New research from Georgia Tech reveals alarming privacy risks posed by thousands of browser extensions. These popular software add-ons, designed to enhance the web browsing experience, are found to be collecting sensitive user information from webpages, putting millions of internet users at risk.
Led by Frank Li, an assistant professor in the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering, and doctoral student Qinge Xie, the research team developed a groundbreaking system to monitor data collection practices by browser extensions.
“We know from prior research that browser extensions collect users’ browser activity and history, but some of the most sensitive user data is located within webpages, such as emails, social media profiles, medical records, banking information and more,” said Li in a news release. “We wanted to know if extensions are also collecting personal data from these webpages.”
Their study, presented at the Usenix Security Symposium, a top-tier cybersecurity conference, in August, found that over 3,000 browser extensions automatically extract user-specific data. This includes sensitive information from sites like Amazon, Facebook, Gmail, Instagram, LinkedIn, Outlook and PayPal. More than 200 of these extensions directly uploaded such data to external servers.
These findings indicate a pervasive issue within the ecosystem of browser extensions. Although some extensions collect data for legitimate functionality, identifying the real intent behind such data collection remains challenging.
The researchers highlighted that none of the sampled extensions clearly disclosed their data collection practices in their privacy policies or web store descriptions.
“Unfortunately, the same capabilities that extensions rely on to enrich the web browsing experience can also be abused to harm user privacy and potentially without users’ knowledge or explicit consent,” Xie said in the news release.
The implications of this study are significant for tech companies, suggesting the need for more stringent privacy policy enforcement and user data protection measures. Major companies like Google could lead by example.
“I don’t believe individual users should have to bear the burden of worrying about their privacy or protecting their data, because they may not have the capability or technical knowledge to figure out what’s happening,” Li added. “The goal of this type of work is to bring these issues to the organizations or stakeholders that can influence data collection, in hopes that it can guide them in enhancing user privacy.”
The potential for privacy improvements in browser extensions underscores the importance of continued scrutiny and regulation to safeguard users’ personal information.