How To Verify That A Browser Extension Is Not Phoning Home

Martin Brinkmann
Feb 19, 2012
Updated • Feb 19, 2012

Extensions are little helper programs that make life on the Internet a tad more comfortable for the user. Some change the way we access information on the Internet, others add extra features and functionality to a website, and others help you stay safe and secure online. Most Internet users who use extensions never bother to look at the extension's source code to verify that it is only doing what it is supposed to do, and nothing else.

The official extension repositories verify extensions before they are made available for public download. And while that often works well, we have seen extensions slip through that verification process in the past.

This guide looks at one of the ways that normal Internet users have to verify that their extensions are not phoning home. Phoning home in this context means communicating with sites that they should not communicate with in the first place.

Here is what we need: Fiddler, a web debugger that you need to install on your system. Please note that Fiddler is only available for the Windows operating system, and that it requires the Microsoft .NET Framework.

Once you have installed Fiddler, start it up. You see all HTTP connections that your system makes in the left column. Listed here are the return code, the requested host and URL on the host, and the process responsible for making that connection.

I suggest you close down all applications besides the web browser that you want to check up on. For new extensions that you are not sure about, you may want to consider creating a blank profile containing no user-related data. I also suggest starting with a blank browser, that is, a browser with no open websites. This ensures that you won't get overwhelmed by dozens or even hundreds of initial connections the browser makes on startup.

Wait a few seconds and you should see that the list is being populated by all connections the browser makes shortly after it has been launched. In the example below, you can see that the browser connects to the pinterest.com website, which I could link to one of the installed extensions quite easily.

It can happen that you do not know which extension is trying to connect to the host. If that is the case, disable all browser extensions but one and check if it is responsible for making the connections. Repeat the process until you find the responsible extension.

A few things need to be considered at this point. You first need to find out if the connection that is being made is legitimate or not. Since you see the host name the connection is made to, it is a good start to check up on that host name. A good starting point is the URL verification module of VirusTotal. Just enter the host name in there and see what the connected scan engines return.

You can naturally check other services as well, Web of Trust for instance, or run a search for the host name in your favorite search engine.

The second thing you may want to consider is that some extensions may not make a connection when the browser starts. You may want to browse to a few sites and use the browser for some time to see if any of the installed extensions make connections some time after the browser has been started.

Fiddler can also be helpful for other purposes. The Pinterest extension that made the initial connection to the site during browser start? It has tried to connect to the site every five seconds ever since, which means it was using system resources.

This may look like overkill to users who analyze the source code of extensions instead. And that is true, but it may also be the only way to find out for users who cannot analyze the code directly. It might pay off though to check if your browser is making connections to sites that you did not request.
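The review described above can be partly automated. The following is an added example, not part of the original article: it assumes the captured sessions were exported to an HTTP Archive (HAR) file, and the function names, the thresholds `min_requests` and `max_jitter`, and every sample host other than pinterest.com are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

def requests_by_host(har_text):
    """Map each requested host to the sorted start times of its requests."""
    times = defaultdict(list)
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            # Second resolution, UTC offset ignored: fine within one capture.
            stamp = entry["startedDateTime"][:19]
            times[host.lower()].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"))
    return {host: sorted(stamps) for host, stamps in times.items()}

def find_unrequested(har_text, visited=(), min_requests=4, max_jitter=0.2):
    """Report hosts outside `visited`; interval_s is set for fixed-interval polling."""
    report = {}
    for host, stamps in requests_by_host(har_text).items():
        if any(host == site or host.endswith("." + site) for site in visited):
            continue  # traffic to a site the user opened on purpose
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps) if gaps else 0.0
        # Polling: enough requests, and gaps that barely vary around their mean.
        periodic = (len(stamps) >= min_requests and avg > 0
                    and pstdev(gaps) / avg <= max_jitter)
        report[host] = {"requests": len(stamps),
                        "interval_s": round(avg, 1) if periodic else None}
    return report

def sample_har():
    """Constructed capture: a 5 s poller, one visited site, one single request."""
    rows = [("https://pinterest.com/", s) for s in range(0, 30, 5)]
    rows += [("http://www.example.org/page%d" % i, s) for i, s in enumerate((2, 3, 17))]
    rows.append(("http://stats.example.net/ping", 9))
    entries = [{"startedDateTime": "2012-02-19T10:00:%02d.000+01:00" % s,
                "request": {"method": "GET", "url": url}} for url, s in rows]
    return json.dumps({"log": {"version": "1.2", "entries": entries}})

if __name__ == "__main__":
    for host, info in find_unrequested(sample_har(), visited=("example.org",)).items():
        print(host, info)
```

Pass the sites you opened yourself as `visited`; the hosts that remain in the report are the ones to look up, and a non-empty `interval_s` marks a host that is being polled on a timer.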


Comments

  1. Sputnik said on March 4, 2012 at 2:45 am

    An easier way to verify this is to make sure that the name of the extension is not “ET”…

  2. MadBalloon said on February 21, 2012 at 7:09 pm

    PortableApps versions of browsers are a good way for a blank browser with blank profile.

  3. somedude1 said on February 20, 2012 at 6:18 pm

    Port Explorer

  4. Crodol said on February 20, 2012 at 9:36 am

    Installed the program.
    WinPatrol is complaining that Fiddler wants to install an add-on and
    Fiddler is “complaining” that WinPatrol connects to the internet. A vicious cycle has been triggered!!!

  5. boris said on February 20, 2012 at 5:34 am

    I am glad that you suggested this software. I found out that site searchgby.com was tracking my every search for years.

  6. SFdude said on February 19, 2012 at 11:07 pm

    thanks Martin!
    this is really a good way
    to track “extension” phone-home activity.

    Any equivalent tool not using .NET?
    (I expunged .NET & Java
    from my systems a long time ago,
    = less security updates and headaches…).

    I know, that’s just me…

    1. Martin Brinkmann said on February 19, 2012 at 11:52 pm

      You can use a program like SmartSniff from Nirsoft http://www.nirsoft.net/utils/smsniff.html

  7. Damirora said on February 19, 2012 at 10:39 pm

    Is there a way to check all the connections made on my router?
    I’ve been using fiddler for my system, but what can I use to find out what my game console/phone/ipod connects to?
    Should I install something like tomato on my router so I can do this? Can DD-WRT do that?

    1. Martin Brinkmann said on February 20, 2012 at 12:00 am

      You could try a program like Wallwatcher http://wallwatcher1.com/
