A new study analyzes the privacy risks of over 400 of the top AI-powered Google Chrome browser extensions and finds that 52 percent of analyzed extensions collect user data, while nearly one in three 29 percent collect personally identifiable information (PII).
The study from Incogni identifies Grammarly and QuillBot, two of the most popular extensions with over two million downloads each, as the most potentially privacy-damaging due to the scope of data collection and the permissions they require.
AI-powered browser extensions, ranging from writing assistants and translators to meeting notetakers and programming helpers, have become routine for millions of users. Most users assume that extensions available through Google’s Chrome Web Store are inherently safe. However, in the wrong hands, they can be used to exfiltrate sensitive data or even modify what the user sees, as well as inject text (including code) into input fields presumed to be under the user’s control.
Incogni researchers analyzed 442 extensions across eight categories, assessing each based on the permissions it requires, the personal data its user agreement admits to collecting, and its risk-impact and risk-likelihood scores, which estimate both the potential harm an extension could cause and the likelihood of malicious use.
“AI-powered extensions can be genuinely useful, but most users have very little visibility into how much access they’re granting when they install them,” says Darius Belejevas, head of Incogni. “Some of these tools can read everything you type, see every page you visit, or inject code directly into websites. That level of access deserves far more attention than it typically gets.”
Among other findings 10 extensions were found to have both a high risk likelihood and high risk impact, meaning they have access to potentially dangerous permissions and could cause serious harm if misused; these include tools such as Nily AI Sidebar and EaseMate.
Programming and mathematical helpers ranked as the most privacy-compromising category on average, followed closely by meeting assistants and audio transcribers. At the other end of the scale audiovisual generators and text and video summarizers were, on average, the least privacy-invasive categories.
You can read more on the Incogni blog.
Image credit: FoxArtBox_studio/depositphotos.com
