Why you need to check permissions before installing extensions in Chrome
Whenever you install an extension in the Chrome browser, you see a prompt that you have to confirm before the extension gets installed. This prompt highlights the rights of the extension and may include the ability to access data on specific websites, access browsing data such as tabs, browsing activity or bookmarks, or other data.
It is likely that many Chrome users who install extensions in the browser do not pay lots of attention, if any, to the prompt. This is the same behavior of many users when they install applications on the operating system. Instead of making sure that the extension does not install toolbars and other third party offers, they simply click next next next to complete the installation as fast as possible.
Research scientists at Barracuda Networks recently discovered malicious extensions in the Chrome web store that fooled more than 90,000 users of the browser. The researchers noticed that three of the six Facebook Timeline Remover extensions requested more rights than they should. Instead of just requesting access to Facebook.com properties, these extensions requested access to all websites. This does not really make sense, as Timeline profiles are only visible on Facebook and not on third party websites. In addition, users were redirected to a web page after installation that displayed a survey to them.
The two dangers here are tracking of the user through use of the extension, and leaking information to the survey company.
The creators of the extension have used Facebook to create hype for their extensions. This was done by automatically posting contents to user profiles after installation of the extension, and events on Facebook.
Check extension permissions
Chrome extension authors can request a variety of permissions for their extensions in the browser:
- Read and modify your bookmarks
- Read and modify your browsing history
- Access your tabs and browsing activity
- Manipulate settings that specify whether websites can use features such as cookies, JavaScript, and plug-ins
- Access your data on all websites
- Access your data on some websites
- Access the content of pages you visit
- Manage your apps, extensions, and themes
- Detect your physical location
- Access data you copy and paste
- Manipulate privacy-related settings
- Access all text spoken using synthesized speech
For end users, it is often not really clear what a permission is needed for. The Facebook Timeline extension shown on the screenshot at the top for instance requires access to bookmarks as well as windows and tabs. There is not really a reason why it should be able to access the bookmarks, but what about the browsing activity and tabs? Is that needed to manipulate the Facebook profile? It seems so, if you look at the Chrome Tabs information over at Chrome Developer. This can for instance be used to detect if a tab has been updated or changed.
You do not have options to block specific permissions in the browser, so that you either accept all if you continue with the installation, or are left with the option to block the installation if permissions are not looking right. You may find a similar extension sometimes in the store that requires less rights and use this one instead.
How are you handling Chrome extension installations?
Oh, and if you have installed one of the Facebook Timeline extensions for Chrome, now would be a good time to uninstall it.
Advertisement
