
I really like the Chrome extension Vimium. It significantly speeds up surfing for power users. However, when you install it, Chrome warns you because this extension injects JS code on every page you visit (which is potentially unsafe).

The author responds to this with "Don't be alarmed. Vimium never talks to any servers and does absolutely nothing with your data. Read the open source code if you're paranoid."

I have no reason to be suspicious except the fact that if there is malicious JS code in this extension, it could really do a lot of damage (steal passwords, etc.).

One way of verifying that this extension is indeed safe is by monitoring Chrome network communication.

Another would be (as the author suggested) to inspect the code. Has anybody already done this, and if yes, what are the findings (preferably published on the web)?

asked by celicni (edited by Joel L)
  • You can use [Rob W's Chrome extension source viewer](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin) to check the code before installing. It is possible that the source code of an extension does not match the published source repository ([example described by Rob](http://security.stackexchange.com/a/38057/2630)). – Lekensteyn Nov 01 '13 at 14:58
  • This is a very old question, but nevertheless... I'm a Vimium contributor. It does nothing malicious. You can check the source code here: https://github.com/philc/vimium. – user260532 May 20 '15 at 05:48
  • Thank you for your comment. As I said, I don't have any reason to not trust this extension. I am aware that the code is open source and thus can be examined (and in the original question I said so). However, as a contributor, could you comment on the issue of auto-update? I mentioned it in my comment to the accepted answer: "It seems that you can't disable auto-update for this add-on, so even a complete code survey for one version does not mean much... you'd have to read the diffs after each update." – celicni May 20 '15 at 23:12
  • @Lekensteyn A Chrome extension can dynamically load any JS. – Helin Wang Feb 09 '19 at 17:28
  • @celicni I guess we can check out the code and build our own extension. It prevents Chrome extension auto-updates, and will be fine as long as there is no auto-update baked inside the JS code itself. – Helin Wang Feb 09 '19 at 17:30

1 Answer

It's not malicious. That doesn't mean that it's 100% safe (almost no piece of software is), but if there are any security holes, then they will be bugs, and not something the author has intended to do. It has 67 contributors on GitHub and I'm sure a lot more people have went through the code without making any contributions (especially knowing the fact that it's mostly used by programmers who are used to the VIM editor).

There are some 130+ reviews in the Chrome Web Store too.

answered by valentinas
  • I don't disagree that positive reviews are a good thing, but as long as it does what it's supposed to, people will be happy. It's a question of what else it might be doing that's the worry. – Matt Nov 01 '13 at 16:51
  • To revisit this question. I agree that a larger number of contributors to a project is some kind of assurance that there is nothing "hidden" inside the code. Of course it is unlikely that they analyzed the entire code, but each of them did analyze a portion of the code. On another note though, it seems that you can't disable auto-update for this add-on, so even a complete code survey for one version does not mean much... you'd have to read the diffs after each update. – celicni Mar 13 '14 at 16:02
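Two concerns raised in this thread (the shipped extension may not match the published repository, and an auto-update can silently replace code you already reviewed) reduce to the same check: compare the unpacked extension directory Chrome actually has against a reference tree (a build from the repository, or the previously reviewed version) and look only at what changed. The script below is an added example, not code from the question, the answer or the Vimium project; the directory paths are placeholders and the self-test builds constructed sample files in a temporary directory.

```python
"""Compare two unpacked Chrome extension directories file by file.

Reference = tree you reviewed (or built from the repository);
installed = tree Chrome currently has. Only added or modified scripts
need a fresh read, and a shipped script that contains a URL or eval()
deserves a manual look when the author says it never talks to a server.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic hints that a script fetches or evaluates code at run time.
REMOTE_CODE_HINTS = re.compile(rb"https?://|\beval\s*\(|new\s+Function\s*\(")


def sha256_tree(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(reference: Path, installed: Path) -> dict[str, list[str]]:
    """Report files added, removed or modified in installed vs. reference,
    plus the added/modified .js files that match REMOTE_CODE_HINTS."""
    ref, inst = sha256_tree(reference), sha256_tree(installed)
    report = {
        "added": sorted(set(inst) - set(ref)),
        "removed": sorted(set(ref) - set(inst)),
        "modified": sorted(f for f in ref.keys() & inst.keys() if ref[f] != inst[f]),
        "needs_review": [],
    }
    for rel in report["added"] + report["modified"]:
        path = installed / rel
        if path.suffix == ".js" and REMOTE_CODE_HINTS.search(path.read_bytes()):
            report["needs_review"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Self-test on two constructed sample trees (not real extension files)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for d in (ref, inst):
            d.mkdir()
            (d / "manifest.json").write_text('{"name": "example"}\n')
            (d / "content_scripts.js").write_text("document.title;\n")
        # Simulate an update that changed one script and added another.
        (inst / "content_scripts.js").write_text("fetch('https://example.invalid/');\n")
        (inst / "extra.js").write_text("eval(code);\n")
        return compare_trees(ref, inst)


if __name__ == "__main__":
    print(demo())
```

For a real check, point `compare_trees` at the extension's directory under Chrome's profile and at a clean checkout built the way the project documents; the hint regex is a triage aid, not proof of anything either way.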