Why Do Chrome Plugins Need Access To ‘All My Data’ and ‘Browsing Activity’?

Ads by Google

chrome plugin privacyIf you’ve installed Chrome plugins, you’ve probably seen a warning that they can access your data on all websites, your tabs and browsing activity, or even all the data on your computer. This warning can be scary, especially if you’re installing a simple browser extension that looks harmless.

Chrome has a permissions system, just like Android does. Unfortunately, the way web browsers and web pages work means that extensions must ask for quite a few permissions to do simple things. Chrome’s permissions system is not particularly fine-grained.

Plugin Permissions

Unlike Mozilla Firefox and Internet Explorer, both of which allow extensions to do anything they want, Chrome uses a permission system for its extensions. All Chrome plugins must declare the permissions they need. When you install a plugin, you’ll see a list of the permissions it requires. This gives you some idea of what a plugin can do. For example, if an extension doesn’t require any permissions, it’s definitely safe to install. If an extension requires permission to access all the data on your computer, you should be sure the extension was created by someone you trust.

Very simple plugins, such as the Timer plugin, which displays a timer button on your browser toolbar and doesn’t interact with any websites, don’t need any permissions.

chrome plugin privacy

Other plugins need different types of permissions, depending on what they do.

Access Your Data On All Websites

Plugins that interact with web pages need to declare the permissions “Access your data on all websites.” Plugins that need to see the addresses and titles of the websites you visit must declare the permission “Access your tabs and browsing activity“.

For example, LastPass is a password manager that needs to detect what website you’re visiting, automatically fill forms with your saved passwords, and detect when you’ve entered a password and offer to save it. The LastPass Chrome extension must ask for all these permissions because it needs to view the websites you’re accessing and run JavaScript code on the pages you visit.

Ads by Google

better privacy plugin chrome

Other less-invasive extensions may also request these permissions. Any extension that works by running JavaScript code on the websites you visit must be able to “Access your data on all websites“. For example, the colorPicker plugin allows you to select a color used on the current website and view its exact color code. It functions by running JavaScript code on the current page, so it must be able to access all your data.

Google has no way of knowing whether an extension that manipulates the pages you visit is doing something innocuous, like picking a color, or doing something more dangerous, such as spying on your credit card number and payment information.

better privacy plugin chrome

Extensions that only work on a single website, such as an extension that adds additional features to Gmail, will only have the permission to access your data on that specific website. Extensions like LastPass and colorPicker must run everywhere and need more permissions.

better privacy plugin chrome

Access All Data On Your Computer

Some Chrome plugins aren’t just Chrome extensions. They include NPAPI plugins. NPAPI plugins are essentially just programs that run on your computer. Browser plugins like Adobe Flash, Oracle Java, and Adobe’s PDF reader are all NPAPI plug-ins.

When a Chrome extension contains an NPAPI plugin, it has the permission to “Access all data on your computer and the websites you visit.” The NPAPI plugin runs just like a program on your computer with access to your everything on your system. You should be careful about installing Chrome plugins with this permission – it’s just like installing a program on your computer.

For example, LastPass has a special version of its Chrome plugin available from its website. This plugin has the ability to share your LastPass login state with other web browsers running on your computer. It works by using an NPAPI plugin that runs as a program on your computer.

chrome personal data

Plugins In Other Browsers

While Chrome’s permission warning messages can seem a bit scary to some users, it’s important to consider that the situation is worse with other web browsers.

For example, when you install a Firefox add-on, the add-on has full permission to access your entire computer, if it wants. There’s no permission system in Firefox. The only limitation is Windows’ User Account Control, which prevents the add-on from running with administrator privileges.

If you pay attention while installing a Firefox add-on, you’ll see a similar warning message, although it’s less specific than Chrome’s warning message.

chrome plugin privacy

This also applies to all other software on your computer. When you install a Windows desktop application, it has full access to every file on your computer and the ability to monitor your browsing activity – if it wants to.

While it would be nice if Chrome’s extension permission system was more fine-grained, it would be extremely difficult to limit what more powerful extensions can do. To see a full list of Chrome plugin permission and a short explanation of each, read this page on Google’s website.

How much attention do you pay to permissions when you install Chrome plugins? Have you avoided installing plugins when they ask for lots of permissions, or does Chrome’s permission system provide so many warnings that you ignore them? Leave a comment and share your thoughts!

Ads by Google
Comments (17)
  • gemini

    i cannot install ant addons asking for access all data. i may not have a problem if they collect my browsing history, since their function may well depend on it, but the thought that they can collect passwords (when it is not their main function) is quite scary. basically i can own a rolls royce that has a renault interior and i cannot buy any options because of these permissions.

