AI Extensions for Chrome: Convenience at What Cost?

Incogni's recent study reveals that the majority of AI-powered Chrome extensions come with heightened risks, collecting vast amounts of user data.
The research team delved into 70 extensions spanning seven primary categories. A staggering 68% landed in the 'risky' bracket. Here, "risk" was gauged by the number of permissions sought — permissions that, in the wrong hands, could wreak havoc. For instance, if a cybercriminal taps into an extension with minimal permissions, the damage to the user could be significant.

Interestingly, about 60% of these extensions have a slim chance of being compromised. This is determined by factors like the developer's reputation, the extension's longevity on the Chrome store, and other indirect markers of security. So, while there's a plethora of risky extensions out there, a large portion are relatively benign for users. Regrettably, a mere four extensions can wear the badge of being utterly trustworthy, balancing both low risk and robust protection.
Chart illustrating the risk vs. hackability of AI Chrome extensions. Source: Incogni


On average, each AI-powered extension requests 3.7 permissions. These either grant access to the browser and associated local data or allow traffic inspection, including intercepting and blocking web requests. AI aids top the list with 5 permissions, while coding tools usually settle for just a couple.

While certain permissions might seem logical, streamlining tasks and workflow, it's essential not to let the allure of convenience blind us to potential security pitfalls. Take the 'activeTab' permission, for instance: it gives the extension access to the current webpage, which allows the data on it to be modified. Some scripts go even further, possessing the power to overhaul a webpage's very structure and content.
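One way to review the permissions discussed above before installing an extension, as an added example that is not part of the original article or of Incogni's study: a function that takes the parsed contents of an extension's `manifest.json` and lists what each sensitive permission allows. The `auditManifest` name, the per-permission notes and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: the notes below are a reviewer's shorthand, not Incogni's scoring.
const NOTES = {
  activeTab: "temporary access to the current tab when the user invokes the extension",
  scripting: "can inject scripts that change page structure and content",
  tabs: "can read the URL and title of open tabs",
  history: "can read browsing history",
  cookies: "can read and modify cookies for permitted hosts",
  webRequest: "can observe web requests",
  webRequestBlocking: "can intercept and block web requests (Manifest V2)",
  declarativeNetRequest: "can block or redirect web requests through rules",
};
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const api = [...new Set(declared.filter((p) => !isHostPattern(p)))];
  const hosts = new Set([
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ]);
  // Content scripts run in matching pages even without a named API permission.
  const scriptHosts = new Set((manifest.content_scripts || []).flatMap((c) => c.matches || []));
  const findings = api.filter((p) => NOTES[p]).map((p) => `${p}: ${NOTES[p]}`);
  for (const h of hosts) if (BROAD_HOSTS.has(h)) findings.push(`${h}: host access to every site`);
  for (const h of scriptHosts) if (BROAD_HOSTS.has(h)) findings.push(`${h}: content script runs on every site`);
  return { apiPermissionCount: api.length, hosts: [...hosts], findings };
}

// Constructed sample manifest (not taken from any real extension).
const sampleManifest = {
  manifest_version: 3,
  name: "Example AI Writer",
  permissions: ["activeTab", "storage", "scripting", "webRequest"],
  host_permissions: ["https://api.example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

const report = auditManifest(sampleManifest);
console.log(`${report.apiPermissionCount} API permissions requested`);
report.findings.forEach((f) => console.log(" - " + f));
```

A low permission count alone can hide broad reach: the sample manifest names no all-sites host permission, yet its content script still runs on every page.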

User Data

The significant concern with AI extensions lies in their approach to user data. Shockingly, more than 59% of these apps are involved in data collection. On average, every extension gathers around 1.4 types of data—even when they claim the opposite. Notably, at least ten extensions are known to transmit personal details, web activity, and content from various sites. However, none seem to touch upon health-related data.
A diagram illustrating user data collection by categories. Source: Incogni Official Website.


Most extensions (44% to be precise) collect personal details—names, addresses, and other sensitive data. Additionally, 21% actively monitor web traffic and mouse movements. Personal assistant tools, such as Jasper and HyperWrite, consistently record web search histories and even financial details. Among these culprits, there are some household names:

  • Grammarly: Originating from Ukraine, this spell-check and text-editing tool accumulates a vast amount of personal data. This includes user location and online behavior. Although it demands extensive permissions, its risk of unauthorized breaches remains relatively low due to the strong reputation of its developers.

  • QuillBot: Ranking as the second most popular AI extension for Chrome, it requires slightly less data than its competitors. Still, it hoards an alarming amount of superfluous information. Because of its use of the 'activeTab' permission, it's categorized as high-risk. But, much like Grammarly, the chance of it being hacked remains minimal.

Conclusion

While AI extensions provide tangible benefits, users must be wary of their potential pitfalls. Before downloading and launching any browser extension, it's essential to meticulously review their permissions, developer credentials, and data collection tactics. Taking these steps can prevent unwanted breaches of private or sensitive data.