From ad-blockers to password managers, millions of users browse the web with the help of browser extensions every single day. Do they realize how much access they’re really giving these applications? Do web stores really do their due diligence when it comes to reviewing extensions? Spoiler: the answer is most likely no.
How much can extensions really access?
This means, for example, that a bad actor could:
- Overwrite the window.fetch() function to intercept any requests made by a webpage, without impacting them
- Read input values (like your password) on a webpage
- Read any personal data displayed, including your password manager’s web vault
- Perform actions on your behalf by interacting with page elements
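From the defender's side, a page can at least try to notice the first item in the list, a replaced window.fetch(), by checking that the function still stringifies as a built-in. The sketch below is an added example, not code from the original article; `looksNative` and `findPatchedApis` are hypothetical helper names, and `JSON.parse` stands in for a browser API so the check runs outside a browser.

```javascript
// Added example (not from the original article): heuristic check for patched APIs.
// Capture the built-in toString early, before later scripts can replace it.
const nativeToString = Function.prototype.toString;

// True when `fn` still stringifies as the built-in named `expectedName`.
// Bound functions and callable Proxies print as "function () { [native code] }",
// so the name is compared as well as the "[native code]" marker.
function looksNative(fn, expectedName) {
  if (typeof fn !== "function") return false;
  let src;
  try {
    src = nativeToString.call(fn);
  } catch (err) {
    return false;
  }
  const m = /^function\s*([\w$]*)\s*\(\)\s*\{\s*\[native code\]\s*\}$/.exec(src);
  return m !== null && m[1] === expectedName;
}

// Takes [label, owner, property] entries; returns the labels that look replaced.
function findPatchedApis(checks) {
  return checks
    .filter(([, owner, prop]) => !looksNative(owner && owner[prop], prop))
    .map(([label]) => label);
}

// Constructed stand-ins: JSON.parse plays the role of window.fetch so this runs
// outside a browser. Each object models one way the function could be swapped.
function demo() {
  const untouched = { parse: JSON.parse };
  const wrapped = { parse: (...args) => JSON.parse(...args) };
  const bound = { parse: JSON.parse.bind(JSON) };
  const proxied = { parse: new Proxy(JSON.parse, {}) };
  return findPatchedApis([
    ["untouched", untouched, "parse"],
    ["wrapped", wrapped, "parse"],
    ["bound", bound, "parse"],
    ["proxied", proxied, "parse"],
  ]);
}

// In a page, the equivalent call would be:
// findPatchedApis([["fetch", window, "fetch"],
//                  ["XHR.open", XMLHttpRequest.prototype, "open"]]);
console.log(demo());
```

This is a heuristic only: code that runs before the check can also replace Function.prototype.toString, so a clean result does not prove the page is untouched, and the check says nothing about extensions that read the DOM without patching anything.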