- Once installed, they can often "see" and potentially interact with any web page you visit in that web browser.
- Plugins associated with online platforms such as Google Drive / Docs / Sheets or Microsoft Office 365 or Microsoft OneDrive often require permissions to access files stored in your online account. These permissions often give the web browser plugin access to any document or other file stored in your online account.
- These plugins can often also automatically open and display websites or other "pop-up" notification messages at any time. In general, legitimate web browser plugins only use this ability to display relevant notifications that are required to use the plugin. However, the plugins could spontaneously display websites or other notification messages for advertising purposes.
- In some cases, web browser plugins will automatically open and display a website or a notification for malicious purposes.
Steps IT staff will perform to review a web browser plugin:
1) Check the rating of the app in the respective web browser "app" store - Apps with ratings below 3.5 are generally considered poor quality and will be rejected
2) Review a sample of written ratings to determine if other users reported unwanted or malicious behavior from the app
3) Review the total number of downloads and total number of ratings. A small number of downloads or ratings could indicate more risk
4) Determine the approximate age of the web browser plugin. Recently published apps are riskier. If the app has been published for less than 3 months, IT staff will likely reject it as being too risky
5) Review the reputation of the app using online tools including https://crxcavator.io/ or Trend Micro's Virus Encyclopedia or VirusTotal. If the plugin appears in searches of these sources, it is likely IT staff will reject the request due to risk.
6) Determine if the developer appears to be maintaining the app. If the app has not been updated recently, it is likely the developer is not performing regular software / security updates. If the web browser plugin has not been updated within the past year, IT staff will likely reject the request as being too risky.
7) Review the reputation of the developer/publisher by (1) checking to see if the developer has a professional-quality website with corporate and contact information
8) Determine if the developer (aka publisher) has other apps in the online store that are also relatively well rated. If the developer has other apps that are poorly rated, IT staff might reject the request to install the plugin.
9) Review the reputation of the developer by conducting web searches for the name of the developer along with keywords such as "malicious", to confirm that the results do NOT show they are known to be malicious
10) Review the privacy policy - If the publisher does not have a privacy policy, that is seen as a red flag and will likely result in IT staff rejecting the request to install the plugin.
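
The steps with fixed thresholds (1, 4, 6 and 10) can be pre-screened from store-listing data before a person handles the rest. The sketch below is an added example, not tooling described on this page. The record field names (`rating`, `first_published`, `last_updated`, `privacy_policy_url`) are hypothetical, and 90 and 365 days are assumed readings of "3 months" and "the past year".

```python
from datetime import date, timedelta

# Thresholds from the review steps. The day counts are this example's
# reading of "3 months" and "the past year" (an assumption).
MIN_RATING = 3.5
MIN_AGE = timedelta(days=90)
MAX_UPDATE_GAP = timedelta(days=365)

def triage(ext, today):
    """Apply steps 1, 4, 6 and 10 to one store-listing record (a dict).
    Never auto-approves: the other steps need a human, so the best outcome
    is "manual-review". Missing fields are reported, not treated as a pass."""
    reject, missing = [], []
    rating = ext.get("rating")
    if rating is None:
        missing.append("step 1: rating not recorded")
    elif rating < MIN_RATING:
        reject.append(f"step 1: rating {rating} is below {MIN_RATING}")
    published = ext.get("first_published")
    if published is None:
        missing.append("step 4: publication date not recorded")
    elif today - published < MIN_AGE:
        reject.append(f"step 4: published {(today - published).days} days ago")
    updated = ext.get("last_updated")
    if updated is None:
        missing.append("step 6: last update not recorded")
    elif today - updated > MAX_UPDATE_GAP:
        reject.append(f"step 6: last updated {(today - updated).days} days ago")
    if "privacy_policy_url" not in ext:
        missing.append("step 10: privacy policy not checked")
    elif not ext["privacy_policy_url"]:
        reject.append("step 10: no privacy policy")
    return ("likely-reject" if reject else "manual-review"), reject + missing

# Constructed sample records, not real extensions.
TODAY = date(2024, 6, 1)
SAMPLES = {
    "new-and-low-rated": {"rating": 3.1, "first_published": date(2024, 4, 20),
                          "last_updated": date(2024, 5, 1), "privacy_policy_url": ""},
    "established": {"rating": 4.6, "first_published": date(2019, 3, 2),
                    "last_updated": date(2024, 2, 10),
                    "privacy_policy_url": "https://vendor.example/privacy"},
    "abandoned": {"rating": 4.2, "first_published": date(2018, 1, 5),
                  "last_updated": date(2022, 11, 30)},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, *triage(record, TODAY), sep="\n  ")
```

A "manual-review" result only means none of the four automated checks failed; steps 2, 3, 5, 7, 8 and 9 still have to be done by IT staff.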