Precautions to take before installing Chrome extensions
The majority of extensions are not malicious, dangerous or privacy invading. Some extensions are, however as malicious actors find new ways to take advantage of certain loopholes. The last years have seen a rise of an industry that monetizes browser extensions, often in the form of collecting and selling user data.
Companies contact extension developers to either purchase successful extensions (based on users) outright, or broker a deal with the developer to include scripts used to monetize the extension or track users of it.
This seems to happen more on Chrome than on Firefox, and one of the reasons why that is the case is that Chrome extensions get updated automatically, often without the user even noticing that this is happening or happened.
So what can you do to prevent this from happening to you?
1. Check the source
The most reliable way of verifying an extension for third-party content is to check its source. This works best before it gets installed on the user system.
You can use Chrome extension source viewer for that for example (tip: it is also available for Firefox). The add-on for the browser displays a button in the main toolbar that you can click on to display the source right in the browser or download the extension as a zip file instead to analyze it locally.
You can filter by type, for instance images, so that only code is displayed right away. While that is the best option, it only works if you understand the code. If you don't, it won't do you any good unfortunately.
2. Check the reviews
This is again something that you do before you install the extension. User reviews may reveal that the extension is monetized or is behaving in shady ways.
If you see lots of low score reviews there you may want to stay away from the extension regardless of what it promises to do. The method has its flaws as it relies on user input; new extensions may not have that many comments and if an extension was purchased or compromised, there may not be comments that reveal that fact yet.
3. Check the permissions
Whenever you hit the install button on the Chrome Web Store the permissions that the extension requires are displayed first.
You may be able to use the information to determine whether an extension requests permissions that are not required for its core functionality.
If you have an extension that improves the readability on Yahoo but requests permissions to manipulate all web pages you visit, then it is something that you need to consider before you install the extension.
It may not always be as easy to determine whether the permissions requested are required for its functionality or not.
You can check Google's support page that lists and describes all extension permissions.
The most important permissions that you need to look out for are the following ones:
- All data on your computer and the websites you visit.
- Your data on all websites.
- Your data on [list of websites].
4. Other tips
Once you have installed an extension it may be updated at any time without you having a say in it. You can install an extension such as Chrome Update Notifier Plus or Extensions Update Notifier to receive information whenever extensions were updated in the browser.
Another option is to disable all auto-updates in Chrome using system policies on Windows.
Now You: Have another tip on how to handle this? Feel free to share it in the comments below.
Unfortunately, there is no reliable way to find out if a Chrome extension is involved in malicious activities or not, specially for the non-techie users. For example, an extension could be ‘fair’ initially, and turns malicious later through updates.
I believe there are two ways to sort out this issue: First, users should come forward and support developers financially, by *buying* paid extensions and apps or by donating. This would encourage “good” developers, and create a revenue model for them. Second, Chrome team should also put Mozilla-like review system for CWS hosted items.
Examining the permissions doesn’t work too well for me, because I don’t usually know what a permission means in terms of what actually happens.
Example: I use Better History, which I think is very good at what it does, but one of the permissions is: “Manage Your Downloads” (screenshot: http://i.imgur.com/JOw5EGX.jpg )
I have no idea what that means the extension wants to do. I download things in Chrome often, and don’t notice any behavioral changes.
Here, Old Compose for Gmail : http://i.imgur.com/hRG27id.jpg
It says “Manage your apps, extensions, and themes”. But it doesn’t appear to do any of that, and I have no idea what that permission means in practical terms.
> 5. won’t help if you don’t read, analyse and understand the code.
And it is one thing to know the language , understanding a program is a completely different thing.
I’m a programmer and sometimes giving support on code someone else wrote can be of the hardest things to do, not because of the programming language but in the way that they wrote it.
This doesn’t have to mean that they write badly, just that they have another way of dooing things.
I’m not talked about the whole code, it’s pretty easy, also for non tec-ip pros to identify if an app sends any data to an hidden cc or other external servers. You don’t need to understand all things to look at the urls or the things you may not understand, because if it’s open source you can ask the dev or the community.
> Thanks for posting this, I have been looking for a good way to download the crx file
IDM can download .crx files, windows updates and many more…. Useful tool. :)
I use Extension Defender : https://chrome.google.com/webstore/detail/extension-defender/lkakdehcmmnojcdalpkfgmhphnicaonm?hl=en
The idea is great, but I wonder how well it works.
Thanks for posting this, I have been looking for a good way to download the crx files. The online downloaders aren’t that reliable.
1. Limit the number of extensions to a trusted few favorably reviewed by major sites (which can’t be bough as easily as random phony 5-star review.)
2. Regularly check Ghacks and similar sites for news about extensions being sold off and injected with malware.
I check the background.js pages before I install a new extension as well as after any updates to see if the authors tacked on malware. Most authors don’t link or tack on 3rd party installs, but for the ones that do, often I find toolbars and shopping enhancement type links like Conduit, GoSearch, Partyfinds etc… Once I find them I simply remove those extensions, then run CCleaner and MalwareBytes cleaners. Search my registry for left over traces and even do a full system rootkit scan with my virus scanner.
As of recent, the extension known as, “Awesome Capture and Annotate”, added malware and spyware to their updates so I removed them an replaced them with other versions without the junk. Our best defense against junk is looking into the background pages and looking through background scripts (js files) for mentions or links of third party sites unknown to me.
There is already a scanner, but as always it’s impossible to monitor all extensions/plugins/.. and such things. Same with an antivirus products. And another question would be, do you trust a scanner app from someone that doesn’t get any money for it (which maybe means he include “infected/comprimised” ads?!) or are you able to pay for it?
