
Sunday, May 17, 2026

Browser Extensions

 

We rely on browser extensions for convenience, but most people have no idea how much access they grant. This blog post highlights why that kind of blind trust can be dangerous.

Problem:
Browser extensions are extremely powerful because they run inside your active web sessions. When you grant an extension permission to read or change data on the sites you visit, you are giving it access to your digital life. That convenient ad blocker or productivity tool you have installed can do serious damage including reading your passwords. Most extensions people install require broad access to function, especially ad blockers. Extension stores like the Chrome Web Store do scan for spyware, but malicious plugins still slip through. Many of us practice good cyber hygiene with strong passwords, 2FA, and password managers, but when it comes to browser extensions, people often overlook the risk and trust the developer or the store without thinking. The real danger is that extensions operate natively inside the browser, so their actions look completely legitimate to security tools.
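To see which of your installed extensions hold the broad access described above, you can audit their manifest.json files. The script below is an added example, not code from the original post or from the demo extension. The sample manifests are constructed, `SENSITIVE_APIS` is an illustrative subset, and the directory passed to `audit_profile` is assumed to be a Chrome profile's Extensions folder.

```python
import json
from pathlib import Path

# Match patterns that give an extension access to every site you visit.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing data (an illustrative subset, not exhaustive).
SENSITIVE_APIS = {"webRequest", "cookies", "tabs", "history", "scripting",
                  "debugger", "clipboardRead", "nativeMessaging"}

def audit_manifest(manifest):
    """Summarise how much site access one manifest.json (MV2 or MV3) requests."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    # Content scripts are injected into every page matching these patterns.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(hosts & BROAD)
    return {
        "name": manifest.get("name", "?"),  # may be a "__MSG_...__" locale key
        "all_sites": bool(broad),
        "broad_patterns": broad,
        "sensitive_apis": sorted(set(perms) & SENSITIVE_APIS),
    }

def audit_profile(extensions_dir):
    """Audit every installed extension under <profile>/Extensions/<id>/<version>/."""
    paths = sorted(Path(extensions_dir).glob("*/*/manifest.json"))
    return [audit_manifest(json.loads(p.read_text(encoding="utf-8-sig"))) for p in paths]

# Constructed sample manifests (not real extensions).
SAMPLES = [
    {"manifest_version": 3, "name": "Constructed Ad Blocker",
     "permissions": ["storage", "webRequest", "tabs"],
     "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]},
    {"manifest_version": 2, "name": "Constructed Legacy Helper",
     "permissions": ["cookies", "*://*/*"]},
    {"manifest_version": 3, "name": "Constructed Single-Site Tool",
     "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
]

if __name__ == "__main__":
    for report in map(audit_manifest, SAMPLES):
        flag = "ALL SITES" if report["all_sites"] else "limited"
        print(f'{report["name"]}: {flag} {report["broad_patterns"]} {report["sensitive_apis"]}')
```

Any extension reported as ALL SITES is a candidate for removal or for moving your sensitive browsing to an extension-free browser.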

Solution:
If you install browser extensions, and most people do, ask yourself whether you truly need them and whether the risk to your online data is worth it. If you cannot live without an ad-blocker extension, which is true for almost all users, consider using DNS‑level ad blocking with something like Pi‑hole instead of a browser extension. DNS‑based blocking works across all devices on your network rather than on each device or browser separately. A much safer approach is to keep a separate browser with zero extensions installed for sensitive tasks like banking or email. I follow this myself in addition to using Pi‑hole for network‑wide ad blocking.

Working demonstration:
To show how dangerous extensions can be, I wrote a working browser extension (link below) that you can install. If you are curious, try it and see the level of access a browser extension actually has.

Extension Telemetry Demo

The screenshot below is from this extension running in my Chrome browser, showing what it captured, including the username and password I typed while browsing a website. You will notice it also captures live network data, form fill data, and more.



FAQ:
Here are some FAQs on this topic. If you have a question that is not covered in this list, feel free to post a comment and I will try to answer it.

Q. Every website uses HTTPS these days, which is fully end-to-end encrypted. That means I am safe from browser extensions reading my data, right?
A. No. A browser extension sees your data before it is encrypted. It reads everything in plain text long before HTTPS comes into action.

Q. I always use a VPN. That means extensions cannot read my data, right?
A. No. Same answer as before. Extensions see everything in plain text before the VPN comes into action. Speaking of VPNs, many misunderstand what a VPN is and assume it is a security solution. It is not. Read my VPN blog here https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html to learn more.

Q. If I only install extensions with good reviews, that means they are safe, right?
A. No. Malicious extensions often start clean to build trust, then update themselves later with harmful code once they have a large user base.

Q. If an extension is open source, that means it is safe, right?
A. Not necessarily. Most people never review the source code, and even if they do, the published code may not match the code that was actually packaged and uploaded to the store.

Q. If I install an extension from a well‑known company, I should be safe, right?
A. Usually safer but not guaranteed. Large companies have had compromised developer accounts and supply‑chain attacks. Trust helps, but it is not absolute protection.

Q. If I disable an extension on certain websites, it cannot read anything from those sites, right?
A. Not always. Some extensions request broad permissions that allow them to run everywhere, even if you manually toggle them off on specific sites.

Q. If I use private browsing or incognito mode, extensions cannot access my data, right?
A. Not exactly, because you can still grant them access. If you enable an extension in incognito mode, it has the same visibility as in normal browsing.

Q. If I uninstall a suspicious extension, I am safe again, right?
A. It stops future access, of course. However, a malicious extension could have already captured data or exfiltrated information before you removed it.



Stay Informed and Safe Online
If you enjoyed this blog, you'll find many more cybersecurity-related microblogs at the link below. They offer valuable insights to help you stay informed and safe online. Explore them at https://blog.selvansoft.com

Sunday, June 22, 2025

Pwned Perspective: Understanding email/password leaks without the panic


Lately, there’s been a wave of panic on social media about email and password leaks. This blog aims to highlight why it’s not the end of the world, how common these incidents are, and how understanding the facts can help you not only stay safer online but also avoid unnecessary panic. As the title suggests, this blog focuses solely on leaked login credentials (i.e., usernames, emails, & passwords) and does not cover data breaches involving PII (SSN, DOB, DL, name/address etc). If you’re affected by that kind of breach, freeze your credit file immediately by following this link.

Chances are, your email and passwords have been exposed in one of numerous past breaches; it's an established reality, not an assumption. Services like Have I Been Pwned (HIBP) collect this leaked data so you can check whether your credentials have surfaced on the dark web. 

But don’t panic. Most people don't know that a pwned password is not your actual password in plain text, but a hashed version. Although there have been a few rare incidents where passwords were leaked in plain text, that’s uncommon, so you can assume pretty much all breached passwords are hashed and require cracking to become usable. If your password is long, strong, and includes special characters, numbers, etc., it becomes impractical and nearly impossible to crack without powerful computing resources, and it may take days, weeks, or even months or years to crack depending on the complexity of the password. Hackers don’t have that kind of time and skip these in favor of easier, crackable passwords. Also, if the affected account has two-factor authentication (2FA) enabled, your exposure is minimal. Still, treat it as a heads-up.

In summary, if your passwords are strong and unique and you had 2FA enabled, you can safely assume you are fine. In any case, make sure you do the following:
  • Change your passwords immediately, especially if reused
  • Enable 2FA wherever possible, preferably using an authenticator app that generates OTP instead of SMS-based verification
  • Always use strong and unique passwords or preferably use passphrases
It’s not about fear; it’s about stacking the odds in your favor. Hackers aren’t chasing hard battles; they want quick wins. Don’t be the easy one!



Thursday, January 9, 2025

Online Safety Tips









This blog is intended for both general and technical audiences. While the tips outlined below are basic things everyone should already be aware of, following as many of them as possible will significantly reduce your risk of becoming an online victim. First, using common sense is your primary line of defense in staying safe online. Trust your instincts, be cautious of unfamiliar websites or emails, and think twice before sharing personal information on social media. Common sense can go a long way in protecting you online. In addition to using common sense, adhere to the following guidelines to enhance your online safety.

  • Passwords: Use long and complex passwords and change them regularly. If the website allows passphrases, use those instead of passwords with special characters that are hard to remember. For example, a passphrase like "Jade Owl Loop Zinc Moon" is easy to remember but much harder to crack. Without going into detail, the main reason passphrases are more resistant is their length and entropy (the measure of unpredictability). The sheer number of possible word combinations dramatically increases entropy, making them extremely difficult to crack. You can also opt in to passkeys when offered, but don’t be fooled into thinking passkeys will solve all your password problems; they won’t. Read this blog (https://blog.selvansoft.com/2025/01/passkey-practical-or-premature.html), which explains why.
  • Multi-Factor Authentication (MFA): Wherever possible, use more than just a password to secure your accounts, commonly referred to as two-factor authentication (2FA). Most websites provide multiple options for MFA these days. Always choose an OTP authenticator or hardware key-based authenticator if those options are offered and avoid SMS-based 2FA at all costs.
  • Account Recovery: It is very important to set up account recovery for your Gmail, Apple, and Microsoft accounts. Make sure account recovery is set up with recovery codes, your phone, and most importantly, a different email that you never use for anything else but account recovery.
  • Web browsing: Always ensure the website you visit uses the HTTPS protocol, especially when entering sensitive information. While all modern browsers enforce this and provide warnings, be attentive to these warnings and refrain from using any website that does not use HTTPS protocol or, worse, provides a mismatched SSL certificate, which is a red flag for a phishing attempt.
  • Online Banking: Before logging in to your banking website for financial transactions or to review your bank statement, close all tabs in your browser. If you are particularly cautious, temporarily disable any browser plugins you may have installed, which you can turn back on later. When you are logged in to your banking website, do not do anything else, such as performing a Google search, browsing Facebook, Instagram, or any other sites. Specifically, avoid reading emails or, worse, clicking on a link your buddy sent you to "check it out." Once you are done with your online banking, make sure to log off. Many secure banking websites these days do protect you by logging you off automatically. However, don’t rely on them because there are still some online banking websites that don’t properly log you out in a reasonable time or, worse, don't do anything.
  • Public Wi-Fi: When using public Wi-Fi, avoid logging into sensitive accounts or performing financial transactions. It is safer to wait until you are connected to a trusted network. This also applies to smartphones even if they are not on public Wi-Fi, because cellular data networks are shared by thousands of devices on the same carrier network, which can increase exposure to risk.
  • Enable Firewall: Ensure your device's firewall is enabled. Most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private.
  • DNS: Don’t use the default DNS servers provided by your ISP (Internet Service Provider). Instead, use any of the following DNS servers: 1.1.1.1, 8.8.8.8, or 9.9.9.9. You can follow this link (https://www.tomsguide.com/us/cloudflare-dns-1.1.1.1-set-up,news-26964.html) that walks you through how to change DNS on various devices.
  • Antivirus and Anti-malware Software: Keep them updated to protect your device from threats.
  • Phishing Scams: Be skeptical of emails or messages with links or attachments that urge immediate action or ask for personal information. If it sounds too good to be true or creates a sense of urgency, it's likely a scam.
  • Links: Avoid clicking on random links, regardless of who sent them to you. However, there may be legitimate reasons to click a link; for example, confirming your email for a new account signup or completing authentication for a website, etc. In such circumstances, right-click the link and select "Open Link in Incognito Window" (if you are using the Chrome browser) or use a similar feature available in your preferred browser if it is not Chrome.
  • Installing Software: Only download and install software from reputable sources. Avoid pirated software and gaming cheat codes, as they almost always contain malware and viruses.
  • Software Update: Regularly update your operating system, browsers, antivirus definitions and apps to protect against security vulnerabilities. 
  • App Permissions: Check the permissions granted to apps and revoke any that are unnecessary.
  • Personal Information Sharing: Be mindful of what personal information you share online. Don’t overshare on social media and be wary of websites or services asking for more information than necessary.
  • Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions.
  • Credit Freeze: Add a credit freeze to all major credit bureaus. There is no need for your credit report to be in an "unlocked" status unless you are applying for a loan, bank account, credit card, etc., which you don’t do every day. So, why does it need to be in an "unlocked" status? When you need it, you can unlock your credit report, get your business done, and lock it back. Follow this blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) that walks you through the credit freeze process.
  • Backup: Regularly back up your data to an external hard drive or a cloud service.
  • Educate Yourself: Stay informed about the latest cybersecurity threats and how to protect yourself. There are a lot of useful cybersecurity FAQs documented in this blog (https://blog.selvansoft.com/2024/09/cybersecurity-faq.html).
  • Trust Your Gut: If something feels off or too good to be true, it probably is. Your intuition can be a powerful tool in staying safe online. 

