32

Almost any browser addon/extension that I install on my Chrome or Firefox (be it Firebug, RESTClient, ...) warns me, saying:

It [the add-on] can:

  • Access your data on all websites
  • Access your tabs and browsing activity

Now, practically speaking, I have no time (or the skill) to read through their source-code and verify absence of malware (such as one placed in by its original author).

Given this, can I safely assume these add-ons won't violate my privacy because they are coming from standard/well-known and thus implicitly trusted places, such as the Chrome Web Store, the Firefox add-on site, Opera's add-on site, Safari's extension gallery, or the EFF site?

Even an add-on like HTTPS Everywhere, which you install to maintain privacy and prevent MiTM attacks, warns similarly.

Is there any way to quickly tell what add-on to install and what not to, without having to read their source code?

Rob W
  • 2,113
  • 18
  • 20
Harry
  • 861
  • 8
  • 12
  • 2
    Your question in the title is very different from your question in the body. `Are official browser addons really safe?` -- No, you can't really tell since the main source *could* be hacked by some 1377 hackers, thus giving you an infected addon. `Is there any way to quickly tell what addon to install and what not to, without having to read their source code?` -- IMO there isn't. But let's stay realistic, what are the chances that a big site like the Chrome webstore could be hacked? Very small. Could we say for sure that you could download an infected plugin? No. – HamZa Jun 26 '13 at 07:50
  • If the Chrome webstore itself gets hacked, realistically speaking, many would come to know about it sooner than later. But if one or two addons on the webstore (that unlucky me happened to use) contained malware, then it may relatively take a longer time for the community as a whole to learn about it. Appreciate your comment. (Why is my title 'very different' from the body, btw?) – Harry Jun 26 '13 at 08:51
  • Hmmm well I think I used the wrong words, I should have said `there are two issues` – HamZa Jun 26 '13 at 10:20

3 Answers

35

You cannot assume that an add-on is safe "because it's hosted in one of the official extension galleries".

In this answer, I start with the explanation of how extensions end up in the extension galleries for the popular browsers. At the end, I dedicate an extra section to Chrome.

How does an item get listed in the official stores?

  • Anyone with Google Wallet can pay 5$ to upload up to 20 extensions/apps to the Chrome Web Store. Extensions with binary components (NPAPI) are always reviewed manually. Other extensions are only checked by Google's secret scanner, which may put an extension on hold ("Pending review") if needed. This scanner is not perfect: Two months ago, I found many malicious extensions that violate the Developer Program policies. (I've filed some Report abuse forms; some apps were taken down, others weren't even though they contained the same kind of adware).
  • All Firefox add-ons on AMO are put in a review queue upon submission. All editors who review add-ons have to follow the guidelines as stated in Performing a review. Extension developers are supposed to follow these instructions.
  • Safari extensions can be submitted to the Apple Extension gallery. Developers have to adhere to the requirements of this document pdf. After passing the review, the extension will be listed in the gallery. Apple does not host the extension files themselves. After passing review, the extension will receive a prominent location in the relatively quiet extension gallery. Upon click, the extension from an external location is immediately installed without confirmation. As of Safari 9, extensions can choose to host the extension data in the extension gallery if they wish.
  • All extensions in Opera's extension gallery are manually reviewed. Extensions will only be listed if they pass review (acceptance criteria).
  • Extensions and add-ons on IEGallery.com are manually reviewed. The review criteria are very vague though. Further, IE extensions are compiled code, so the reviewers can't even know for sure that the add-on is safe.

Auto-updating

All of these four galleries support automatic updates of extensions. Unless stated otherwise, the updates will automatically be installed (unless turned off by the user).

  • Updates to Chrome extensions are automatically checked, sometimes followed by a manual review. When an extension requests more permissions, it is automatically disabled until a user confirms the new requirements. The developer documentation provides a list of permission warnings and their meanings. Google has also created a page (with fewer details) to explain the warnings to users - see Permissions requested by apps and extensions.

  • Updates to Firefox add-ons are manually reviewed.

  • Updates to Opera extensions are manually reviewed. Opera abandoned their old extension ecosystem and switched to a Chromium-like extension API in Opera 15. Before Opera 15 (Opera 12.xx and earlier), updates were automatically installed. Starting from Opera 15, extensions are disabled when a new permission is added, just like Chromium (see this comment on Github).

  • Safari extensions hosted in the extension gallery itself are probably checked by Apple [1]; (updates to) Safari extensions hosted elsewhere are not. As of Safari 9, extensions can only be auto-updated if they are hosted in Apple's extension gallery.

  • Internet Explorer extensions are not automatically updated, unless the developer has built this feature.

External code

Reviews are useless if vendors allow the use of external JavaScript code. So, which galleries allow the use of external code?

  • Chrome extensions may contain external code.
  • Firefox and Opera forbid the use of external JavaScript code in add-ons.
  • Safari extensions are hosted on servers not controlled by Apple, so the developer is free to include whatever they want.
  • Internet Explorer extensions are generally closed-source compiled binaries, so developers can run whatever code they want.

Privacy

Many extensions collect usage statistics without the user's consent. Chrome even offers a tutorial on setting up tracking in extensions...

Chrome

Firefox and Opera are doing quite well with the security of their extension platform. I don't put as much trust in the Chrome web store, because it does not manually review all extensions.

The only way to be sure that an extension is safe is to review it yourself. For this purpose, I've created the "Chrome extension source viewer" Chrome extension. This extension allows one to view the source code of an extension in the Chrome Web Store. It ships with a code beautifier to make it more readable.

The first place to look at is a file called manifest.json, because it defines the capabilities of an extension. Do you see anything suspicious? For instance, does an extension which promises to add smileys to Facebook define a content script for *://*/* (=match pattern for every page)? Don't install the extension.

Look at the list of files. Do you see a file called analytics.js? Know that you're going to be tracked. This is not necessarily wrong, but it's good to know. Look in the files for _gaq.push, which is the standard way to use Google Analytics.

Final note: Do not blindly trust an extension because it has a high number of users. Look through recent reviews and look for any red flags. Ignore the usual trolling comments and "1 star - does not work!" (unless there are heaps of them), and focus on comments that raise concerns about privacy or security.


1. Apple likely performs these checks, but it is unconfirmed.

Rob W
  • 2,113
  • 18
  • 20
  • Rob, thanks for such a detailed and wonderful response. But this is very discouraging somehow as I'm not sure if for every addon I install I will have the time/skill to not read but **analyze** the code. **What are you doing, btw?** Though the question I asked is about browser addons, I have similar concerns re: Android apps that show scary warnings at installation time. If I have to start verifying the code running on my (consumer) devices, then I as a consumer am done for: When would I get to do my other work that helps me pay my bills and buy these consumer devices in the first place?! – Harry Jun 26 '13 at 15:38
  • @Harry You just have to trust the developer, the reviews and ratings. Most developers aren't evil ;) If an application is really evil, a quick Google search would reveal it. Note that my specific example is not an extraordinary case (although a non-deceptive privacy statement would be nice). If you browse the internet, you're being tracked (Google Analytics, server logs, Facebook buttons). Why do you think that the use of Facebook doesn't cost money? – Rob W Jun 26 '13 at 15:50
  • 1
    @Harry If you're really concerned about a specific Chrome extension, feel free to mail me (contact details are at my profile). – Rob W Jun 26 '13 at 15:51
  • Someone has said, "Trust, but verify." Unfortunately, I not only don't have time/skill to verify, it won't be practical either to contact you every time I install an addon or an Android app. But I still do very much appreciate your offer and willingness to help. Thanks. – Harry Jun 26 '13 at 16:13
  • 1
    @Harry Google has recently introduced a new feature to the Chrome Web Store, which is [said](https://plus.google.com/+GoogleChromeDevelopers/posts/3kpAu4VcP5E) to improve the security of its users. There's little to no concrete details though. – Rob W Jun 30 '13 at 23:28
  • I tried unsuccessfully to find a bugzilla issue requesting permission control for Firefox. Does anyone know if such a bugzilla is already logged? – HRJ Nov 02 '13 at 12:44
  • @HRJ Firefox add-ons are trusted at the same "permission level" as the browser itself, *by design*. I don't know of a ticket/feature request that attempts to change this design. – Rob W Nov 02 '13 at 12:52
  • @Harry keep in mind that you are most likely fully trusting every single program you install in your computer, if you have one. – o0'. Aug 16 '14 at 07:35
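The manifest.json and file checks described in Rob W's answer above, written out as an added example (not part of the original answer and not code from his extension). It goes slightly beyond the answer by also flagging the other all-site match patterns (`<all_urls>`, `http://*/*`, `https://*/*`); `audit_extension`, `build_sample` and the sample extension are constructed for illustration, and the manifest is assumed to be plain JSON without comments.

```python
import json
import tempfile
from pathlib import Path

# Match patterns covering every site; "*://*/*" is the one named in the answer.
BROAD_PATTERNS = {"*://*/*", "<all_urls>", "http://*/*", "https://*/*"}


def audit_extension(ext_dir):
    """Return (check, detail) findings for an unpacked extension directory."""
    root = Path(ext_dir)
    # Assumption: manifest.json is plain JSON (no // comments).
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = []
    # 1. Content scripts injected into every page.
    for script in manifest.get("content_scripts", []):
        for pattern in sorted(BROAD_PATTERNS.intersection(script.get("matches", []))):
            findings.append(("broad-content-script", pattern))
    # 2. Host permissions granting access to data on all websites.
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for pattern in sorted(BROAD_PATTERNS & perms):
        findings.append(("broad-host-permission", pattern))
    # 3. Tracking code in the packaged scripts.
    for path in sorted(p for p in root.rglob("*.js") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "analytics.js":
            findings.append(("analytics-file", rel))
        if "_gaq.push" in path.read_text(encoding="utf-8", errors="replace"):
            findings.append(("google-analytics-call", rel))
    return findings


def build_sample(root):
    """Write a constructed 'Facebook smileys' extension used only for the demo."""
    root = Path(root)
    manifest = {
        "name": "Smileys (constructed sample)", "version": "1.0", "manifest_version": 2,
        "permissions": ["tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["smiley.js"]}],
    }
    (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "smiley.js").write_text("// swaps :) for an image\n", encoding="utf-8")
    (root / "analytics.js").write_text("_gaq.push(['_trackPageview']);\n", encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for check, detail in audit_extension(tmp):
            print(f"{check:24} {detail}")
```

An empty result only means none of these specific red flags were present; it says nothing about what the rest of the code does.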
7

There are two issues here which make me say no you can't trust them 100%. Now the reason being is that you haven't reviewed the code on one side. It might contain some malicious code which was slipped in by a rogue developer or intentionally by the organization. For standard organisations this is normally very uncommon, but there have been cases such as Apple sending tracking data to their servers.

Now rogue stuff normally (hopefully) will get found during the Quality Assurance (QA) process (I can't imagine Google and Mozilla not having a rigorous QA process). But nothing is 100% water tight.

Even when you have the source code, are you up for the job to scrutinise every single line of code? No, you probably can't, since you have neither the time nor the skill.

And then there is another issue... vulnerabilities. Regardless of whether the project is closed or open source, vulnerabilities which could allow attackers to gain access to your data exist, either in the plugin itself, the engine to run the plugin, the browser or, if we pull this even wider, the operating system.

Security has always been a trade off with usability. Someone told me once that the most secure server is one in a locked bomb shelter surrounded by mines which is switched off. Meaning that while it's secure it's not usable. This is something you need to keep in mind. There might be a risk to your privacy, but does that risk weigh up versus being able to normally use programs? Not really.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
4

No, they are not. But if they are open-source (some of them are) you can ask the developer to give you the code (if it's not already published on his website or some repository and you can compile it by yourself; or just use if it's something for the web etc.) and you or somebody else can help you analyse the code and what it does. There is no other way to be 100% sure unless you use open source or in the ideal case free software, where you can see the code. Never trust 100% to the proprietary software, because nobody except the authors has reviewed the code (except maybe some reverse engineers ;). There were occurrences of "bad" browser addons e.g.

http://www.pcadvisor.co.uk/news/internet/3212049/firefox-browser-add-ons-contained-malware/

or more recently

http://thenextweb.com/facebook/2013/05/13/microsoft-warns-users-of-new-malicious-chrome-extension-and-firefox-add-on-that-hijack-facebook-accounts/

But realistically speaking, we are all forced to use these addons if we want to keep the speed/efficiency with others. So in the end, you need to take some risk and install them, unfortunately.

  • 3
    All Chrome extensions are open source; you have unpacked source code on your computer when you install them. – Manishearth Jun 26 '13 at 08:13
  • 1
    Yes, but sometimes they could use external sources. But, as you said if you have time and ability to review the code, it's the best thing to do. –  Jun 26 '13 at 08:15
  • 1
    @Manishearth: Extensions that use Native Client, or are developed in a language that compiles to Javascript (Emscripten, asm.js, Coffeescript, TypeScript), do not automatically provide their source code. Sure, in the second case, you can look at the javascript generated code, but it is not always readable or useful. – Jean Hominal Jun 26 '13 at 11:25
  • @JeanHominal ah, right. – Manishearth Jun 26 '13 at 11:27