
I want to install a Chrome extension called metamask. I do not trust this kind of software. (Maybe because I am a newbie)

What can a Chrome extension do on my computer? Is it possible, for example, for a Chrome extension to read a local file, sniff my network interface, perform keylogging?

Does a Chrome extension run in a sandbox (like JavaScript in a webpage, for example)?

Bob5421
    Does this answer your question? [Worst case scenario, what can a Chrome extension do with "Your data on all websites" and "Your tabs and browsing activity"?](https://security.stackexchange.com/questions/15259/worst-case-scenario-what-can-a-chrome-extension-do-with-your-data-on-all-websi) – Steffen Ullrich Sep 18 '20 at 10:15
  • Okay, so if I am using Chrome just for MetaMask and Firefox for everything else, is it safe? – Bob5421 Sep 18 '20 at 10:17
  • An extension does not magically get safer if you only use the browser for some sites. This might only reduce the time the extension is active, but not what it can do in this time. – Steffen Ullrich Sep 18 '20 at 10:36
  • I have read your link: it says the extension can see my visits, my forms, etc., but only for Chrome. If I am working with Firefox for everything else, they won't see anything? – Bob5421 Sep 18 '20 at 10:49
  • Correct, it will not see what you are doing with Firefox. It will also not share cookies or cached authentication information with Firefox. – Steffen Ullrich Sep 18 '20 at 11:05
  • Also be advised that with the large quantity of CPU exploits being discovered allowing an extension to execute arbitrary Javascript code can potentially lead to full system compromise (this is in addition to Javascript engine exploits and web browser exploits). – user Sep 18 '20 at 12:55

1 Answer

The extension injects the Ethereum web3 API into every website's JavaScript context, so that dapps can read from the blockchain.

Because it adds functionality to the normal browser context, MetaMask requires the permission to read and write to any webpage.

Like many Chrome extensions, MetaMask works by adding extra JavaScript to every page you visit. The MetaMask script has access to everything that happens to every loaded page. It could record keys and form inputs and transmit that, or read your password or session token and take over your account.

However, it still runs somewhat sandboxed, so it is limited to the browser. It can't sniff your network interface, or read a local file. Keylogging is limited to keys entered within the browser.

Even if the plugin itself is not malicious, it could contain a vulnerability that could then be exploited by any page on the internet you visit.

So browser plugins are fairly powerful. Chrome and Mozilla do some checks before adding extensions to their app repositories, but that does not provide guarantees.

Sjoerd