Beware of Browser Extensions

I rarely use browser extensions. The security and performance risks outweigh the benefits.

A few years ago, a friend installed a JSON pretty print extension. He started noticing strange links and eventually determined the extension was secretly tracking his web traffic.

More recently, the Avast Antivirus browser extension made headlines for selling user browsing history.

Chrome warns us of the risks when installing extensions. Perhaps years of software installation dialogs have trained us to quickly click through without fully reading and considering the risks.

[Screenshot: Avast Chrome extension installation]

Do you trust anyone with full read access to all of your website data? In the Avast case, anonymized data was being sold. Imagine a more criminal extension author who obtains credentials and account numbers from your financial sites. Even when you do trust the original extension author, there are many cases where they abandon the software or sell it to someone less trustworthy.
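To see which installed extensions already hold that level of access, here is an added example (not code from the original post): a Python script that flags manifests granting access to every site, through host permissions or through content scripts. It assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>/manifest.json`; the sample manifests are constructed.

```python
import json
import sys
from pathlib import Path

# Chrome match patterns that cover every site (exact matches only).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

# Constructed sample manifests (not real extensions).
SAMPLE_V2 = {"manifest_version": 2, "name": "Sample formatter",
             "permissions": ["tabs", "<all_urls>"]}
SAMPLE_V3 = {"manifest_version": 3, "name": "Sample bookmarks",
             "host_permissions": ["https://example.com/*"],
             "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]}


def broad_access(manifest):
    """Return {manifest key: [patterns]} for each all-sites grant."""
    found = {}
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    for key in HOST_KEYS:
        hits = [p for p in manifest.get(key, []) if isinstance(p, str) and p in BROAD]
        if hits:
            found[key] = hits
    # A content script is injected into every page its "matches" cover.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        hits = [m for m in script.get("matches", []) if m in BROAD]
        if hits:
            found[f"content_scripts[{i}]"] = hits
    return found


def audit(extensions_dir):
    """Scan <dir>/<extension id>/<version>/manifest.json for broad grants."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = broad_access(manifest)
        if hits:
            report[path.parent.parent.name] = (manifest.get("name", "?"), hits)
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    # Pass the profile's Extensions directory (location varies by OS and profile).
    for ext_id, (name, hits) in audit(sys.argv[1]).items():
        print(ext_id, name, hits)
```

An extension that shows up here can read and modify every page you load, so it deserves the same scrutiny as the install dialog asks for.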

Extensions can modify websites unexpectedly. A common abuse is ad injection, which browsers have pushed back against. Yet it keeps happening. As recently as February 14, 2020, another 500+ extensions were banned for uploading private browsing data, engaging in ad fraud, and serving malware.

Even trustworthy extensions slow down page load speed. Open your developer tools and you'll find that a simple bookmark manager can delay page load by 10-300+ milliseconds. This might not seem like a lot but it adds up and makes your browser experience feel more sluggish.

In the extreme case, the Skype extension had such poor performance that Firefox banned it. Skype must have been unbanned because years later I ran into this issue when comparing website performance across Chrome and Firefox. I was stumped as to why Firefox was seconds slower until I discovered that the Skype application had secretly installed a browser extension.


Hi, I'm Eddie Scholtz. These are my notes. You can reach me at eascholtz@gmail.com.