If a Chrome Extension is installed but turned off, can it still spy on me?

50

5

Say a Chrome extension is turned off and has the permissions: "Read and change all your data on the websites you visit" and "Read your browsing history", or other similar tracking permissions.

Can these Chrome extensions still access these permissions or spy on you in other ways even if they are turned off?

Let's say that you were to keep these extensions turned off, but then turned them on for 5 seconds or for up to 10 minutes. Is it possible that they could upload your entire browsing history to the developers in that short timespan if they can "Read your browsing history"?

This question goes for browsers like Firefox as well.

Michael d

Posted 2018-05-14T10:04:40.040

Reputation: 519

4Question is, could an extension modify a browser in such a way that, it could either make the turn-off button do basically nothing (only 'appear off'), or turn itself back on at a later stage? If the answer to either yes, then the answer to the above is also yes. (I'll leave whether it's possible to those more knowledgeable than me). – SSight3 – 2018-05-14T12:31:30.457

6@SSight3 Extensions are not allowed to run on the chrome://extensions page as far as I know, so it's not possible for an extension to fake the state of the enabled/disabled toggle. – Ash – 2018-05-14T12:34:39.373

2Everyday use of Google — Facebook, Twitter, whatever — has plenty more opportunities for information collection than some upstart Chrome Extension. Not that the author behind that extension couldn't have grandiose ambitions, but … – can-ned_food – 2018-05-15T00:35:58.637

4Please don't mark a question as answered and a day later as unanswered and edit it to ask a new question. If you change your mind about the question, you really should ask a new separate question, once you have accepted an answer. – LPChip – 2018-05-15T14:29:11.337

2@can-ned_food Worth noting if the fear is datamining, MITM can be deployed from anywhere (HTTP sniffer, dodgy CA, bad DNS, malicious Wifi hotspot, backdoored router, so on, so forth) and if a person's concern on a browser made by a company infamous for datamining, is 'are my extensions leaking?' I strongly suspect they might be overlooking much bigger issues. – SSight3 – 2018-05-15T19:24:16.860

@Michael d, please reaccept my answer. – LPChip – 2018-05-18T09:09:05.543

Answers

58

When an extension is turned off, it is not loaded into memory, and as such can't do anything.

When you turn an extension on, it has access to your entire browser history, and if an extension wants, it can submit your entire history to the server.

It depends on the extension if it really will do this. Spyware type extensions will, extensions that are meant to help you will usually only submit a website you are currently browsing, but whether or not an extension will do or not is purely speculation.

If you want to be safe and not want to allow an extension to transmit your data to their server, don't turn it on, ever.

LPChip

Posted 2018-05-14T10:04:40.040

Reputation: 42 190

1Also maybe scroll through the programming and Ctrl-F in it, maybe. They are getting pretty readable now – Varad Mahashabde – 2018-05-14T16:50:07.330

@Varad You mean read the source code? – wjandrea – 2018-05-14T18:03:29.930

2@wjandrea It is possible to read the source code of chrome extensions (.crx packages). – rahuldottech – 2018-05-14T18:31:31.047

@rahul How would you do that? And what would you look for? – wjandrea – 2018-05-14T18:36:38.330

@wjandrea See how. If you suspect that an extension is executing malicious code, you can inspect the source code to confirm your suspicions.

– rahuldottech – 2018-05-14T18:41:29.447

1@wjandrea What Chrome does is download little tar-ball like packages which are then unzipped and then either built and loaded with the browser or kept in the install directory like CMD scripts (not sure which). Anyways, the source is downloaded, which could be searched for in %localappdata% or /var, or downloaded again. – Varad Mahashabde – 2018-05-14T18:45:00.807

1As for what to look for, you could open all the files at once in an editor, and then search for the command which calls the function to use the permission concerned. Also, people like to name things properly and leave comments to make things easier to maintain, so that's half your documentation – Varad Mahashabde – 2018-05-14T18:47:05.553

@EricDuminil Yeah, because 1) Google has no financial motivation to keep your data safe and 2) Firefox totally did not copy the Chrome extension system because it was safer... – David Mulder – 2018-05-15T11:51:00.313

7@DavidMulder To be pedantic, Firefox mostly copied the Chrome extension system because it was simpler - they were rewriting a large part of their code base, and the existing extension APIs were closely bound with the internals so hard to keep working. Forcing every extension to be rewritten made their lives easier, and the hope is that they won't need to again as the new API is more restrictive, and more separated from the internal implementation. The permission model is a nice bonus, but given that most extensions need access to the DOM of every page you view, it doesn't prevent much. – IMSoP – 2018-05-15T12:05:12.007

2@DavidMulder: You're assuming it's fine that Google has all your data in the first place. – Eric Duminil – 2018-05-15T12:08:52.377

@IMSoP The chrome extension API allowed far more granular permission control, that was a safety concern which was much appreciated. Additionally it naturally sandboxed extensions which was another safety advantage. All round the extension API was designed in a far more safe and modern way which was desirable. – David Mulder – 2018-05-15T12:23:56.200

@EricDuminil Except using Chrome in no way gives your data to Google. Logging in with a Google account and/or using Google DNS will at least pass some of your data to Google, but those are completely separate concerns from using Chrome. – David Mulder – 2018-05-15T12:24:41.423

4@DavidMulder We don't know what Chrome is doing because we can't see the code. Saying that Chrome "in no way gives your data to Google" is patently false; when typing a URL into the address bar I measured traffic to and from Google servers before I even pressed Enter! – wizzwizz4 – 2018-05-15T15:42:47.887

2

@wizzwizz4 It might be worth noting SRWare Iron (a privacy focused version of Chrome) details some... troubling features of Chrome.

– SSight3 – 2018-05-15T19:14:30.763

@SSight3 Chrome has settings that you can turn on and off. SRWare Iron does not have some of those settings, so you are stuck with its defaults. And it is lagging behind with security updates; see also Why You Shouldn’t Use (Most) Alternative Browsers Based on Google Chrome.

– Mr Lister – 2018-05-16T07:13:08.633

@wizzwizz4 Only if you have a prediction service set up and that's a single toggle in the settings. Here is more information for example: https://lifehacker.com/5763452/what-data-does-chrome-send-to-google-about-me

– David Mulder – 2018-05-16T13:03:24.720

@DavidMulder That's one setting. How does, say, the OK Google system work? What does it do? – wizzwizz4 – 2018-05-16T16:06:12.443

Asked: 2018-05-14T10:04:40.040

Viewed: 8 990 times

Active: 2018-05-15T17:37:03.060