Extension Police for Chrome vets installed extensions

Martin Brinkmann
Jun 29, 2018
Updated • Jun 30, 2018
Google Chrome, Google Chrome extensions

Extension Police is a relatively new Chrome extension that vets all installed browser extensions and gives you actionable advice for each.

Chrome extensions are limited in what they can do, and Chrome's extension system limits their scope to the browser. Extensions can request additional permissions beyond the default scope, which are required for some functionality.

The developer of Extension Police created other extensions prior to it and noticed that Chrome extensions could be abused for all kinds of unwanted behavior. They could be used to take screenshots of any open tab, save and place cookies, inject JavaScript, like stuff on Facebook, or visit sites in the background.

Extensions need extra permissions for that, for instance the dreaded "read and change data on all websites you visit" permission, which is a blank check.

Extension Police for Chrome

Extension Police requests only one permission, and that is to control installed extensions and themes. It adds an icon to Chrome's toolbar that lists all installed extensions sorted into two groups: active and not active.

Active extensions are enabled in Chrome whereas not active extensions are disabled.

When you click on the icon, Extension Police lists extension icons and names, a security rating, and a toggle to enable or disable individual extensions. You can also disable all of them using the global toggle.

Users who have installed lots of extensions can use the built-in search to find specific extensions quickly.

Ratings range from safe to high potential risk and danger. A click on any extension reveals detailed information about the extension, its permissions, and the security rating.

Extension Police offers the following information for each installed extension:

  • Lists all granted permissions.
  • Interprets the granted permissions to provide a description for non-developers.
  • Lists the developer name, email address, and privacy link.
  • Lists users, rating and description.
  • Links to the extension page, report option, and delete.

Not all extensions that the extension highlights as dangerous or a potential risk are malicious in nature or abused for marketing purposes.

Extension Police gives uBlock Origin a high potential risk rating for instance. While that is certainly justified when you look at the requested permissions, it is not if you know the extension or the developer.

The tip to only use the extension if you trust the developer may help users form a decision.
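
A permissions-only rating of the kind described above, as an added example (not Extension Police's code; the page does not give its scoring rules). It flags all-sites host access and sensitive API permissions, and goes beyond the article by also checking the manifest's `content_security_policy`, which a reader comment below suggests. The rule sets, rating labels and both sample manifests are constructed for illustration.

```javascript
// Added example: rate a Chrome extension manifest from its permissions and CSP.
// Labels and rules are assumptions for illustration, not Extension Police's scoring.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["cookies", "tabs", "webRequest", "management", "history"]);

// Return the script-src sources of a CSP string (default-src as fallback).
function scriptSources(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives["script-src"] || directives["default-src"] || [];
}

function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const cs of manifest.content_scripts || []) perms.push(...(cs.matches || []));

  const broad = [...new Set(perms.filter((p) => BROAD_HOSTS.has(p)))];
  if (broad.length) findings.push({ id: "all-sites-access", detail: broad.join(", ") });
  const apis = perms.filter((p) => SENSITIVE_APIS.has(p));
  if (apis.length) findings.push({ id: "sensitive-api", detail: apis.join(", ") });

  // Manifest V2 stores the CSP as a string, V3 as { extension_pages: "..." }.
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw && raw.extension_pages) || "";
  const relaxed = scriptSources(csp).filter((s) => s === "'unsafe-eval'" || /^(https?:|\*)/i.test(s));
  if (relaxed.length) findings.push({ id: "relaxed-csp", detail: relaxed.join(" ") });

  const ids = findings.map((f) => f.id);
  const rating = ids.includes("relaxed-csp") ? "suspicious"
    : ids.includes("all-sites-access") ? "high potential risk"
    : ids.length ? "review" : "low";
  return { rating, findings };
}

// Constructed sample manifests (not taken from any real extension).
const contentBlocker = {
  manifest_version: 2,
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "tabs", "storage"],
};
const remoteLoader = {
  manifest_version: 2,
  permissions: ["storage"],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.invalid; object-src 'self'",
};
console.log(auditManifest(contentBlocker), auditManifest(remoteLoader));
```

The content-blocker manifest is rated "high potential risk" on permissions alone, while the second manifest requests almost nothing yet is flagged for its relaxed script policy; neither result says anything about the developer's intent.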

Extension Police audits extensions installed in Google Chrome. While that is its main purpose, it does support extension management options as well. I mentioned the ability to change the state of extensions already, but there is also the "secure your critical websites" feature.

You need to give Extension Police permission to access browser tabs to use the feature. Basically, what it does is auto-disable extensions on websites you select. The main idea behind the feature is to prevent extensions from interacting with certain sites open in the browser.

You could use it to block extension access to online banking, shopping, or social sites to avoid the leaking of data or misuse.

It is possible to achieve the same by accessing critical sites in Incognito Mode, as extensions are disabled in that mode by default in Chrome. You may use a browser extension to always open specific websites in Incognito Mode.

Closing Words

How useful is an extension like Extension Police? It depends largely on your extension use. The extension is probably not that interesting if you are an advanced user as you probably vet extensions before you install them.

Chrome users who do not may use it to get an overview of installed extensions and may use the security ratings that Extension Police gives to prioritize the manual vetting process.

It is not a good idea to trust the ratings blindly which means that you need to look at each extension individually anyway.

Now You: Would you use a browser extension like Extension Police?


Comments

  1. Kevin said on October 9, 2018 at 11:32 am

    Hi Martin, I am a developer at Extension Police. Thank you for covering our extension and for pointing out the issue with the Privacy Policy. We have updated the policy, improved the transparency, added more protection and anonymity to our users. Our users’ data are not collected and will never be shared.

    On the other hand, we found a bunch of security flaws in Chrome, therefore we have developed a very advanced Security Tool for Chrome

    JUSTBLOCK SECURITY for CHROME (Justblock.org)

    Please feel free to test it and to leave your feedback at support(at)justblock(dot)org

    Cheers,

    Kevin

  2. gorhill said on July 10, 2018 at 2:18 pm

    It looks like Extension Police (“EP”) is removing points if an extension does not have an official website, which is the case for uBO. Not convinced having an official website is meaningful, I have seen a lot of unethical extensions having an official website (often a single page site).

    Unfortunately, EP is not open source, hence it can’t benefit from outside ideas and arguments — I sure would argue that having a website is not a very useful indicator.

    Moreover, EP does not seem to check the value of “content_security_policy” (“CSP”) in a manifest, a pretty good indicator of “highly suspicious” in my opinion: a lot of malicious extensions out there relax their own CSP in order to allow remote code execution from within the extension context.

  3. Pierre said on July 1, 2018 at 7:23 am

    It made me suppress nearly all my extensions.
    If I understand well, uBlock origin is a false positive? Can you confirm it?

  4. Tim Bonham said on June 30, 2018 at 10:17 pm

    I try to limit the extensions I use when browsing. Yet this requires me to add another extension to police extensions!

    I’d be much more interested in this if it was a stand-alone program that I could run occasionally (or even schedule weekly) or use it online.

  5. Pierre said on June 30, 2018 at 6:59 pm

    A lot of my extensions are considered as dangerous: disable javascript, miner block, share button for Facebook, share link via email, share on twitter plus, tabs to the front, ublock origin, video downloader professional, view image, windows defender browser protection
    Among them, a lot you recommended here…
    Impressive! No longer use Chrome?
    (Adblock is safe, says the extension)

  6. Pierre said on June 30, 2018 at 6:42 pm

    Yes, “extension police”, not “policy”. I spent several minutes to find it

  7. Hayley said on June 30, 2018 at 12:22 pm

    I find their privacy policy (https://www.justblock.org/privacy.html) rather off-putting.

    “[…] Non-Personal Information which is being collected includes the user’s /aggregated browsing usage/ information and technical information transmitted by the user’s device.

    When you install or use the Product, we collect from you: the type of device, operating system and browsers you are using; the date and time stamp; /browsing usage/, including /visited URLs/, clickstream data or /web address accessed/; the browser identifier; and your Internet Protocol address.

    We may disclose or share this information with third parties as specified below and solely if applicable.”

    “In order to block unwanted popups and overlay banners, we need to scan the webpages you browse. Meaning, we use the data collected from you, as detailed and specified above, and transmit it our servers solely for the purpose of enable the Product and to know when and where there is a popup to block! We also use Non-Personal Information, aggregated information or statistics regarding user browsing behavior as a measure of interest in, and use of, the Product in the form of aggregated data, such as overall patterns or demographic reports, which do not describe or identify any individual user.”

    Much of this seems to be intended for their primary extension, JustBlock Security. However, reputable security addons like UBlock Origin, HTTPS Everywhere, Privacy Badger, and DecentralEyes do not demand nearly this much data be collected, especially not visited URLs. UBlock Origin is able to block pop-ups and overlay banners absolutely fine with local filters. Hopefully I’m being paranoid, but I’d advise proceeding with caution.

    1. Hmm said on July 1, 2018 at 12:36 am

      The extension does not request url or tabs permissions so it cannot read browsing data. This looks like the privacy policy is mainly for justblock extension and they have just re-linked it.

    2. ilev said on June 30, 2018 at 7:09 pm

      “In order to block unwanted popups and overlay banners,..”

      This extension is NOT an ad blocker so why the need to read browser’s data?

      The extension doesn’t conform to GDPR rules and should be banned in EU:

      1. users should have the right to reject data collection.
      2. users should have the right to view all data collected
      3. users should have the right to delete all data collected…

  8. jasray said on June 30, 2018 at 1:07 am

    “Extension Policy gives uBlock Origin a high potential risk rating for instance. While that is certainly justified when you look at the requested permissions, it is not if you know the extension or the developer.”

    Yes, just noticed that. And Disconnect and Canvas Defender and nearly every one of the extensions for privacy.

    The problem is that “we do not know the developer.” No matter, we do not know and never will know.

    In short . . . don’t know.

  9. Anonymous said on June 29, 2018 at 9:11 pm

    OMG. Read their privacy policy… /smdh

  10. pHROZEN gHOST said on June 29, 2018 at 6:07 pm

    One thing disturbs me about this extension. I love UBO. It tells me UBO is a high potential risk?!?!?!?!?

    1. Anonymous said on June 29, 2018 at 11:00 pm

      Yea it appears to only look at the permissions given to an extension, not how reputable it is.
      https://imgur.com/a/N3eCnUN

  11. pHROZEN gHOST said on June 29, 2018 at 6:01 pm

    @Martin Brinkman … “Extension Police” occurs at 2 locations.

    1. Martin Brinkmann said on June 29, 2018 at 6:16 pm

      Thanks!

    2. pHROZEN gHOST said on June 29, 2018 at 6:02 pm

      Oops, my bad. “Brinkmann” Sorry :-(
