension.”
Here’s how to stay safe when using browser extensions.
A recent leak of private Facebook messages, primarily in Europe, should remind consumers to be cautious when downloading and using web browser extensions, security experts say.
That’s because Facebook says the data loss didn’t stem from a security breach of the social platform itself but rather from an extension people had loaded onto their computers.
“We believe this information was obtained through malicious browser extensions installed off of Facebook,” Guy Rosen, Facebook vice president of product management, tells Consumer Reports. “We have contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores and to share information that could help identify additional extensions that may be related.”
Extensions are small software programs that typically add useful functionality to web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge, and are downloaded from online app stores hosted by these companies. Consumer Reports has a Chrome browser extension that shows members the CR ratings for products we’ve tested when they view the items on several retailer websites.
According to the BBC, which uncovered the leak, cybercriminals offered to sell personal Facebook information on a hacker message board. A cybersecurity firm that worked with BBC on the story confirmed that samples posted by the hackers included private messages from 81,000 accounts, but it discounted the hackers’ claim to have data from 120 million accounts.
Facebook and the companies behind the three biggest web browsers wouldn’t name the extension involved in the data theft or say how long it was available for people to download. Google said the extension had been removed from the Chrome Web Store last year over an unrelated policy violation. Mozilla said it wasn’t contacted by Facebook, and Microsoft declined to comment.
Legitimate browser extensions can be useful, doing anything from blocking ads to monitoring online retailers for sales to helping people manage passwords.
However, hackers can use malicious extensions to siphon your personal data.
“The only surprise to me is that we haven’t seen more data breaches of this type,” says Matt Atkinson, product director for Avast Secure Browser, a security-focused web browser created by the Avast anti-malware and cybersecurity firm. “Social data is just the tip of the iceberg, but there are other targets, like banks and other financially sensitive sites, that are vulnerable to this exact type of exploit—a compromised extension.”
Here’s how to stay safe when using browser extensions.
Don’t Use Too Many
Security experts say that the first step in staying safe is to avoid downloading too many extensions. “The most secure building is a building with no doors or windows,” Atkinson says. “Less is more.”And today’s web browsers are so feature-packed that you might not need many of the extensions that were once popular, such as tools for saving news articles to read later or managing to-do lists.
“Eventually many of the really good extensions just become part of the browser itself,” says Robert Richter, who oversees Consumer Reports’ privacy and security testing.
Delete Unused Extensions
Experts says it’s also smart to regularly review which extensions you have installed, and to delete ones you no longer use. This minimizes the risk of hackers taking advantage of a security flaw in a legitimate extension to steal your data.This can also help your browser work better.
“You should routinely go in and clean up your browser extensions,” says Gary Davis, chief consumer security evangelist at McAfee, a leading producer of anti-malware software. “It’s going to affect your system performance, so it’s a good digital hygiene thing.”
The process for deleting an extension varies by browser. In Chrome, you can typically click on the extension icon in the upper righthand corner of the window, and then choose Remove. Or, click the More button (three vertical dots at the upper right of the window), and choose More Tools to get a list of all your extensions, and the option to remove the ones you no longer want.
Stick to Trusted Sources
Make sure to download extensions only from an official source, such as the Chrome Web Store or Mozilla. These companies screen extensions for security.Google tells Consumer Reports that it uses machine learning to detect and block malicious extensions. If the company discovers problems with an extension already in the Chrome store, it can disable the extension remotely on users’ computers. Mozilla says it subjects extensions to automated validation checks, with manual code reviews if necessary.
Security experts say it’s also smart to limit yourself to extensions produced by companies you already trust. “If you just find a quick and dirty extension, you have no idea what data they’re collecting and what they may be doing with it,” Davis says.