Professional Documents
Culture Documents
Are Ad Blockers Dangerous
Are Ad Blockers Dangerous
EN
AdGuard Blog Research says extensions can steal your password from websites. Should you be …
Home
Research says extensions can steal your
password from websites. Should you be worried?
AdGuard Ad Blocker
Blog
The researchers found that on 15% of the websites they studied — and these are not
some obscure and unknown portals, but the likes of Google and Cloudflare (among
Support
others) — passwords were “present in plain text in the HTML source code.” In the
researchers’ opinion, this careless attitude by website developers combined with
relatively lax Chrome rules for extension developers leave the door wide openMy
forAccount
attackers to exploit this vulnerability. During their research, they identified 190
extensions that were “directly accessing password fields,” including such popular
extensions as AdBlockPlus and Honey — both of them boasting over 10 million
downloads.
Source
“Analyzing the manifest files (the JSON-formatted files that provide important
information about the extension’s capabilities and the files it uses), we find that
12.5% (17.3K) extensions have the necessary permissions to extract sensitive
information on all web pages.”
While Google Chrome’s new platform for extensions, Manifest V3, has imposed
constraints on what extensions can do, the researchers found that these measures did
not mitigate risks to security in any substantial way. They said: “Despite MV3’s intended
advancements in user privacy and security, content scripts’ operations remain
unchanged. This maintains the lack of security boundary between the extension and
web page and allows an extension to be loaded on the DOM tree and gain unrestricted
access to the webpage, posing security risks for the users.”
In fact, it’s by far not the first time that alarm bells have been sounded about the extent
to which extensions can access user data. The issue is not specific to Chrome —
extensions for other browsers, such as Firefox, have the same capabilities and
permissions. Nor is it just about ad blockers: all extensions that need to modify the
content of web pages, such as password managers and productivity tools, require broad
access to the information on these web pages. The technical reason behind this is that
these extensions use JavaScript, a programming language that allows them to read and
transform HTML elements on the web page to fulfill their purpose. For example,
password managers use JavaScript to insert passwords and usernames into input
https://adguard.com/en/blog/extensions-steal-passwords-chrome.html 1/5
9/21/23, 9:30 AM Are ad blockers dangerous?
fields, while productivity tools use it to block distractions, track time, save web pages,
EN
etc. So, what about ad blockers?
Home
Ad blockers run JavaScript to scan web pages for ad scripts and other elements that
match their blocklist, so that they can block them. It also allows them to hide “ad
leftovers” — empty spaces and broken elements that may have been left behind AdGuard
by the Ad Blocker
blocked ads. This process is called “cosmetic processing.”
AdGuard VPN
In the AdGuard extension description in the Chrome Web Browser Store, we try to be
transparent about why we need certain permissions. AdGuard DNS
Other products
Purchase
Blog
Support
My Account
Thus we explain that we need permissions to read and change all your data on all
websites (“host permission” in Chrome) and to access tabs (“tabs permission”) in order
to block ads, as well as apply cosmetic rules so that web pages look clean and tidy. We
also need the webNavigation permission to catch the moment when to inject ad-
blocking scriptlets, that is before the page loads any ads.
To sum it up, the AdGuard extension, as well as many others, may require intrusive-
sounding permissions to work. Ultimately, it’s up to you if you trust their developers and
their justifications for needing these permissions enough to grant them.
In 2018, Mozilla devoted an entire blog post to extension permissions, including “scary-
sounding ones”, in which it explained why extensions like ad blockers need them for
legitimate reasons, but also highlighted the risks of installing them.
However, the Firefox maker noted that such cases, when a malicious developer claims
your extension does one thing while it actually does something else, while possible, are
still “rare.”
Source: Mozilla
You may argue that even “rare” is sometimes too often. And we agree wholeheartedly —
downplaying this problem would do nobody good. A few years ago, we ourselves
exposed several malicious ad blocking extensions that ripped off the code of legitimate
https://adguard.com/en/blog/extensions-steal-passwords-chrome.html 2/5
9/21/23, 9:30 AM Are ad blockers dangerous?
ones and could change your browser’s behavior in any way. At the time we estimated
EN
that over 20,000,000 people could be affected by these fake ad blockers. So now the
burning question is, how can you be a little more comfortable giving your extension the
Home
ability to see all of your browsing activity?
AdGuard
Well, here’s a checklist that the extension needs to meet to be considered safe in our Ad Blocker
eyes:
AdGuard VPN
The author of the extension is clearly stated, has a physical address, and, ideally, has
been in the industry for many years AdGuard DNS
The extension is open source: you can see the list of all commits and it’s always
Blog
available (for example, AdGuard ad blocker extension for Chrome is free and public)
Support
The developer maintains online presence and can be easily contacted by users (via
social media, website, or a dedicated support desk) and provides timely responses
My Account
The extension has positive ratings and favorable reviews. Although these are not an
iron-clad guarantee of it being safe, as reviews can be manipulated by bots or left by
non-inquisitive casual users who appreciate the fact that the extension works and
don’t look any deeper — but that’s another story
Upd: September 15, 2023 6 min read The more you know Data protection
Ekaterina Kachalova
Show comments
Recommended articles
https://adguard.com/en/blog/extensions-steal-passwords-chrome.html 3/5
9/21/23, 9:30 AM Are ad blockers dangerous?
EN
Home
AdGuard Ad Blocker
Purchase
Blog
Support
My Account
https://adguard.com/en/blog/extensions-steal-passwords-chrome.html 4/5
9/21/23, 9:30 AM Are ad blockers dangerous?
EN
Download
Home
Read more
AdGuard Ad Blocker
AdGuard for Windows v7.14, 14 days
trial period AdGuard VPN
Purchase
Blog
© AdGuard, 2009–2023
Support
My Account
Site map
https://adguard.com/en/blog/extensions-steal-passwords-chrome.html 5/5