WEBVTT

00:00:00.000 --> 00:00:05.040
One of the most useful things about modern web browsers is their support for extensions,

00:00:05.040 --> 00:00:12.880
whether it's automatically finding coupon codes, it's not coupon, it's coupon, cleaning up your experience on social media,

00:00:12.880 --> 00:00:17.040
automatically filling in passwords, or blocking ads and cutting into our revenue.

00:00:17.840 --> 00:00:22.400
There's a ton of extensions out there that can make your life a little bit better.

00:00:22.400 --> 00:00:26.480
But with so many extensions floating around and trying to get you to install them,

00:00:26.560 --> 00:00:32.080
security is a legitimate concern, especially since many extensions aren't exactly from

00:00:32.080 --> 00:00:36.560
big-name developers that you would immediately recognize and know whether or not to trust.

00:00:37.280 --> 00:00:42.720
So to address this, Google uses security vetting for extensions with both manual human review

00:00:42.720 --> 00:00:48.240
and automated methods based on algorithms, similar to how smartphone apps from the Play Store have

00:00:48.240 --> 00:00:54.640
to be approved before they're available for public download. But with over 180,000 extensions

00:00:54.640 --> 00:01:01.040
currently available through the Chrome Web Store, certain poorly and maliciously coded extensions

00:01:01.040 --> 00:01:06.720
slip through the vetting process from time to time. Again, LOL, just like the apps.

00:01:06.720 --> 00:01:10.320
Attackers who want to use extensions to steal information know this,

00:01:10.320 --> 00:01:15.600
and in fact, back in 2018, Google announced that it was going to beef up its review practices

00:01:15.600 --> 00:01:21.120
after it was found that one in ten submissions to the Web Store contained malicious code.

00:01:21.120 --> 00:01:27.040
The idea was that Google would make its approval process more stringent by cracking down on obfuscated

00:01:27.040 --> 00:01:31.680
code. In other words, when developers made the code deliberately hard to understand,

00:01:31.680 --> 00:01:37.520
possibly to hide some sort of seedy functionality. Google also reined in how many permissions

00:01:37.520 --> 00:01:42.320
extensions were granted by default in an attempt to prevent them from reading or modifying user

00:01:42.320 --> 00:01:49.840
information in a surreptitious manner. However, the Web Store still has problems. In June 2020,

00:01:49.840 --> 00:01:54.720
it came out that one particular form of spyware that hid in browser extensions had been downloaded

00:01:54.720 --> 00:02:00.560
nearly 33 million times. That's almost one download for every person here in Canada.

00:02:01.200 --> 00:02:07.200
These extensions secretly contained keyloggers and other code that harvested login credentials,

00:02:07.200 --> 00:02:12.960
as well as information copied to the Windows clipboard. And ironically, many of these extensions

00:02:12.960 --> 00:02:16.800
claimed to give users a heads up when they were visiting risky websites.

00:02:17.520 --> 00:02:22.720
Others masqueraded as file converters, and it can indeed be tricky to convert from one file

00:02:22.720 --> 00:02:27.840
format to another, so it's easy to understand the appeal. So what can you do to protect yourself

00:02:27.840 --> 00:02:34.160
when you're hunting for a useful extension? Number one is to keep in mind that most of those 180,000

00:02:34.160 --> 00:02:41.040
plus extensions have very small user bases. In fact, over 85% of extensions have fewer than

00:02:41.120 --> 00:02:48.080
1000 installs worldwide. And it's far more likely that compromised extensions will be part of this

00:02:48.080 --> 00:02:53.200
mass with very small user bases to pick through them and monitor them and figure out if there's

00:02:53.200 --> 00:02:58.000
something wrong. So if you're trying to pick between several extensions that all appear to offer

00:02:58.000 --> 00:03:03.040
very similar functionality, it's not a bad idea to stick with the ones that have lots of positive

00:03:03.040 --> 00:03:09.440
reviews as a quick way to avoid problems. Another sound strategy is to limit your exposure by asking

00:03:09.520 --> 00:03:14.400
yourself whether you really need a particular extension in the first place. Like don't get me

00:03:14.400 --> 00:03:20.560
wrong, some extensions that manage your tabs or give added functionality to specific websites

00:03:20.560 --> 00:03:26.880
are extremely useful and can't really be replicated. But if you just want to be served inspiring quotes

00:03:26.880 --> 00:03:32.880
or get reminders or convert files like we mentioned before, those are things that can all be

00:03:32.880 --> 00:03:37.840
accomplished through just browsing the web or using a program that you can download to your

00:03:37.840 --> 00:03:42.400
computer. Again, please make sure you find a reputable one. Additionally, be sure to have a good

00:03:42.400 --> 00:03:47.680
hard look at the extension's page before you download it. Extensions that are really just vehicles

00:03:47.680 --> 00:03:52.080
for malware can often have clunky-looking interfaces and poorly written descriptions

00:03:52.080 --> 00:03:57.520
riddled with grammatical errors, similar to what you might see in a spam email or on a phishing page.

00:03:57.520 --> 00:04:02.160
Now, of course, we expect Google to improve its vetting procedures, especially because it's kind

00:04:02.160 --> 00:04:06.000
of a bummer that we're going to lose some of those diamonds in the rough if we say,

00:04:06.000 --> 00:04:12.000
hey, just make sure you only install mainstream extensions. But sometimes in life, you've just

00:04:12.000 --> 00:04:16.800
got to put your own safety first, lest you end up like that poor fellow who lost over 100 grand

00:04:16.800 --> 00:04:22.320
worth of Bitcoin thanks to a shady crypto client extension. Maybe I should just go back to stuffing

00:04:22.320 --> 00:04:28.160
all my cash into my mattress. It's very comfortable. Thanks for watching, guys. Like, dislike,

00:04:28.160 --> 00:04:32.160
check out our other videos, or leave a comment if you have a video suggestion for something you'd

00:04:32.160 --> 00:04:36.480
like to see here on TechWiki. If you haven't already subscribed, make sure you do that,

00:04:36.480 --> 00:04:39.280
because otherwise ants are going to bite you.
