Disclaimer: My intention with this article is to raise the awareness of a few things that are happening and/or could happen to you when you are installing any Chrome extension that you find. I am not saying that Chrome extensions that we recruiters are using are all bad, most of them are awesome, but it’s better to be cautious.
Almost every person, recruiter or sourcer has some Chrome extensions installed in their browser and I am no exception. These extensions help us find contact details for our potential candidates, save us time when we are creating messages for them, and most of them help us to be more effective in what we do.
Chrome with those extensions has become our everyday tool at work and at home. Particularly in recruitment, these extensions are quite handy and very useful for sourcing activities. Some of them find email addresses or phone numbers; others generate the right Boolean string for our search or collect and enrich the data we find.
We love them, especially when lots of them offer things like “Free credits to reveal candidates’ email.” Who could say no, right? They are easy to use and offer credits for free! But as I am always saying to my friends, if something is free then you are probably the product.
And things like DataSpii Report are confirming that. This report describes an investigation that uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In that report, they delineate the sensitive data source types relevant to the security of individuals and businesses across the globe.
This is one example of the reasons why it is important to think and double-check what extensions you are going to install or service you are going to use. Even if somebody you know recommended the service or plug-in, check their site first and see who is behind it.
There are sites offering things like “enrich your exported LinkedIn connection,” and those sites are recommended by people from our field to their clients and course attendees. And when you visit such a site, there is no info about GDPR and how they are going to work with your data, no contact page showing who is behind that service.
The domain data are hidden, but when you check old DNS records, check the code of that website and do a few other things, you will eventually find who is behind these tools and services. And if you find that information, you will understand why they are hiding who they are and why you shouldn’t upload any data to those sites at all.
Of course, it’s hard to find enough evidence against them, but you can use a unique email and dummy LN profile and see where those data (like email) are going to appear. And if that company is the only one who has that unique email because of that “enrichment” you can guess why suddenly you are starting to get personalized email offers with the name of that fake profile that belongs to this email.
Why You Should Care?
First, it’s your data that these people can exploit and sell. People are always saying that they don’t have anything to hide, but your data and data about your contacts could be easily used for scam or phishing emails. And that is only the beginning of how your personal data and your online activity could be exploited. Your GPS location, credit card information and other things could create for you some serious problems. One interesting article about that topic is “I need your facebook data, location, and your browsing history“.
The worst case is when you are using shady Chrome extensions at work. Most people at work are using one browser to access everything, their private email, LinkedIn, all social sites and also internal company systems, systems like sites on an intranet, ATS (applicant tracking system) and other internal sites and tools. And because lots of those systems and applications are hosted in the cloud, people can access them via a web browser.
Yes, that same browser that has installed all those free extensions that promise free credits to reveal the email addresses of your candidates, those that you installed some time ago and are not using. Those little extensions that have access to your browser history and the whole data you are accessing via your browser.
How is this possible? Because when you installed them some time ago, those Chrome extensions requested access to “Your data on all websites,” or “Your tabs and browsing activity,” and you gave them permission to access those data. You gave them access to your history for a few free credits. Some of those extensions even ask permission to “Add, Delete, Edit data on your Google Drive.” Yes, they need to store the data they collect, but if you are using Google Drive like most of us, then giving that access to some Chrome extension is like giving a key to your flat to a random stranger on the street just because that person promised you to clean your house cheaper than others.
And imagine that this is the same browser (with those extensions) that you are using to access your LinkedIn, your private and company emails, and your company ATS; the same ATS that has all the information about your candidates’ emails, phone numbers, etc. Those data in your ATS have real value for many people (hackers, spammers, competitors…).
How to Protect Your Data
It doesn’t matter if you are not the owner of the company, protecting company assets and data should be the number one priority of every employee. There are many things you can do to protect the data and most IT departments are trying hard.
This is one trick I have been using for years to limit any issues that could happen by using those Chrome extensions, even from companies that I trust and know their extensions are GDPR compliant.
That’s why I recommended using more browsers. One browser you will use only for internal things and accessing your ATS—the browser without those extensions that you have installed everywhere else because you don’t need to access your ATS with Chrome extensions that are revealing contact details. And the second browser for the rest of your activities or only for sites where you can use those plugins.
And if you can’t live without Chrome, you should know that there are many other web browsers based on Chromium that you can use. They are using the same system as Chrome, but their browsers are customized.
My recommendation will be Brave, Ghost Browser, Vivaldi, Iridium, etc. And in the near future, you can also expect the Edge browser from Microsoft to be using Chromium so you will be able to use the same Chrome extensions that you are using in Chrome.
Browsers like Brave browser block unwanted content by default, so you don’t need to use AdBlock or any other extension. Most of those browsers are also faster. Browsers like the Epic Browser block not only ads but also various trackers, fingerprinting, cryptomining, ultrasound signaling and more. And they also stop 600+ tracking attempts in an average browsing session. Those other browsers block the software that follows you around so your activities will be safer. However, some plug-ins that work in Chrome cannot work in them.
There are many things you should do to be safe and here is a small list of them.
1. Keep Your Browser Updated
Keeping your web browser up to date may seem like an unnecessary chore, yet those small browser updates can make a considerable difference to your browsing experience, especially in terms of security. And use a Firewall and Antivirus too!
2. Uninstall the Plug-ins You Don’t Use
The plug-ins that you don’t use should be deleted. Not only will your browser load faster, but you will also minimize any problems that could appear because of those plug-ins.
Plug-ins like Java and Microsoft’s Silverlight are becoming less popular, only used by a few sites; you can uninstall such plug-ins unless you really need them. To view the installed plug-ins in Google Chrome type chrome://extensions in a URL and disable or remove those that you are not using anymore.
3. Passwords Should Not Be Stored in Your Browser
All modern web browsers and websites offer auto-complete functionality. This feature requires you to store your passwords, making your sensitive data prone to cyber-attacks. If your auto-completion feature is enabled, disable it and delete your passwords. If you want to protect your data use password managers to store your passwords, along with your unique password for each site.
And even though Google has banned the installation of Chrome extensions via third-party sites you can still install Chrome extensions manually. But if you don’t know the source, always install the extension from the official Chrome Web Store.
Using two browsers for different activities is the easiest way to limit access to your data. It’s not going to protect you against every attack, but it’s the start!
And if you want to find out more about the Chrome extensions you are using, you can do it via a new website built by the company Duo Labs, the site is called CRXcavator.
Researchers of that company scanned the entirety of the Chrome Web Store and analyzed the source code and Web Store listings of 120,463 Chrome extensions and applications. They checked what permissions those Chrome extensions requested from users and also they analyzed what external domains the extensions used to communicate, and they checked more information besides. The results of this research are available on the CRXcavator web portal.
And if you are using Chrome extensions for LinkedIn, you should know that this could put your LinkedIn account in jail because LinkedIn doesn’t permit the use of any third-party software, including “crawlers”, bots, browser plug-ins, or browser extensions (also called “add-ons”). These plug-ins are those that LinkedIn is tracking so when you are going to heavily use LinkedIn this could limit your account.
Keep in mind that the problem with extensions is not only connected with the Chrome browser but also with other browsers like Firefox.
Stay safe online!