How to check the security of your Google Chrome extensions


The other day, a friend called me and said that his Google Chrome browser is acting weirdly and may need reinstalling. According to him, every time he searched for something on Google some unknown website appeared with suspicious results. I asked him to remove every Chrome extension and only add those few that he really needs. But it occurred to me that this friend of mine will probably be hit by more scams brought by other malicious Chrome extensions unless he looks out for a few things.

And I can assure you my friend is not alone.

According to statcounter.com, Chrome has become the de facto standard of browsers with nearly 60 percent of market share across all platforms as of June 2018.


Aside from its speed, ease of use, clean interface, and security, one of the main selling points of Google Chrome is the vast arsenal of tens of thousands of extensions that virtually cover every niche and need. Chrome extensions are fun and make you more productive at the same time. You don’t need to order tailored software for your needs because you’ll find similar ones on Chrome Web Store. Right?

What are Chrome extensions?

Chrome extensions are small applications that reside inside Google Chrome. They can automate repetitive tasks or add specific functionalities to Google Chrome’s broad capabilities. Chrome extensions are built on web technologies like HTML, JavaScript, and CSS. This lowers the entry barrier for developers or even hobby coders and enables them to write extensions with relatively few assets and resources.

Why can Chrome extensions be dangerous?

Chrome extensions are small plugin apps that reside within your browser. Therefore, they could potentially have full access to all your data in your browser, such as the websites you visit, the content of these websites, what you enter in forms (e.g. passwords), and more.

Chrome extensions have a layered permission system that can narrow an individual extension’s access to your data to what the extension really needs. But such a system is only as effective as the people who use it. If you accept every permission a Chrome extension asks for without a second thought, no permission system can protect you.

While Google scans every Chrome extension that is submitted to Chrome Web Store, there are still some malicious ones that slip through the net. And as if things were not bad enough, Google Chrome allows extensions to be installed from third-party websites through something called the inline install API. The good news is that the search behemoth has announced that this functionality will be gradually phased out. From Chrome 71 in early December 2018, the inline install API for Google Chrome will be completely removed from developers’ options.

But that’s not the whole story. Chrome extensions are updated automatically. So, even if you took the necessary precautions and did your research before installing, a later update can turn a benign extension malicious. The extension can also change hands. The developer may sell their extension to another company, or it may even get compromised and become the vehicle of a supply chain attack.

All in all, there are a lot of scenarios that could make an extension dangerous, even after it has been installed. So you have to keep an eye on your Chrome extensions, not only when installing, but also after they have been installed.

Things you should check before installing a Chrome extension

Make sure you really need the extension

This one is not about the extension you intend to install but rather about proper security hygiene. Every functionality that you add to your system increases your attack surface. There are a lot of cool and funny things out there, but if you don’t really need it, don’t install it.

Create a dummy Chrome profile to check out possible extensions first

If you are like me, you can’t always adhere to the previous rule. Checking new software is not only fun but may be part of your day-to-day work. After all, how would you know if a Chrome extension will help you increase your productivity without installing it? Creating a new dummy Chrome profile for testing purposes is a reasonable precaution that can help prevent a lot of tears. Separate your real business browser, where you have all your accounts open, from the testing profile and you have added an additional layer of security.

Never install an extension from outside of the Chrome Web Store

Google has already enforced this policy for Chrome extensions that are published after June 12th, 2018. But if you have previously installed an extension from somewhere outside of Chrome Web Store, uninstall it now and look for an official alternative on Chrome Web Store.

Google says that by September 12, it will disable this functionality for existing extensions. Regardless of where you click for installing an extension, you will be led to Chrome Web Store and that is a good thing. According to Google, the inline install API that is necessary for installing extensions outside Chrome Web Store will be removed from Chrome 71 altogether in early December 2018.

Google says that the descriptions and feature lists in the Chrome Web Store are vital to help users make informed decisions on whether or not they really need a particular extension.

Please note that developers will still be able to locally install their extensions for testing by enabling developer mode.

Make sure you are installing the right extension

This may sound too easy, but it isn’t. Earlier this year AdGuard, a company that offers ad blocking products, revealed a list of five malicious Chrome extensions that together had compromised over 20 million users. Here’s the list of the malicious extensions:

  • AdRemover for Google Chrome™ (10M+ users)
  • uBlock Plus (8M+ users)
  • Adblock Pro (2M+ users)
  • HD for YouTube™ (400K+ users)
  • Webutation (30K+ users)

Now have a look at the following list of legitimate extensions:

  • AdBlock (10M+ users)
  • Adblock Plus (10M+ users)
  • AdBlocker Ultimate (750K+ users)
  • uBlock (500K+ users)
  • uBlock Origin (10M+ users)
  • uBlock Plus Adblocker (800K+ users)
  • And many, many more…

As you can see, it’s really important to make sure you install the extension you intend to install. It is really difficult to tell the first list from the second. Don’t rely on something you vaguely remember.


Carefully read the extension’s description and privacy policy

Read the extension’s description on Chrome Web Store carefully, all the way to the end. One of the reasons Google insists on installing extensions only from Chrome Web Store is that providing a transparent description is mandatory there. There may be extensions that aren’t outright malware and pass Google’s security scans but still follow dubious security and privacy practices like tracking users or sharing their data. When you read the extension’s description you’ll be able to assess whether it makes sense to trade off some of your privacy and security for its added functionality.


Check out the extension’s website

Not every Chrome extension has a website. There are some popular ones that are programmed and maintained by individual developers. A professionally made website for a bogus extension is also something that malicious actors can create. But checking the website of an extension gives you a more informed picture and can help you make a better decision. Look out for telltale signs of unprofessional work like spelling mistakes or bad English.


Check the extension’s user number

Avoid extensions that have only a few users. They may be good and innovative projects, but if you don’t have the skills or time to thoroughly investigate the extension, don’t bet on that. For common functionalities, there are normally a bunch of Chrome extensions that do roughly the same thing. In these cases go with the more popular ones.

Read the extension’s reviews on Chrome Web Store

Malicious actors can and have created good reviews on Chrome Web Store to make their piece of malware look good. If you just see reviews that declare their love for an extension without giving specific use cases and every review gives a five-star rating, think twice before installing. Here are some of the reviews you would have found on AdRemover’s page on Chrome Web Store before it was removed by Google:

Jowanna S. – ★★★★★
“Nice adblocker! Highly recommended for chrome users!”

Ruand S. – ★★★★★
“My favorite ad blocker.”

Lewis A. – ★★★★★
“I hated theese facebook ads so much, so installed ad blocker. Thank you”

Cecilia – ★★★★★
“Excellent Adblocker !! Blocked all the unwanted & irritating pop ups! Never without Adblock.”

Patricia D. – ★★★★★
“Not pestered by anymore unwanted ads. Great app. The best adblock.”

Alden D. – ★★★★★
“I love AdRemover Adblocker. It’s brilliant! It’s also the best. No more ads. Used other Adblocker but this is good.”


There are always a few users who think they’ve found the best thing since the invention of the internet, but all in all, citizens of cyberspace are more tech-savvy than that.


Check the permissions when installing

The permissions an extension asks for should make sense and be as narrow as possible (e.g. a screen capture extension doesn’t need read access to all your data). Keep the extension’s description in mind. If it claims to add functionality to a specific service like Gmail but wants access to all your data on all the domains you visit, don’t install it.

Check the extension’s code

And finally, if you have the skills and the necessary time, check the extension’s code. Chrome extensions are built on web technologies like JavaScript, HTML, and CSS, so the code is usually readable unless the developers have obfuscated it. Many extensions are hosted on GitHub, where you can easily view and download them. The rest you can inspect in your browser’s Developer Tools or find on your hard drive.
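The two checks above (permissions that should be as narrow as the extension’s stated purpose, and reading the code on your hard drive) and the earlier point about silent auto-updates can be partly automated by reading each installed extension’s manifest.json. The script below is an added example, not code from the article or from any extension; it assumes the usual Chrome profile layout of Extensions/<id>/<version>/manifest.json, uses two constructed sample manifests for a hypothetical Gmail helper, and relies on the documented manifest keys permissions, host_permissions and content_scripts.

```python
"""Flag Chrome extension manifests whose declared access is broader than their stated purpose.

Added example (not from the article). It reads manifest.json files, lists every host
pattern and sensitive API permission they declare, compares them with the hosts the
extension is supposed to work on, and diffs two manifest versions so an auto-update that
widened access can be spotted.
"""
import json
from pathlib import Path

# Permission names that grant access to browsing data well beyond one site.
# The names are real Chrome permission strings; the descriptions are our own summaries.
SENSITIVE_PERMISSIONS = {
    "tabs": "read the URL and title of every open tab",
    "webRequest": "observe network requests on matched hosts",
    "webRequestBlocking": "modify or block network requests",
    "cookies": "read and write cookies on matched hosts",
    "history": "read browsing history",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to native programs outside the browser",
    "debugger": "attach the debugger to pages",
    "proxy": "change proxy settings",
    "management": "manage other extensions",
}


def _host_of(pattern):
    """Return the host part of a match pattern; '*' means every host."""
    if pattern == "<all_urls>":
        return "*"
    rest = pattern.split("://", 1)[1] if "://" in pattern else pattern
    return rest.split("/", 1)[0]


def declared_hosts(manifest):
    """Collect every host match pattern: MV2 'permissions', MV3 'host_permissions',
    and the 'matches' of each content script."""
    patterns = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    patterns.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest, expected_hosts=None):
    """Return a list of findings. expected_hosts is the set of hostnames the extension
    legitimately needs (e.g. {'mail.google.com'} for a Gmail helper); any other host,
    and any catch-all pattern, is reported. Wildcard hosts like *.example.com are
    reported unless listed verbatim in expected_hosts."""
    findings = []
    for pattern in sorted(declared_hosts(manifest)):
        host = _host_of(pattern)
        if host == "*":
            findings.append(f"broad host access: {pattern}")
        elif expected_hosts is not None and host not in expected_hosts:
            findings.append(f"unexpected host: {pattern}")
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive permission '{perm}': {SENSITIVE_PERMISSIONS[perm]}")
    return findings


def permission_diff(old_manifest, new_manifest):
    """(added, removed) permissions and host patterns between two manifest versions,
    e.g. the copy you reviewed before installing and the one on disk after an update."""
    def everything(m):
        return set(m.get("permissions", [])) | declared_hosts(m)
    old, new = everything(old_manifest), everything(new_manifest)
    return sorted(new - old), sorted(old - new)


def audit_installed(extensions_dir, expected_hosts=None):
    """Audit every manifest under a Chrome profile's Extensions directory.
    Some manifests start with a UTF-8 BOM, hence 'utf-8-sig'."""
    results = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        results[str(path)] = audit_manifest(manifest, expected_hosts)
    return results


# Constructed sample manifests (hypothetical extension, not a real one).
GMAIL_HELPER_V1 = {
    "manifest_version": 3, "name": "Gmail Helper (sample)", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://mail.google.com/*"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["helper.js"]}],
}
# The same extension after a hypothetical update that quietly widened its reach.
GMAIL_HELPER_V2 = {
    "manifest_version": 3, "name": "Gmail Helper (sample)", "version": "1.1",
    "permissions": ["storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["helper.js"]}],
}

if __name__ == "__main__":
    for name, manifest in (("v1", GMAIL_HELPER_V1), ("v2", GMAIL_HELPER_V2)):
        print(name, audit_manifest(manifest, {"mail.google.com"}) or "no findings")
    added, removed = permission_diff(GMAIL_HELPER_V1, GMAIL_HELPER_V2)
    print("added by update:", added, "removed:", removed)
```

Run it as-is to see the two samples, or call audit_installed with your profile’s Extensions directory to audit what is actually installed. The findings are only a signal: a permission like tabs has legitimate uses, so the point is to confirm each one against the extension’s description rather than to reject automatically.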

Final thoughts

An open infrastructure where you can build on well-known technologies for a software product used by over a billion people spurs innovation and diversity. But it’s also a double-edged sword. Google Chrome’s huge user base, the ease of building extensions, and the relatively liberal guidelines and checks Google has put in place also draw bad actors looking to make a quick buck.

Don’t get me wrong, but Chrome Web Store is a jungle full of wonders, both good and bad. So if you go out exploring, go prepared and if you decide to take something extraordinary home with you, think twice. It could be a deadly Autumn Crocus flower you’ve picked instead of a Crocus.

This story is republished from TechTalks, the blog that explores how technology is solving problems… and creating new ones.