10

I've been reading more and more about just how much access browser extensions can have to your data. This is a little unsettling, so I'm curious if there is a way to vet these extensions and make sure they're not sending any personal info back to their servers.

Is there a way to check this?

I know there is a Chrome Extension called: Extension Gallery and Web Store Inspector, and it seems that it would give me some good info, but I'm not a code guy so honestly I'm not sure what I'm looking for with this info. Thoughts?

Rob W
v15
  • 1
    Fiddler can show you any HTTP requests. Wireshark is more advanced. It will take time though –  Jan 23 '12 at 22:02

1 Answer

5

First of all I would pay attention to Permission Warnings.

Performing an analysis of an extension is a game of cat and mouse. You can sniff the network traffic and the attacker can use steganography. You could unpack the extension and look at the JavaScript code, but the malicious code could be obfuscated or underhanded.

That being said, Chrome runs extensions in a sandbox. These extensions run JavaScript very similarly to JavaScript that runs in the context of a website, with only a few added permissions. These extensions don't have access to the shell or the file system or even to another extension's data store. They are limited in the number of HTTP requests that they can make to prevent DDoS. It's not a very ripe target.

rook
  • 1
    How to [access the filesystem](https://developer.chrome.com/apps/fileSystem) and [talk to an external executable](https://developer.chrome.com/extensions/nativeMessaging) from an extension. – gman Nov 18 '17 at 11:56
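
An added example (not part of the original answer or comments): one way to make the answer's permission check concrete is to read the unpacked extension's `manifest.json` and flag entries with broad reach, including the `nativeMessaging` permission the last comment points to. The function name `auditManifest`, the risk notes and the sample manifest are constructed for illustration.

```javascript
// Added example. Risk notes are this example's own summaries,
// not the wording of Chrome's permission warnings.
const RISKY_API = new Map([
  ["tabs", "can read the URL and title of every open tab"],
  ["cookies", "can read cookies for hosts it has access to"],
  ["webRequest", "can observe network requests for hosts it has access to"],
  ["history", "can read browsing history"],
  ["clipboardRead", "can read the clipboard"],
  ["nativeMessaging", "can exchange messages with a program outside the browser"],
  ["debugger", "can attach the debugger protocol to tabs"],
  ["management", "can manage other installed extensions"],
]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");
// Broad = every host, e.g. "<all_urls>", "*://*/*", "https://*/*".
const isBroadHost = (p) =>
  p === "<all_urls>" || /^(\*|https?):\/\/\*\/.*$/.test(p);

function auditManifest(manifest) {
  const findings = [];
  const add = (severity, source, item, note) =>
    findings.push({ severity, source, item, note });
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const keys = ["permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"];
  for (const source of keys) {
    for (const entry of manifest[source] || []) {
      if (typeof entry !== "string") continue;
      if (isHostPattern(entry)) {
        if (isBroadHost(entry)) add("high", source, entry, "access to every site");
        else add("info", source, entry, "access limited to this pattern");
      } else if (RISKY_API.has(entry)) {
        add("medium", source, entry, RISKY_API.get(entry));
      }
    }
  }
  // Content scripts get page access through "matches", separate from permissions.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) add("high", "content_scripts", m, "script runs on every page");
    }
  }
  return findings;
}

// Constructed sample manifest (not taken from any real extension).
const SAMPLE_MANIFEST = {
  name: "Sample", version: "1.0", manifest_version: 2,
  permissions: ["tabs", "storage", "nativeMessaging",
                "https://*.example.com/*", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
```

To audit a real extension, pass `auditManifest` the parsed contents of the `manifest.json` found in its unpacked directory. A clean result only describes what the extension is allowed to do, not what its code actually does.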