In this guide, I will show you how you can search all installed Chrome extensions for the dangerous unsafe-eval content security policy. The method may also work for extensions installed in other browsers provided that the extension files are readable in plain text.
A new scandal surrounding a number of extensions that recorded and sold users' browsing data made the news last week. More than 4 million browser installations were affected this time, and it was just the latest in a series of privacy-related issues surrounding shady browser extensions.
The extensions in question used a well-documented Content Security Policy directive, unsafe-eval, to download a remote payload and start collecting and transferring browsing data.
Chrome extensions need to declare unsafe-eval in the extension manifest to make use of it. The Chrome Web Store does not highlight its use, and the extensions are otherwise clean when the developer uploads them to the store.
For an extension to execute remote code in its own context, it needs to explicitly declare `unsafe-eval` in its manifest.json.
In other words: these extensions declared unsafe-eval so that they could download the payload at a later point in time.
Hill recommends that users avoid any extension that declares unsafe-eval; that requires, however, that users check the extension's manifest file before they hit the "add to Chrome" button.
We published a Chrome extensions verification guide in 2015; it is a good resource for verifying any Chrome Web Store extension before installation.
Here is a short overview since you may not want to read the entire long guide.
While you could open the manifest.json file of each installed extension to find out whether any of them uses the unsafe-eval declaration, you may also search across all of them at once to speed up the process.
Here is how that is done:
Everything searches the entire folder structure and all files for the selected phrase. Focus on the manifest.json files and double-click one to open it in the default text editor; use the editor's built-in search for unsafe-eval to verify the finding.
The same method should work for most other browsers.
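If you would rather not click through every hit in a text editor, the manifest check described above (and the unsafe-eval declaration explained earlier) can be automated. The script below is an added example, not part of the original guide or of any browser project: it walks a Chrome profile's Extensions folder, parses each manifest.json, and reports only the extensions whose content_security_policy actually contains unsafe-eval, so a stray mention in a README or a JavaScript comment is not counted. It handles both manifest layouts: Manifest V2 declares the policy as one string, Manifest V3 as an object with extension_pages and sandbox policies (Chrome rejects unsafe-eval in extension_pages for V3, so a V3 hit will normally be in the sandbox policy). The default profile paths are the usual locations for Google Chrome; the extension ids and manifests used by demo() are constructed sample data.

```python
"""Scan a Chrome 'Extensions' directory for manifests whose CSP allows unsafe-eval.

Added example (not the article's own tooling). Usage:
    python scan_unsafe_eval.py [path/to/Extensions]
With no argument the default Google Chrome profile location for this OS is used.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

KEYWORD = "unsafe-eval"  # CSP keywords are compared case-insensitively


def default_extensions_dir() -> Path:
    """Typical Google Chrome default-profile Extensions folder per platform."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = Path.home() / ".config" / "google-chrome"
    return base / "Default" / "Extensions"


def csp_strings(manifest: dict):
    """Yield (label, policy) for every CSP string a manifest declares.

    Manifest V2: "content_security_policy": "<policy string>"
    Manifest V3: "content_security_policy": {"extension_pages": "...", "sandbox": "..."}
    """
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        yield "content_security_policy", csp
    elif isinstance(csp, dict):
        for key, value in csp.items():
            if isinstance(value, str):
                yield f"content_security_policy.{key}", value


def find_unsafe_eval(manifest: dict) -> list:
    """Return the labels of the CSP entries in this manifest that allow unsafe-eval."""
    return [label for label, policy in csp_strings(manifest) if KEYWORD in policy.lower()]


def scan_extensions_dir(root) -> list:
    """Walk root/<extension id>/<version>/manifest.json and return a sorted list of
    {"id", "name", "version", "where", "path"} dicts for manifests allowing unsafe-eval."""
    root = Path(root)
    findings = []
    for manifest_path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the scan
        where = find_unsafe_eval(manifest)
        if not where:
            continue
        parts = manifest_path.relative_to(root).parts
        findings.append({
            "id": parts[0] if len(parts) >= 3 else manifest_path.parent.name,
            "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale key
            "version": str(manifest.get("version", "?")),
            "where": where,
            "path": str(manifest_path),
        })
    return sorted(findings, key=lambda f: (f["id"], f["version"]))


def demo() -> list:
    """Scan a throw-away Extensions tree built from constructed sample manifests."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0_0": {  # MV2: unsafe-eval in the page policy
            "manifest_version": 2, "name": "Sample MV2 Loader", "version": "1.0.0",
            "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.3.1_0": {  # MV3: unsafe-eval only in sandbox
            "manifest_version": 3, "name": "Sample MV3 Sandbox", "version": "2.3.1",
            "content_security_policy": {
                "extension_pages": "script-src 'self'; object-src 'self'",
                "sandbox": "sandbox allow-scripts; script-src 'self' 'unsafe-eval'",
            },
        },
        "cccccccccccccccccccccccccccccccc/0.9_0": {  # no CSP override at all
            "manifest_version": 3, "name": "Sample Clean", "version": "0.9",
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in samples.items():
            path = Path(tmp, rel, "manifest.json")
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions_dir(tmp)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    hits = scan_extensions_dir(target) if target.is_dir() else demo()
    for hit in hits:
        print(f"{hit['id']}  {hit['name']} {hit['version']}  allows unsafe-eval in {', '.join(hit['where'])}")
    print(f"{len(hits)} extension manifest(s) declare unsafe-eval")
```

Run it without arguments to scan the default profile, or pass the Extensions folder of another Chromium-based browser, since their layout is the same. A hit is a reason to read the manifest and the extension's scripts, as the article suggests, not proof of malice on its own; legitimate extensions occasionally need eval for bundled templating or WebAssembly loaders, and Manifest V3 confines it to sandboxed pages.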
Now You: do you verify extensions before you install them?