As recently shown admob, doubleclick was infected by a botnet. So I guess the best is to use scripts or compile yourself to be “safe”.
Other methods are only workarounds and it’s a matter of taste how much do you trust in other people/platforms.
Why doesn’t some enterprising developer produce an extension-scanner… so we don’t have to resort to reading code ourselves?
5. Use open source plugins/extensions/themes/whatever and compile yourself directly from the source, not to difficult on ff/chrome. It take some time the first time, but after that it’s definitely worth to try, and you get some background knowledge about permissions and such things.
6. Not use chrome…. :-D ….
I don’t see any problem with the automatically update if it check against known sources, the change to get infected from there is lower as if you do it from external pages that provide “mirrors” for the extensions.
Problematically is that we can’t control the extensions as it should be, there is no option in ff/chrome or any other browser to restrict some function manually, like internet access, read/write permissions and such things which would be useful to take control over it. Some official extensions also collect “data usage info” or statistics and a normal user can’t control that if the developer not includes an option for it.
As always use as less as possible extensions and think twice about it if you really need it, some of the functions also can be merged by userscripts (the good thing is that the source is open and you can see directly before you install what you get). And it’s a lot of easier to edit.
https://greasyfork.org/scripts?per_page=100&sort=updated :)
5. won’t help if you don’t read, analyse and understand the code.
And it is one thing to know the language , understanding a program is a completely different thing.
I’m a programmer and sometimes giving support on code someone else wrote can be of the hardest things to do, not because of the programming language but in the way that they wrote it.
This doesn’t have to mean that they write badly, just that they have another way of dooing things.
Reminds me of a post I just read about ad-injecting chrome extensions:
http://www.hanselman.com/blog/CanYouTrustYourBrowserExtensionsExploringAnAdinjectingChromeExtension.aspx
“This seems to happen more on Chrome than on Firefox, and one of the reasons why that is the case is that Chrome extensions get updated automatically, often without the user even noticing that this happened.”
Actually, Firefox automatically updates extensions by default.
You can disable that though when you use Firefox. Plus I think that Mozilla audits any update that is uploaded to the store.
Absolutely. I never use auto updates so I stay aware of the addons I’ve just updated. Plus, I’m a control freak! LOL!
“You can disable that though when you use Firefox.”
Most users don’t.
“Plus I think that Mozilla audits any update that is uploaded to the store.”
This is the reason you should have listed.
“This seems to happen more on Chrome than on Firefox, and one of the reasons why that is the case is that Chrome extensions get updated automatically, often without the user even noticing that this happened.”
Actually, Firefox automatically updates extensions by default.
IMO i believe that any update on any extension or program that is done without user permission is not for me. too many times we have seen updates that immediately crash programs or result in bad results for the user. my tried and true method of updating is to wait. wait to read the results that others have had. let others be the guinea pigs…wait for the companies to tell you to wait and not install the update..this has happened many times. and most of all, to read what the update is trying to do. new for the sake of new is not always good. and continuing to use an older version that is working smoothly and without conflict is not always bad.
Personally, I think that whole google permissions policy is wrong (showing it to end users, and letting them decide based on that). It will either scare inexperienced ppl from installing it, or later when they realize that those (most of them) extensions/permissions are legit, it will result ppl disregarding permission info and clicking literally everything.
About permissions…one simple extension that will search for selected text, must read ALL your data on ALL websites,
and when end users see that, they are worried ofc (what about my privacy, can developer see my private data…etc.). Later they think those warnings are just big drama, and they click on everything.
Permissions should stay in developers domain (asking access to Chrome API’s) and then based on those permissions, someone/something at google, to check for extensions calls or whatever. And probably they do that already (they wouldn’t let malicious code just like that). But informing users in the way it is now…
The reviews are not always accurate.
Well if there are many consecutive bad reviews then its something to take note.
Sometimes a bad review could be due to other things on the user side, something unrelated to the extension.
Or some inexperienced user using Canary build installed a malicious version from a place other then the Chrome Web Store?
As for permissions, sometimes the need to use just one method of an API will require some scary permission.
The best way is still to dig into the source but it may be too techie for ordinary users.
Maybe Google can have some heuristic scanning?
But even that could be prone to some misjudgement.
I’m not suggesting to trust reviews blindly, but if there is a pattern of negative reviews, it is worth taking into account. Plus, even one negative review may provide you with information that can be useful as well.
I once purchased a pack of smartphone screen protectors after reading many mixed reviews. Some of the bad reviews included complaints about dust and air bubbles, one said the anti-glare texture felt gritty (a good review said it felt velvety), and some said they didn’t stick to their phone properly. The bad reviewers in this case also sounded unintelligent, and many didn’t give much detail, if any, about why they didn’t like them. The good reviews, on the other hand, sounded more intelligent, and some of them even explained why the bad reviewers experienced some of the problems they did (they were doing it wrong). When my protectors arrived, I held the protector up to my phone’s screen for a moment to see how it would fit, made sure my phone’s screen was absolutely clean, peeled the film off the back of the protector (which was clearly marked to signify that it was the side to stick to the phone), squeegeed it on with a credit card, then removed the front film, and guess what… it was perfect. I’ve had the same protector on my phone for 3 years, haven’t needed the other two that came in the pack, and am completely satisfied with it.
Mixed reviews can also work in reverse, especially when we’re talking about something like browser extensions. Someone may give a glowing review, not realizing that the extension came with spyware, for example.
The moral: Don’t base your decision solely on how many stars it has. Take the time to read the reviews, and try to determine which reviewers actually know what they’re talking about.