
9/21/23, 9:30 AM Are ad blockers dangerous?

Research says extensions can steal your password from websites. Should you be worried?

September 14, 2023 6 min read

Recent research by the University of Wisconsin-Madison found that “a significant
percentage” of extensions in Chrome — about 12.5% — have received permissions from
users that enable them to access sensitive personal information. The paper mainly
focuses on passwords that the researchers say are often stored in plaintext within the
source code of even reputable websites. These unprotected passwords, they argue, can
become easy targets for malicious data-hungry extensions.

The researchers found that on 15% of the websites they studied — and these are not
some obscure and unknown portals, but the likes of Google and Cloudflare (among
others) — passwords were “present in plain text in the HTML source code.” In the
researchers’ opinion, this careless attitude by website developers combined with
relatively lax Chrome rules for extension developers leaves the door wide open for
attackers to exploit this vulnerability. During their research, they identified 190
extensions that were “directly accessing password fields,” including such popular
extensions as AdBlockPlus and Honey — both of them boasting over 10 million
downloads.

Source

The researchers said:

“Analyzing the manifest files (the JSON-formatted files that provide important
information about the extension’s capabilities and the files it uses), we find that
12.5% (17.3K) extensions have the necessary permissions to extract sensitive
information on all web pages.”

While Google Chrome’s new platform for extensions, Manifest V3, has imposed
constraints on what extensions can do, the researchers found that these measures did
not mitigate risks to security in any substantial way. They said: “Despite MV3’s intended
advancements in user privacy and security, content scripts’ operations remain
unchanged. This maintains the lack of security boundary between the extension and
web page and allows an extension to be loaded on the DOM tree and gain unrestricted
access to the webpage, posing security risks for the users.”

Sounds ominous, doesn’t it? So, let’s set things straight.

It’s a trust issue, there’s no getting round it


While it might be true that ad blocking extensions (like many others) require some
scary-sounding permissions, it’s not because they are inherently malicious or hell-bent
on stealing your data. It’s just they have no other way to do their job. And you have to
trust them to do it right.

In fact, this is far from the first time that alarm bells have been sounded about the
extent to which extensions can access user data. The issue is not specific to Chrome —
extensions for other browsers, such as Firefox, have the same capabilities and
permissions. Nor is it just about ad blockers: all extensions that need to modify the
content of web pages, such as password managers and productivity tools, require broad
access to the information on these web pages. The technical reason behind this is that
these extensions use JavaScript, a programming language that allows them to read and
transform HTML elements on the web page to fulfill their purpose. For example,
password managers use JavaScript to insert passwords and usernames into input
fields, while productivity tools use it to block distractions, track time, save web pages,
etc. So, what about ad blockers?

Ad blockers run JavaScript to scan web pages for ad scripts and other elements that
match their blocklist, so that they can block them. It also allows them to hide “ad
leftovers” — empty spaces and broken elements that may have been left behind by the
blocked ads. This process is called “cosmetic processing.”

In the AdGuard extension description in the Chrome Web Browser Store, we try to be
transparent about why we need certain permissions.

Thus we explain that we need permissions to read and change all your data on all
websites (“host permission” in Chrome) and to access tabs (“tabs permission”) in order
to block ads, as well as apply cosmetic rules so that web pages look clean and tidy. We
also need the webNavigation permission to catch the right moment to inject
ad-blocking scriptlets, that is, before the page loads any ads.

To sum it up, the AdGuard extension, as well as many others, may require intrusive-
sounding permissions to work. Ultimately, it’s up to you if you trust their developers and
their justifications for needing these permissions enough to grant them.
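
One way to run the kind of manifest check the researchers describe, and to see where the host, tabs and webNavigation permissions mentioned above appear in a manifest. This is an added example, not AdGuard's or the researchers' code; the sample manifests are constructed, and the `auditManifest` name and the choice of which match patterns count as broad are assumptions.

```javascript
// Added example: audit a Chrome extension manifest (MV2 or MV3) for page-wide DOM access.
// Match patterns that cover every site on at least one scheme (assumed definition of "broad").
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// API permissions named in the article, surfaced for manual review.
const NOTABLE_APIS = new Set(['tabs', 'webNavigation']);

// In MV2, host patterns sit in "permissions" next to API names.
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

function auditManifest(manifest) {
  const version = manifest.manifest_version;
  const declared = manifest.permissions || [];
  // MV3 moved host patterns into their own "host_permissions" key.
  const hosts = version >= 3 ? (manifest.host_permissions || []) : declared.filter(isHostPattern);
  // Declared content scripts run in the page DOM on every URL their "matches" cover.
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const broadHosts = hosts.some((h) => BROAD.has(h));
  const broadContentScript = matches.some((m) => BROAD.has(m));
  // Programmatic injection needs host access; MV3 additionally needs "scripting".
  const canInject = broadHosts && (version < 3 || declared.includes('scripting'));
  return {
    manifestVersion: version,
    broadHosts,
    broadContentScript,
    notableApis: declared.filter((p) => NOTABLE_APIS.has(p)),
    canReadAllPages: broadContentScript || canInject,
  };
}

// Constructed sample manifests (not taken from any real extension).
const samples = {
  mv3Blocker: { manifest_version: 3, permissions: ['tabs', 'webNavigation', 'scripting', 'storage'],
    host_permissions: ['<all_urls>'] },
  mv3Static: { manifest_version: 3, permissions: ['storage'],
    content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }] },
  mv2Legacy: { manifest_version: 2, permissions: ['tabs', 'http://*/*', 'https://*/*'] },
  mv3Scoped: { manifest_version: 3, permissions: ['storage'],
    host_permissions: ['https://example.com/*'] },
};

for (const [name, manifest] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditManifest(manifest)));
}
```

A `canReadAllPages` result of true says only that the capability is present; whether it matches the extension's stated purpose is still a judgment for the reviewer. The check does not cover optional permissions or `activeTab`.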

So, should you be worried?


Yes, in the grand scheme of things, you should. You should be mindful when installing
extensions that can access your data on web pages. Even if rather slim, there’s a chance
that the extension you want to install is a malicious one and will steal your password or
banking details that are stored in plaintext in a website’s HTML source code. With
additional functionality come additional risks, and this applies not only to add-ons, but
also for other services and devices: take WiFi-enabled vacuums or modern cars with
sensors, for example. So, to cut to the chase, you will have to accept a higher level of
risk to your security and privacy when you allow your add-on to work its magic, such as
blocking ads. Regardless of whether you think such a trade-off is fair or not, it is just
unavoidable.

In 2018, Mozilla devoted an entire blog post to extension permissions, including “scary-
sounding ones”, in which it explained why extensions like ad blockers need them for
legitimate reasons, but also highlighted the risks of installing them.

However, the Firefox maker noted that such cases, in which a malicious developer claims
their extension does one thing while it actually does something else, are possible but
still “rare.”

Source: Mozilla

You may argue that even “rare” is sometimes too often. And we agree wholeheartedly —
downplaying this problem would do nobody good. A few years ago, we ourselves
exposed several malicious ad blocking extensions that ripped off the code of legitimate
ones and could change your browser’s behavior in any way. At the time we estimated
that over 20,000,000 people could be affected by these fake ad blockers. So now the
burning question is, how can you be a little more comfortable giving your extension the
ability to see all of your browsing activity?

Well, here’s a checklist that the extension needs to meet to be considered safe in our
eyes:

The author of the extension is clearly stated, has a physical address, and, ideally, has
been in the industry for many years

The privacy policy is present, clear, and user-friendly

The reasons for permissions are clearly stated, and match the purposes of the
extension

The extension is open source: you can see the list of all commits and it’s always
available (for example, AdGuard ad blocker extension for Chrome is free and public)

The developer maintains online presence and can be easily contacted by users (via
social media, website, or a dedicated support desk) and provides timely responses

The extension has positive ratings and favorable reviews, although these are not an
iron-clad guarantee of it being safe, as reviews can be manipulated by bots or left by
non-inquisitive casual users who appreciate the fact that the extension works and
don’t look any deeper. But that’s another story


Upd: September 15, 2023

Ekaterina Kachalova

https://adguard.com/en/blog/extensions-steal-passwords-chrome.html
