Extensions can expand the out-of-the-box functionality of your browser. They can help you take notes, manage passwords, block ads, and more. But do you know how browser extensions actually work?

Some require access to almost everything your browser sees. Everything from the sites you visit, keystrokes, even your passwords. And while you might install from a reputable source (like the Chrome Web Store), note that extensions are made by thousands of publishers, some smaller (and less respected) than others. It can be hard to tell what’s legit and what’s just a fancy piece of malware. Many browser extensions are safe, but some are malicious and could expose you to fraud and identity theft.

So how do you decide if a browser extension is safe? In this article: best practices for data safety in browser extensions.

Internet browsers and personal data

Before we discuss extensions, let’s discuss the browser itself. Your Internet browser is the main vehicle you use to access the Web. It’s where you search, visit webpages, watch videos, and more. But many browsers have unfettered access to your personal data. Websites track your viewing history, social media tracks likes and follows… And third-party data brokers collect that info to assemble a digital profile for you so they can target you with tailor-made ads. Often, all this tracking & collection happens in—and is enabled by—the browser.

So if this data is sitting in your browser, any extension you install might have access to it.

Is it safe to use browser extensions?

Any secure browser can be susceptible to attack from within. If you install an unsecured or compromised extension, you might allow attackers to gain access to all the data in your browser. For example, in 2018, four Google Chrome extensions were discovered to be secretly using the browser to click on pay-per-click ads. More recently, Mozilla removed 197 add-ons, many from the same company, that were either collecting user data without the user’s consent or were running malicious data.

Others might start safe (being built by a reputable publisher) only to slip into unsafe territory if the extension gets sold to a different, less trustworthy publisher.

This happened in 2017 when the “Particle” extension for YouTube was sold to a developer who updated and then used the extension to inject ads into websites. As users of the extension swiftly noticed the change and complained, others picked up on the fact that two other extensions owned by the developer also changed from helpful to fraudulent after being sold. It also reminded people that dangerous extensions can be found in official web stores.

What makes browser extensions so potentially dangerous is their permissions management. Most browser extensions have an extensive level of access that users are unaware of. They can even add viruses to your device.

Now, these are obviously worst-case scenarios. Many extensions are safe and reputable. You just have to be careful.

How to safely use extensions

Brave and Google Chrome are both Chromium-based web browsers; they’re both compatible with most of the extensions found on the Chrome Web Store. And the vast majority of extensions you find there are safe.

To validate the safety of any extension, start with a few quick checks:

• Is the extension available on an official web store?
• Who built the extension? Do they seem like a reputable source?
• Does the extension’s Web store listing have proper grammar and logos?
• Does the extension maker have a web page? Does it seem legit? Is there contact info for the developer?
• Check the extension’s permissions—what does the extension have permissions to in your browser, and why?
• Does the extension have a large number of user reviews? Are the reviews positive? Are they recent? (Beware of a string of 5-star reviews, identical comments, or comments all published on the same date.)
• When you search for the extension, do you find look-alike or “clone” versions? Are you sure you’re installing the right one?

As a best practice, you should regularly review the extensions you’ve got installed. If you find one that’s worrisome, or that you’re just not using anymore, remove it quickly.

Beyond extensions—using next gen browsers instead

To use browser extensions safely, use them sparingly, and follow the best practices discussed in this article. But of course, the safest way to use extensions…is to not use them at all. Consider the purpose of the extension you’re looking at, and see if there’s a browser with that functionality out-of-the-box. For example, Brave has ad-blocking, VPN, even a crypto wallet, all built right into the browser. No extensions required.

Brave doesn’t allow trackers, and eliminates the vast majority of third-party ads. The result gives much more control to the users over who has access to their data. The Brave browsing experience is also markedly faster, free from the slow-down effect of background trackers. Faster page loading is one of the key features of the Brave Browser.