82

Chrome extensions, just like those of other browsers, often appear to get quite extensive access to your browser data. In fact, most extensions I've installed require access to:

  • Your data on all websites
  • Your tabs and browsing activity

And this got me wondering what that implies, exactly.

Let's say somebody writes an evil extension, calls it "I-KNOW-EVERYTHING-YOU-DO, and an RSS Reader" (he's evil, but also honest). I really like to have an RSS reader, so I install this. I see this big warning about the extension requiring access to all of my data, but then again, so does every other extension, so I gladly grant this access.

Thinking worst-case scenario, what can this extension do? Could it:

  1. Send a list of all the websites I visit to the maker?
  2. Capture data I input into forms? (like my personal data, passwords, etc.)
  3. See how long I have been on a website, and which pages I have visited?
  4. Access cookies?
  5. Access other files on my computer? (I guess not, given the Sandbox environment, but I'm still wondering)
  6. Do anything worse?
Michael
please delete me

2 Answers

52
  1. Send a list of all the websites I visit to the maker?

    Yes

  2. Capture data I input into forms? (like my personal data, passwords, etc.)

    Yes

  3. See how long I have been on a website, and which pages I have visited?

    Yes

  4. Access cookies?

    Updated: see the following comment from Bryan Field for this one.

    Bryan Field: Great answer, except for number 4. Cookies without the httponly flag can be accessed for sure, beyond that I don't know. I would add that it is likely that the extension could manually call, for example your Gmail page and get all your emails, even if you do not have Gmail open during the time the extension is opened. You need only to be logged in and it can call those pages. So even if the httponly cookies can not be directly viewed (number 4), it doesn't really matter, because the cookies can still be indirectly and effectively used

  5. Access other files on my computer? (I guess not, given the Sandbox environment, but I'm still wondering)

    No – like you say the sandbox will prevent that.

  6. Do anything worse?

    Read (and send) data on all the pages you visit.

Some more details on why this is often needed, but not always, are discussed in this question: Why do Chrome extensions need access to 'all my data' and 'browsing activity'?

Martin Prikryl
Jontas
    Great answer, except for number 4. Cookies without the httponly flag can be accessed for sure, beyond that I don't know. I would add that it is likely that the extension could manually call, for example your Gmail page and get all your emails, even if you do not have Gmail open during the time the extension is opened. You need only to be logged in and it can call those pages. So **even if** the httponly cookies can not be directly **viewed** (number 4), it doesn't really matter, because the cookies can still be **indirectly and effectively used.** – 700 Software May 22 '12 at 20:03
  • 1
    @GeorgeBailey - I'm not sure how well they can effectively use an http only cookie with modern content security policy (preventing inline scripting; loading external non-https scripts) / same-origin policy. It's little difference as they can still just capture your actual username / password from whenever you actually log in somewhere. – dr jimbob May 22 '12 at 21:42
  • 3
    Whoa whoa whoa... this is really a bad situation! Incredible that browser extensions are set up this way. We should really be strongly complaining about this, and for now, I will remove all extensions I have. Thanks for the answer! – please delete me May 24 '12 at 12:22
  • You should read the link I gave in order to understand why it is like that! There is often a need for plugins to read the data, but not always - and there is a risk with installing untrusted plugins. – Jontas May 24 '12 at 18:09
  • 1
    Thanks; I did read the link and I understand the _why_. However, I just feel this is something a) people should be more aware of, and b) we should not accept! This is a situation far from ideal and it should change! Well, let me start by trying to convince others that something should be done. For now, I'll remove all plugins... – please delete me May 26 '12 at 00:01
  • 2
    So does this mean an extension with `Your data on all websites` permission can access my banking password I enter on my bank's website? – User Apr 18 '15 at 01:07
  • 2
    @User Yes - treat it more like a program that you install - extensions would not be able to do many useful things if we disabled them the right to do this. The whole point of having permissions is being able to decide how much access is required by the app, so the user is aware of it and can make the decision whether or not to trust the author. – Sebi Sep 09 '16 at 11:10
  • @GeorgeBailey Even httponly cookies can almost certainly be read using the webRequest permission. – Ajedi32 Nov 29 '17 at 17:58
  • @drjimbob An extension with permission to all websites isn't really blocked by the same-origin policy because it can run code on any origin. (And CSP isn't really applicable to extensions by design.) – Macil Nov 29 '17 at 18:51
9

Google briefly explains the security model for extensions in the following blog post:

http://blog.chromium.org/2009/12/security-in-depth-extension-system.html

Only install extensions by trusted sources.

Serdar