Ask LH: Why Do Chrome Extensions Need To Access All My Data?

Ask LH: Why Do Chrome Extensions Need To Access All My Data?

Dear Lifehacker, I’m a big fan of Google Chrome, and I love using extensions. However, I’ve noticed that a lot of them request permissions to access all of my data on every site. Why is this? Should I be worried? Sincerely, Afraid to Extend

Dear AE,

We’re right there with you. Extensions are an amazing way to customise your Chrome experience, but some of them ask for a lot of data for no apparent reason. I talked with programmer Joe Flores and Meldium co-founder Boris Jabes to get insight into how permissions work, and see if it’s something you should be worried about or not.

Why Chrome Extensions Need Permissions

10 different

For example, an extension like Pocket needs access to “Your data on all websites” and “your tabs and browsing activity”. This sounds like a lot, but since Pocket is a read-it-later service, it needs those permissions just to operate. Without them, it couldn’t save the URL link from the site you’re on.

So, why do some extensions need broader access than others? Jabes notes that part of the issue is just the wording Chrome uses:

Chrome’s warnings when you install an extension are overly conservative in their text. For example, one of the extensions I use, ChromeReload, is a very simple tool that asks for “Your data on all websites” and “Your tabs and browsing activity.” All it needs is to attach a marker on each tab that keeps track of when it was last reloaded, but Chrome doesn’t provide a “polite” prompt for this.

Simply put, Chrome doesn’t offer any granularity with permissions requests — it’s an all-or-nothing approach for extension makers, and sometimes the broader permission requests are just easier to program for.

The sad truth here is that it’s pretty difficult to really track down why an extension needs the permissions it does. Sometimes it’s obvious — with an RSS Reader like Feedly, the extension can’t work without accessing “your data on all websites”, because that’s the fundamental permission it’s built on. Every time you visit a site, a bit of JavaScript code runs, and Feedly does its business. In order for that to work properly, it needs to run on every website. But other times, it isn’t so easy to tell.

When You Should Be Careful About What Extensions You Install

That said, pretty much any extension that asks for all data on your computer and the websites you visit is probably worth a very close look. These extensions aren’t inherently bad. Any extension, like the screenshot tool Lightshot, that accesses your hard drive needs this permission. But it’s worthwhile to pay closer attention to any extension that asks for data on your computer.

Thankfully, an extension that’s capable of really scraping your data is going to set off alarms. Flores notes:

Chrome will prompt you for “access to your data on all websites” which sounds really scary, but is technically BS — the sheer scale of most of the APIs required for the big boys (Facebook, Twitter, etc) would result in a large, more unwieldy plugin that would set off alarm bells. No one would likely be able to cram enough code into a single plugin to manage to get “all” your information and still have a functioning plugin in only JavaScript.

While an extension might not gun for all your data, it’s certainly possible to grab specific information, like a password, so before you download anything, it’s worth looking through an extension’s reviews to see what other people are saying. Chances are someone will notice an overreaching extension pretty quickly.

If you want to be extra careful, only install extensions from verified authors. You’ll see a little check mark on the extension’s Chrome Web Store page that verifies it’s official. Not every “good” extension has this verification though. For example, LastPass doesn’t have a verification, even though it’s a trustworthy extension. But it helps you separate the official extensions from the unofficial ones.

If you have a little technical knowledge, you can also dig into an extension’s code to see what it’s doing, or install an extension like Extension Gallery to inspect the code easily. You can get a closer look at what code causes Chrome permission warnings on the developer site as well.


Special thanks goes out to programmer Joe Flores and Meldium co-founder Boris Jabes for providing their expert assistance and knowledge for this article.

Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.

Log in to comment on this story!