  • mohit kumar

    Firefox is the best browser in terms of usability of addons.

    Further I don’t like Chrome because of privacy concerns. Why the hell I need a google account to install addons. Chrome webstore takes minutes to load. And if I use other chromium-based browsers, google doesn’t allow to install extensions, nor user scripts.

    Basically, I don’t like to put all my eggs in one basket.

    I prefer DuckDuckGo than google search.
    Outlook/ Rediffmail over gmail.
    Facebook/ Twitter over g+(worst social network).

  • Kyle Venter

    Ha, ha, ha, this article is brilliantly written but is quite a laugh. So, those of you who think denying an app permissions is protecting your privacy? All your information is already known by large secretive U.S corporations, they control the world and all of us like little puppets, using their media to herd us left or right. Don’t worry about plugins, Google already knows how fast you can walk, your gate and how many hairs you have on your left bumb cheek. I wouldn’t worry about plugins when military satellites can peer through your roof from space and in high definition.

    • Chris Hoffman

      Well, for the sake of argument, let’s accept that everything you said is true.

      Even if this is true, installing a bad plugin could be a bad thing — a private citizen could spy on you to get your credit card number or online banking information and mess up your life.

    • Kyle Venter

      Well, yeh Chris you are absolutely correct in that, anyone can theoretically gain access through a plugin, but then again, these days anyone can anyway, through war driving on a simple Android smartphone, even WEP, WPA etc etc keys can be cracked with the correct algorithm. A private citizen can do this all if they so wished, I reckon the problems are much deeper than a simple hacker or a poor geek who has found a way to feed his starving family, like Robin of the Hood. As long as the poor keep getting poorer, and the rich Western piggies keep getting fatter and destroying our fragile ecology even more than they have already with among other things, Nuclear weapons and the dictation of ‘proper societal structuring’, as long as this continues, there will always be a ‘robin hood’ or, if he steals money from you or I, a ‘thief’, in the woodwork. The increasing of policing of the internet is just an extension of the already chaotic police society created by Western Fear paradigm, built through using the media to propagate mass fear where, in fact, the very cause of those terrorism acts where the gestapo’s actions in the first place. I wonder who the real people are that need to be feared? Let me just make clear that I in no way condone violence to bring about any change and I believe that the central problem in our modern society is greed, plain and simple, greed, it is why, the powerful want to control and it is why those made to suffer rise up in violent protest and action. I mean, if your kids where starving, what would you do? If bombs where falling out the sky, what would you do? This I am seeing here is simply another form of control by those who have power and priveledge, trying to steer the ‘sheep’ into the little boxes of control they they see as the route to providing the greatest profit for their greedy fat pale bellies. But no matter what you or I do or say, it will never change what ‘they’ want to happen. No amount of violence, hatred, killing, bribing, can stop what those in power wish to accomplish for their own benefit. That is, I am afraid, human nature and ultimate power corrupts, completely and totally, regardless of the ‘constitution’, man will always mold words to fit his/her objective. I just wish people would listen to the words of their forfathers, who knew about things such as greed, corruption and destruction. If we followed the wise of old we would not be doing this to ourselves and to our brothers and sisters. SO, in conclusion, Google will do what they want to do, we are the sheep and must follow, what was once completely ‘free’ will be made ‘controlled’ due to greed and glutony, not privacy and safety. One day when man has turned all that was good and clean into a twisted knot of filth, hate, greed and lust, then, maybe, then we will see in the mirror what we have become, me, you and I, included, and maybe then, we will all decide in one single moment, to treat others as we ourselves would like to be treated.

    • Alberto Lerma

      Too Long/Boring/Paranoid; Didn’t Read.

      I have a ton of shit in my devices and guess what? IDGAF if anyone is watching. And I think that MUO is not the best place for your shitty pseudo-manifesto, maybe a personal blog would be better.

    • Kevin Wiley

      Wow, providing the real scoop and even using your real name… Brave

    • mohit kumar

      Thanks for opening people’s minds.

      I’m trying hard not to use google services/ products though.

  • Anonymous

    They need to take this to the next level and explain WHY? Sometimes the reasons are not obvious. But if it listed explicity why it was accessing what it does then I could at least attempt to make a good choice.

  • Arron Walker

    I never really liked how the permissions worked in Chrome. I still don’t, but now I understand at least. I didn’t realise firefox did that – guess that’s one more reason to stick to chrome.

    • Chris Hoffman

      Yup, they made an effort in Chrome, at least. It’s helpful to realize that Firefox/the Windows Desktop don’t bother trying to use such permissions at all.

Load 10 more
Affiliate Disclamer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.
Affiliate Disclamer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.