Chat with us, powered by LiveChat

Can Malicious Browser Extensions See Your Bank Info?

Internet Freedom
Print Friendly, PDF & Email

EDITOR NOTE: It’s true that digital browser extensions--add-on software to customize your browser--can make life much easier. They’re designed to help your online experience become more efficient and easier. They can also spy on everything you do on your computer, and a few that are malicious can read everything you type, and they can view and even record every site you visit. This includes your online banking. The money you hold in your accounts is viewable. Your account numbers are also visible. And your passwords are also viewable and recordable. Digital banking is much less private and much more vulnerable than you think. You don’t know who’s on the other end of the screen viewing or collecting your information, whether it’s a hacker, a foreign entity, a corporation, or the government. Digital assets or accounts are not safe havens. The safest assets are in “cold storage.” And besides cash, the only other physical assets that can be protected from malicious onlookers and data thefts are non-CUSIP gold and silver, stored away in a private depository.

Whenever you sign in to your bank account, your browser extensions watch. They can see your account balances, your transactions, and your online banking password. They see everything in your browser: passwords, credit card numbers, private messages, and the websites you visit.

Extensions Have Access to Everything in Your Web Browser

Have you ever paid attention to the message you see when installing a browser extension in Chrome, for example? For most browser extensions, you’ll see a message stating that the add-on can “Read and change all your data on the websites you visit.”

This means that the browser extension has full access to all the web pages you visit. It can see which web pages you’re browsing, read their contents, and watch everything you type. It could even modify the web pages—for example, by inserting extra advertisements. If the extension is malicious, it could gather all that private data of yours—from web browsing activity and the emails you type to your passwords and financial information—and send it to a remote server on the internet.

So, when you sign in to your online banking account, your browser extensions are right there with you. They can see your password as you log in and view everything you can see on your online banking account. They could even modify the online banking page before you view it.

There’s a Permission System, but Most Extensions Get Everything

We’re oversimplifying things here, but just a little bit: Not every extension can see your online banking account. There is a permission system for browser extensions in modern web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. Some browser extensions use much fewer permissions.

For example, they may only run when you click the browser extension’s button, which means that they can’t actually watch anything on a web page until you click that button. They may only run on specific websites—for example, a browser extension that affects Gmail might only run on Google’s website and not on other websites.

However, the vast majority of browser extensions that most people use have permission to run on every website the browser loads.

In Google Chrome and Microsoft Edge, you can control an extension’s “site access” permissions and choose whether it runs automatically on all websites you open, only when you click it, or just on specific websites you list.

Right-clicking an extension toolbar icon in Chrome to change its site access.

Is It a Real Risk?

What we’re saying here is that most (or all) of the browser extensions you use can see your bank account information, just as they can see everything else that you do on the web.

If a browser extension is totally trustworthy and reliable, that’s fine. The browser extension can behave responsibly and not capture any data or interfere with your banking information.

If a browser extension isn’t trustworthy and wants to abuse this access—well, it can.

This isn’t just a theoretical problem. It has happened many times before. Even if all your extensions are fine right now, we have long discussed the danger: A safe extension could transform into malware overnight. A developer might sell the extension to another company, and that company might add tracking code, keyloggers, or anything else. This sort of thing is big business. An extension could display more ads in the web pages you load and track you to better target ads, or criminals could capture your passwords, personal information, and credit card numbers.

Your browser will automatically install the update and the new, malicious version of the extension will get to work. Hopefully, your browser’s developer will notice the problem and disable the extension—for example, Google might remove it from the Chrome Web Store—but this can take some time.

And yes, some extensions have been caught capturing banking data.

Only Install Extensions from Developers You Trust

We’re not telling you you need to uninstall every single browser extension you have. Instead, just realize the immense access you’re giving to the browser extensions you install, and act accordingly.

If you trust an extension’s developer, then by all means, install that extension. For example, if you use a password manager and already trust that organization with your passwords, feel free to install your password manager’s browser extension. (If you don’t trust that organization to install a browser extension, you definitely shouldn’t trust it to manage your passwords!)

On the other hand, if you want a nifty feature and you find an extension that offers it, but you’ve never heard of the developer and aren’t sure how much you should trust them—consider skipping the browser extension.

You might also want to limit the access that the extension has. For example, you could install an extension and configure it to only run on specific websites in Chrome or Edge, or you could use a separate browser that doesn’t have any potentially dangerous extensions installed to do your online banking.

But think about it: If you don’t trust the extension, maybe you shouldn’t be running it in the first place.

Ultimately, browser extensions have access to everything you do in your web browser. When you’re thinking about installing a browser extension, ask yourself this question: Would you install a Windows desktop application from the creator of the browser extension and let it run in the background on your computer? If not, consider skipping the browser extension, too.

Extensions may look like small programs, but they’re more powerful than they might seem. A mobile app on iPhone or Android can’t see everything you do on your phone, but a typical browser extension can see everything you do in your web browser.

Originally posted on How-To Geek

Bank Failure Scenario Kit - sm2



  • This field is for validation purposes and should be left unchanged.

All articles are provided as a third party analysis and do not necessarily reflect the explicit views of GSI Exchange and should not be construed as financial advice.

Precious Metals and Currency Data Powered by nFusion Solutions