How do I know if a Google Chrome extension is leaking data?

Question

Many Google Chrome extensions require permissions to read the contents of webpages the user visits. How can the user verify whether and to what extent a certain Chrome extension leaks data?

When you say "the user", do you mean a technically apt user, or the Average Joe? — , Apr 02 '20 at 14:33
@MechMK1 I meant a technically apt user who is too lazy to look through the source code of every extension that he's using. So essentially the Average Joe, I guess? — gen, Apr 02 '20 at 14:50
Aside from my answer, you basically treat a Chrome Extension like any other binary. Ask yourself who made it, how trustworthy they are, and if the risk outweighs the benefits. — , Apr 02 '20 at 14:52
@MechMK1 I see, this is fair enough, and thanks for your answer! I guess I was hoping that Chrome implements some kind of extension containerization that requires an explicit permission for extensions that want to talk to the outside world... — gen, Apr 02 '20 at 14:57
You may find this an interesting read: **In terms of protecting your privacy, Google Chrome is somewhere between horrible and dreadful.** https://www.quora.com/How-safe-is-Google-chrome-in-terms-of-privacy?share=1 — user10216038, Apr 02 '20 at 17:03
@user10216038 All of this sounds really nice, but it's not really feasible to do - especially the "don't use Android" part. — , Apr 03 '20 at 06:21
The answer on Quora quotes: "And finally, don't use any flavor of Android device (I know, not so easy, but there you have it)." - This is the same level of advice as "To avoid skiing accidents, don't ski. It's the only way to be sure", which is technically correct, but not useful at all. — , Apr 03 '20 at 07:54
@MechMK1 When speaking about browsers, there are much better alternatives like Mozilla Firefox (which I'm using for years). Firefox collects much less data and doesn't have an conflict of interests like Google because Google is earning a lot of money by leaking as much data as possible to them. You also fight against Googles monopoly position. This is bad independent of Google. Microsofts IE was "the" browser for years and it was horrible. — Lion, Apr 15 '20 at 14:15
@Lion This gets dangerously close to "rant" territory. Also, feel free to use any browser you want. — , Apr 15 '20 at 14:35
@MechMK1 That were just facts. Of course everyone can use any browser - but with the corresponding consequences. It's well known that Googles main money source are ads, which leads in a massive collection of personal data for precise personalization. Caring about extensions collecting data where the browser itself collects much more information, doesn't seem to make much sense. When I care about privacy, then I just don't use a browser from a company, which main business model is to sell my privacy by collecting data. — Lion, Apr 15 '20 at 15:11
While I agree that don't using a browser to stay private is not practical (which would be equal to the Android answer), my recommendation of using free alternatives _is_ practical: They're there with manageable differences. And this seems to be the point in the current discussion. — Lion, Apr 15 '20 at 15:20

score 26 · Accepted Answer · answered Apr 02 '20 at 14:45

According to developer.chrome.com:

[Chrome Extensions] are built on web technologies such as HTML, JavaScript, and CSS.

This means, anything that could affect the behavior of an extension will exist in a plain-text format (as opposed to a binary). Chrome allows you to debug extensions, giving you a comparatively easy way to see what an extension is doing, and whether or not some behavior of an extension is potentially malicious.

This requires the user to be somewhat fluent in the above-mentioned technologies. There are certain attacks, purely using CSS, which can be used to exfiltrate data. Without knowledge of CSS or understanding of these attacks, it would be hard to identify them among megabytes of auto-generated CSS code.

A non-technical user will likely not be able to carry out such an analysis. In this case, it helps to follow typical security advice:

Only install extensions from credible sources (i.e. the Chrome Web Store)
Popular extensions are more likely to get audited than unknown extension
Only install extensions where the benefit greatly outweighs the risk
Pay attention to the permissions required by the extensions and if it makes sense that those permissions are requested

I think Web Extensions can now load WebAssembly, which is a binary. — Benoit Esnard, Apr 15 '20 at 15:31
> Only install extensions from credible sources (i.e. the Chrome Web Store) - but you cannot install extensions from non-store websites. — Vitaly Zdanevich, Apr 16 '20 at 16:44
@VitalyZdanevich You can install extensions in developer mode as package. — , Apr 16 '20 at 16:47

felickz · Answer 2 · 2020-04-15T16:41:51.493

12

Tracing your browser traffic using a free proxy like fiddler can show some eye opening things. I could see an outbound request to an unfamiliar domain after every page I visited. Looking at the headers of the unfamiliar requests in Fiddler, i could see the URL of the page i visited! I disabled my chrome extensions one by one until I found the culprit. Turns out developer was monetizing - see git issue report. ... Further, he was injecting the code into the store manifest so it wasn't visible in git repo. This is a rather large "supply-chain" style attack vector where a 3rd party maintainer gives up rights to code or even gets breached and malicious code is introduced to existing packages/extensions.

edited Apr 15 '20 at 16:41

answered Apr 10 '20 at 06:59

felickz

220
1
6

1

At least, if I read the GitHub issue correctly, it was now removed? – Apr 10 '20 at 07:36
The developer mentioned starting his own ad network... I can only imagine. – felickz Apr 11 '20 at 04:42
1

Or you could try [Zap](https://www.zaproxy.org/), a more opened alternative. – Déjà vu Apr 16 '20 at 04:36

score 3 · Answer 3 · answered Apr 10 '20 at 19:29

3

I was developing extension for Chrome working with network of browser (not only current window). And I was surpriset how many data are transfered even when I don't do any actions.

There was communication of:

inactive tabs
closed tabs (through service worker)
extensions

but it's hard to determine what is leaking of data and what is communication necessary for extension working. Because there's so much traffic.

answered Apr 10 '20 at 19:29

iiic

141
1
3

2

For this reason I'd recommend a browser that cares more about privacy, like Firefox. – Lion Apr 15 '20 at 14:17

score 1 · Answer 4 · answered Apr 17 '20 at 04:10

The team at Duo Security has a project out called https://crxcavator.io/. They are scanning everything in the Chrome Web Store on a regular basis and giving a "risk score" to all extensions based on both code analysis and things like having a privacy policy link in the store listing.

Can go a long way towards picking trusted extensions without having a know how to evaluate them yourself.

score -2 · Answer 5 · answered Apr 16 '20 at 16:49

-2

In Firefox store they have Recommended badge - it increases safety (and quality).

Also Editors Picks in Chrome Web Store:

answered Apr 16 '20 at 16:49

Vitaly Zdanevich

117
7

2

This does not answer the question at all. – Apr 17 '20 at 14:27
@MechMK1 I think he tries to say, that more stars in the Chrome Web Store decreases the probability of data leak. Thus, there is the attempt to reply the question -> it should survive the VLQ review. – peterh Apr 17 '20 at 20:34
@peterh-ReinstateMonica The question is "How do I know if an extension is leaking data?". "Stores have extensions that they recommend" does not answer this question is the slightest. Using only "reputable" extensions is something that other answers address as well. – Apr 20 '20 at 10:33
1

@MechMK1 Right, agreed. – peterh Apr 20 '20 at 10:35

How do I know if a Google Chrome extension is leaking data?

5 Answers5