Browser Extensions Have More Power Than We Realize
Millions rely on browser extensions like The Great Suspender — it’s time for their security to match their popularity.
When someone unexpectedly asks me for my social security number, a little alarm bell goes off in my head. Why exactly do they need it? If they can’t give me a good enough reason, I don’t give out my info.
I bet you’re the same way — you carefully guard your personal information, knowing that if it falls into the wrong hands, you’re in for a world of hurt.
So why aren’t we more careful with our browser extensions?
If you add a browser extension and see this little line, does it set off the same alarm bell? It should.
What that means is exactly what it says: The extension has permission to see and change all your data on every website you visit.
Yes, that means credit card numbers, birth dates, bank account information, passwords, purchases — not to mention sensitive business data like CRM records.
That’s a lot of power and trust you’re giving to that extension with a single click.
What happens if that trust is violated?
Is it worth the risk?
To find out, let’s look at The Great Suspender. It was one of Google Chrome’s most popular extensions, boasting more than 2 million users. And all of those users recently found out they’d been duped — their personal data put at risk, tabs lost, and no one to answer for it.
Why did 2 million people have an extension that suddenly contained malware? And how can you make sure the same thing doesn’t happen to you?
Want to read this story later? Save it in Journal.
What happened to The Great Suspender?
On February 4, 2021, Google disabled The Great Suspender for its millions of users, citing malware in the extension. The announcement came as quite a shock, especially since it resulted in users’ tabs being closed automatically with no warning. Twitter, GitHub, and a sizable chunk of the internet blew up as people desperately tried to restore their lost work.
While the loss of users’ tabs was unexpected, The Great Suspender had been under suspicion for months. After the original creator sold it to an unnamed party last year, some questionable code additions were made by the new owners.
The user community raised red flags, but even with their sleuthing, it was unclear exactly what data the new owners were collecting or what they planned to do with it. Since no one could prove it was malware, most users remained unaware. That is, until Google made the call and everyone’s tabs went up in digital smoke.
This isn’t the first time a popular browser extension has been sold to a shady new owner and transformed into something malicious. Browser extensions with access to lots of personal data, such as your browser history or the content of every page you visit, are a natural target for bad actors looking to harvest and exploit it.
So, do we just remove all of our extensions and go back to using the internet like we did in 2006? Back then, we thought IE7 was cutting edge for having tabs at all.
Or do we let any interested party have at our personal data, accepting that data mining is the price of admission on the internet?
Thankfully, those are not our only options.
Extension developers can lead the way
The tides are beginning to turn in the right direction when it comes to the extension market. Better controls have been introduced by browser vendors. For example, extensions are now required to publicly display their privacy practices in the Chrome Web Store, as well as comply with stricter requirements for how they handle user data.
But if you’re not careful, you can still get burned. Consider this: When you type your social security number into a site like TurboTax later this year, if you have an extension with permission to view the content of your page, that extension can also see your SSN.
Next time you go to install an extension, pay attention to the permission warning the browser provides. Look for signs of potential data access overreach (like the permission to “read and change all your data on the websites you visit”), and take a minute to decide if it’s worth it.
Extension developers should also do things differently by only requesting access to what’s actually necessary. As bad actors get more sophisticated in their methods, we have to clearly distinguish ourselves as the good guys.
Let me give you an example.
My company Workona believes the out-of-the-box browser experience is outdated. Many of us work all day in the browser, but it wasn’t built for work. Workona’s extensions supercharge the browser with new powers — not just suspending tabs, but organizing, saving, and sharing them.
But unlike The Great Suspender, Workona’s extensions don’t request access to the content of the page. Which means we can’t see any of the information on the pages you visit and can’t run code on those pages, either.
What you might not realize is that most tab-related extensions request this all-encompassing level of permission, not just The Great Suspender. Go ahead, check.
As CTO at Workona, it’s been a challenge for me personally to work within the restrictions we’ve placed on ourselves. Expanded permissions could make some features easier to develop or simply nicer to use. But we’re not willing to compromise on privacy or security, so we find novel ways to make it work. We hold ourselves to a higher standard because it’s the right thing to do.
Your work in the browser deserves better
If you work in the browser, you know that tabs are where work happens.
That’s why The Great Suspender had 2 million users. It offered modern workers a way to keep zillions of tabs open without getting slowed down. All they had to do was click a button and value was instantly delivered. It was simple and brilliant — but ultimately not secure.
When we launched Workona, my co-founder Quinn Morgan explained that work has steadily shifted to the cloud in the last decade. In the past few years, that shift has only accelerated.
We believe it’s possible to leverage the power of browser extensions while maintaining user privacy. While Workona’s tab manager extension includes tab suspension, many of our users have requested a standalone tab suspender. So we’re offering a forever free alternative to The Great Suspender. It’s secure and requires no commitment. You can start using it today and stop using it whenever you want, without fear of losing any of your suspended tabs (plus, it will also repair any broken Great Suspender tabs it finds).
We can all ask more of our extensions. Demand trustworthiness as the default, not the exception.
There’s nothing wrong with indie developers or open source extensions. But as an extension gets bigger, it’s worth asking if it’s supported by a sustainable business model, so no one’s tempted to sell your personal data to pay the bills. Be wary of unknown extension owners who hide in the shadows. Better yet, look for companies backed by credible investors, with employees who are proud of what they do.
As work continues to move to the cloud, millions more will come to rely on browser extensions. It’s time to invest in their quality and security so we can all work with confidence.