4

When installing any add on in Chrome, a set of permissions is needed to be granted to the add on. Many addons(including popular ones like Pocket and Adblock) have Read and change all the data on the site.

Doesn't this mean that theoretically the addon can do anything it wants in the browser, including spying and possibly working as a keylogger(in the browser)?

Mayank Singh
  • 613
  • 1
  • 7
  • 11

3 Answers3

5

Not all, but most of the extensions (addons) require a set of permissions they must declare to the manifest file. The user is not notified by a security warning unless the extension is installed from a .crx file extension. In this later or other cases, a plugin that requires the user's permissions to run is a security threat.

Similar extensions requiring user's permissions exist in other browsers and it is really a critical issue. Each browser author deals with this problem differently. For example, Mozilla requires from such extensions to be signed and listed in the Addons Mozilla where the addons are regularly scanned for the presence of malware. That helps to prevent but does not protect totally the users.

Think of what a malicious JavaScript running with your user's permissions on the browser? May be the best scenario and example I can provide you is the notorious ZombieBrowserPack which is an opensource project (addon) developed first as a POC by Zoltan Balazs, and targets some of the most used browsers (Chrome, Firefox and IE). This plugin can be manipulated remotely to steal authentication credentials, and even bypass two-factor authentication mechanisms such as the ones implemented by Yahoo and Google. It can also hijack your Facebook account, or get your bank account credentials if you perform an online purchase. You can imagine such a plugin purposed to fulfill this or that feature and doing something nefarious behind in the background.

  • Why can't the extension inject a key logger? – Neil Smithline Sep 01 '15 at 12:24
  • @NeilSmithline Actually there are extensions that act as keylogger ([This](http://sourceforge.net/projects/extensionkeylog/) is for Chrome, [that](https://addons.mozilla.org/fi/firefox/addon/keylogger-220858/) one for Firefox) –  Sep 01 '15 at 12:30
2

As you correctly assumed, installing add-ons does not come without risk. Even though Google reviews the source code of any extensions before they host it in the Chrome Web Store, malicious code still slips through (http://www.infoworld.com/article/2608717/web-browsers/many-chrome-browser-extensions-do-sneaky-things.html).

If the extension is provided by an individual or small company you know nothing about you are probably wise to at least inquire of them why they need certain levels of access. If the extension is open source and you're an experienced programmer, you might want to perform an extra review of the code before installing it.

The "Read and change all the data on the site" permissions indeed allows to inject JavaScript that forwards every keystroke to some remote server. On the other hand, extensions like Adblock need these permissions to properly function.

The question is: do you trust Adblock (etc.) with this level of privileges? (Also bare in mind the fact that the extension has the potential to remove malicious adds)

In my opinion, it's basically a matter of trust...

Some excellent related security.se answers to be found here: Is Adblock (Plus) a security risk?

Stef Heylen
  • 1,726
  • 1
  • 14
  • 16
0

As Stef says it's a question of trust and also understanding risk.

If you code - you probably like to try out stuff including Chrome extensions. That is totally legit.

What I would suggest is separating your development environment from your production environment. Two separate browsers - one (say FF) for home banking and fB and #2 (say Chrome) for trying out cool and dangerous stuff.
If you are really careful - then setup a separate VM and do the cool and dangerous stuff there but still separating it out from your FB/home banking environment.

Danny Lieberman
  • 388
  • 2
  • 6