What are browser extensions, and are they safe?

Modern Web browsers make it easy to access websites, search the Web, and do just about everything online. But by default, browsers might not have all the functionality you want. In these cases, many people will customize by installing a browser extension.

An extension is basically a piece of software that adds some custom function to your core browser. They can help you take notes, manage passwords, block ads, and more. But extensions can also introduce security risks.

In this short article: an intro to browser extensions. What they do, how they work, how to add (or remove) them, and how to use them safely.

What are browser extensions and how do they work?

At essence, Web browsers process information. Uploads from your computer, downloads from the Web, visiting websites…all this happens in your browser, with information constantly sent back and forth. Browser extensions modify this basic flow of information in some way.

An extension is a small piece of software you can install to customize your browser’s appearance or function. Some extensions come from the makers of a browser, but more often, they come from third-party developers trying to add some new functionality that a browser doesn’t already have.

What can browser extensions do?

Extensions can do almost anything. They might enable email encryption, ad blocking, one-click password storage, spell-checking, and more. Extensions are like specialized agents working with the flow of information through your browser. They might organize your notes, protect you from hackers, or just transform how that information appears in the browser window (e.g. dark mode).

But in order to function, extensions usually need broad-sweeping permissions over your browser. Some require access to almost everything your browser sees. Everything from the sites you visit, keystrokes, even your passwords. This means a bad extension (or a poorly secured browser) can expose you and your data, and introduce major privacy and security risks.

Security and privacy risks with browser extensions

Many browser extensions are safe, but there’s always some degree of inherent risk. Installing an extension introduces new software to your browser—software which could potentially have security weaknesses (or be downright malicious).

Third-party extensions might secretly include malware, or have security flaws that hackers can exploit. And it’s very common for attackers to “spoof” legitimate browser extensions, creating fraudulent versions to trick and defraud users (e.g. the numerous MetaMask fakes on the market).

There’s even a risk in downloading from trusted channels like the Chrome Web Store—sometimes Google will accidentally remove the authentic version of an extension and leave a fake one behind. It’s also possible for a legitimate extension to make it onto the Web Store, and then be sold to a different publisher who changes the code and introduces malware.

And, with broad permissions over your browser, malicious extensions can cause all kinds of harm. For example, malicious extensions have been found to secretly use the browser to click on pay-per-click ads, collect user data, intercept messages from Gmail, and—most recently—hijack Facebook accounts using a fake ChatGPT extension.

A guide to safely using browser extensions

Many extensions are safe and reputable, you just have to be careful when installing and using them. This guide covers the most important considerations when using extensions.

Check the source of an extension before you install

To validate the safety of any extension, start with a few quick checks:

• Is it made by a reputable source?
• Are you downloading from an “official” place like the Chrome Web Store?
• When you search for the extension, do you find look-alike or “clone” versions? Are you sure you’re installing the right one?
• Does the extension have lots of downloads and positive reviews? (Beware of a string of 5-star reviews, identical comments, or comments all published on the same date.)
• Are there third-party reviews (e.g. in tech blogs) that vouch for the extension?
• Does the extension have a privacy policy? Does that policy make sense?
• Check the extension’s permissions—what does the extension have permissions to in your browser, and why?

By installing an extension, you’ll likely be enabling it to access any personal data that passes through your browser. So it’s best to know it comes from a reputable source and it has some social proof or third-party vetting. The questions above will help you determine the extension’s safety.

Stick with extensions from official sources

The Chrome Web Store is a useful resource to search for new Chrome extensions. But note that you can use those extensions for any browser that relies on Chromium, the open-source language that underpins the Chrome browser.

For example, the Brave browser will work with any Chrome browser extension since they share the Chromium code. There are other places to find extensions, including downloading them directly from the publisher’s website, but if you’re running a Chromium-based browser, the Chrome Web Store should be the first place you look.

Don’t overload your browser with extensions

Every extension you install adds a security risk and a performance burden to your browser. If you’ve got 15 extensions installed—and running—you’ll likely see a slowdown in browsing and even device processing speeds. Everything will just move slower, or your computer’s fan might even turn on more.

Know what extensions you have installed

It’s best practice to monitor the extensions you’ve installed, and which are still actively running in your browser or on your device. Then if you hear about a risky extension or a possible data leak, you know to take action.

Delete unused extensions

Finally, you should delete any extension you’re not regularly using. If it’s not in daily or weekly use, it’s probably not worth keeping on your browser. When you look at your list of installed extensions, you might find more there than you thought. If you’re unsure how an extension got installed or where it came from, delete it.

Extension compatibility across browsers and devices

Depending on your device and browser type, you’ll have different extensions available, and different official resources to download from.

Firefox and Safari use fundamentally different source codes from Chrome and Brave (which both rely on the open-source Chromium codebase). This means that an extension for Firefox will require a separate version to work for Safari, or for Brave and Chrome. Both Brave and Chrome, however, are compatible with extensions found on the Chrome Web Store.

Extension compatibility on mobile devices

Mobile browsers generally offer three approaches to extensions:

• Some don’t allow extensions
• Some are only compatible with native extensions from the browser maker
• Some allow for third-party extensions

The desktop version of Chrome, for example, supports thousands of extensions, but the mobile version of Chrome supports none. Other mobile browsers like Opera offer only native extensions, which are built by the publisher and managed by the user. Safari on iOS enables users to download third-party extensions through Apple’s App Store.

The Brave browser: safe by default, safer for extensions

To use browser extensions safely, use them sparingly, and follow the best practices discussed in this article. But of course, the safest way to use extensions…is to not use them at all. Consider the purpose of the extension you’re looking at, and see if there’s a browser with that functionality out-of-the-box. For example, Brave has ad-blocking, a VPN, and even a crypto wallet, all built right into the browser. No extensions required.

And if you do need to use an extension, it’s best to do so in a private browser that doesn’t collect or store data about you. The more data that’s sitting in your browser, the more an extension might have access to.

The Brave browser is safer and more private by default, and safer for extensions (if and when you need them). Download Brave and try it today.