Showing posts with label SecurityFirst. Show all posts

Sunday, May 17, 2026

Browser Extensions

 

We rely on browser extensions for convenience, but most people have no idea how much access they grant. This blog post highlights why that kind of blind trust can be dangerous.

Problem:
Browser extensions are extremely powerful because they run inside your active web sessions. When you grant an extension permission to read or change data on the sites you visit, you are giving it access to your digital life. That convenient ad blocker or productivity tool you have installed can do serious damage including reading your passwords. Most extensions people install require broad access to function, especially ad blockers. Extension stores like the Chrome Web Store do scan for spyware, but malicious plugins still slip through. Many of us practice good cyber hygiene with strong passwords, 2FA, and password managers, but when it comes to browser extensions, people often overlook the risk and trust the developer or the store without thinking. The real danger is that extensions operate natively inside the browser, so their actions look completely legitimate to security tools.

Solution:
If you install browser extensions, and most people do, ask yourself whether you truly need them and whether the risk to your online data is worth it. If you cannot live without an ad-blocker extension, which is true for almost all users, consider using DNS‑level ad blocking with something like Pi‑hole instead of a browser extension. DNS‑based blocking works across all devices on your network rather than on each device or browser separately. A much safer approach is to keep a separate browser with zero extensions installed for sensitive tasks like banking or email. I follow this myself in addition to using Pi‑hole for network‑wide ad blocking.

Working demonstration:
To show how dangerous extensions can be, I wrote a working browser extension (link below) that you can install. If you are curious, try it and see the level of access a browser extension actually has.

Extension Telemetry Demo

The screenshot below is from this extension running in my Chrome browser, showing what it captured, including the username and password I typed while browsing a website. You will notice it also captures live network data, form fill data, and more.



FAQ:
Here are some FAQs on this topic. If you have a question that is not covered in this list, feel free to post a comment and I will try to answer it.

Q. Every website uses HTTPS these days, which is fully end-to-end encrypted. That means I am safe from browser extensions reading my data, right?
A. No. A browser extension sees your data before it is encrypted. It reads everything in plain text long before HTTPS comes into action.

Q. I always use a VPN. That means extensions cannot read my data, right?
A. No. Same answer as before. Extensions see everything in plain text before the VPN comes into action. Speaking of VPNs, many misunderstand what a VPN is and assume it is a security solution. It is not. Read my VPN blog here https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html to learn more.

Q. If I only install extensions with good reviews, that means they are safe, right?
A. No. Malicious extensions often start clean to build trust, then update themselves later with harmful code once they have a large user base.

Q. If an extension is open source, that means it is safe, right?
A. Not necessarily. Most people never review the source code, and even if they do, the published code may not match the code that was actually packaged and uploaded to the store.

Q. If I install an extension from a well‑known company, I should be safe, right?
A. Usually safer but not guaranteed. Large companies have had compromised developer accounts and supply‑chain attacks. Trust helps, but it is not absolute protection.

Q. If I disable an extension on certain websites, it cannot read anything from those sites, right?
A. Not always. Some extensions request broad permissions that allow them to run everywhere, even if you manually toggle them off on specific sites.

Q. If I use private browsing or incognito mode, extensions cannot access my data, right?
A. Not exactly, but you can still grant them access. If you enable an extension in incognito mode, it has the same visibility as in normal browsing.

Q. If I uninstall a suspicious extension, I am safe again, right?
A. It stops future access of course. However, a malicious extension could have already captured data or exfiltrated information before you removed it.
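The broad access described under Problem, and the FAQ answer about extensions that start clean and turn harmful in a later update, can both be checked from an extension's `manifest.json`. The following is an added example, not part of the original post or its demo extension: it summarizes where a manifest lets the extension run and which sensitive Chrome API permissions it requests, then reports what a newer version gained. Both manifests are constructed samples, and the function names are illustrative.

```python
import json

# Match patterns that let an extension run on every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that expose browsing data or traffic.
SENSITIVE_APIS = {"cookies", "webRequest", "history", "tabs", "scripting",
                  "clipboardRead", "debugger", "nativeMessaging", "proxy"}

def is_host_pattern(entry):
    """Match patterns contain a scheme separator or are the <all_urls> keyword."""
    return entry == "<all_urls>" or "://" in entry

def summarize(manifest):
    """Collect where the extension may run and which sensitive APIs it holds."""
    declared = list(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))       # Manifest V3
    hosts |= {p for p in declared if is_host_pattern(p)}    # Manifest V2 style
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    apis = {p for p in declared if not is_host_pattern(p)}
    return {
        "hosts": hosts,
        "all_sites": bool(hosts & BROAD_HOSTS),
        "sensitive_apis": apis & SENSITIVE_APIS,
    }

def escalation(old_manifest, new_manifest):
    """Report what an update gained compared with the previous version."""
    old, new = summarize(old_manifest), summarize(new_manifest)
    return {
        "new_hosts": sorted(new["hosts"] - old["hosts"]),
        "new_sensitive_apis": sorted(new["sensitive_apis"] - old["sensitive_apis"]),
        "became_all_sites": new["all_sites"] and not old["all_sites"],
    }

# Constructed sample manifests (not taken from any real extension).
V1 = json.loads('{"manifest_version": 3, "name": "Sample Notes", "version": "1.0",'
                ' "permissions": ["storage"],'
                ' "host_permissions": ["https://notes.example.com/*"]}')
V2 = json.loads('{"manifest_version": 3, "name": "Sample Notes", "version": "1.1",'
                ' "permissions": ["storage", "cookies", "webRequest"],'
                ' "host_permissions": ["<all_urls>"],'
                ' "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}')

if __name__ == "__main__":
    print(summarize(V1))
    print(escalation(V1, V2))
```

To audit real extensions, load each installed extension's `manifest.json` with `json.load` and pass the result to `summarize`. Optional permissions requested at runtime are not covered by this check.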



Stay Informed and Safe Online
If you enjoyed this blog, you'll find many more cybersecurity-related microblogs at the link below. They offer valuable insights to help you stay informed and safe online. Explore them at https://blog.selvansoft.com

Sunday, October 19, 2025

Convenience vs. Security

Every time we make technology more convenient, we often chip away at its security. In modern digital ecosystems, convenience is frequently prioritized over security, especially in consumer-facing tools. This blog focuses on one such tool, the password manager, which enhances convenience but often does so at the expense of overall security.

Problem: While password managers promise frictionless access, they also introduce systemic risks that are frequently underestimated. It is a fact that they offer convenience features like auto-generating strong and unique passwords, centralized storage, auto-fill and auto-login, and cross-device sync. While these features improve security hygiene, they also create a high-value target and a single point of failure. Most password managers rely on a master password or biometric unlock. If this is compromised via phishing, keylogging, or device-level malware, the attacker gains access to all stored credentials. Most password managers sync vaults across devices using cloud infrastructure. While encrypted, these vaults are still susceptible to credential stuffing attacks, cloud misconfigurations, API abuse, or token hijacking. Additionally, auto-fill features embedded in browsers can be exploited via malicious iframes, form injection, or XSS. Last but not least, if a device is compromised, such as a rooted Android, jailbroken iPhone, or malware-infected PC, the password manager’s vault may be decrypted locally or intercepted during use. There has been an increase in compromises involving popular password managers recently (see links at end), and it is only a matter of time before this becomes an everyday occurrence, much like the frequent data breaches we are all painfully aware of.

Solution: Security and convenience have an inverse relationship where increasing one decreases the other and vice versa, so how do you balance these? Here is a secure hardened approach and an alternative approach to leverage convenience without risking security. For the secure hardened approach, use a password manager (example: Dashlane) that supports hardware keys like YubiKeys instead of a master password for vault encryption, as they are resistant to remote compromise and phishing. Alternatively, segment your credential storage into two groups such as high-risk (i.e. financial and banking websites, key service providers like Google, Microsoft, and Apple), and low-risk (i.e. rest of the accounts). Store the high-risk credentials in offline encrypted containers like VeraCrypt or file-based encryption using tools like GPG or openssl and completely avoid cloud sync. For the low-risk category, use a good password manager for convenience. Personally, I use a combination of VeraCrypt and GPG-based Pass for my high-risk category. If you are an advanced user, I have several convenient wrapper scripts that I wrote for VeraCrypt and GPG or openssl, which I use frequently and that work on macOS, Linux, or WSL (Windows Subsystem for Linux). You can find them on my GitHub at the links below and are welcome to use them.

As a final thought, treat a password manager as a convenience tool, not a security guarantee.

Links to password manager compromise incidents:


