It’s been about a week that I have been working on developing a Chrome extension. This was actually my first experience developing an extension. During the R&D process, I’ve checked out some existing Chrome extensions for learning purposes. While searching, I’ve found some extensions with suspicious activities. Some of them actually have access to users’ sensitive information, such as files on their computer!
The fact is that extensions are one of the most dangerous pieces of software I’ve ever worked with, because of the access level they can get. A Chrome extension can get access to almost anything on your computer, from the file system to your web history. Even most desktop apps don’t have access to such resources. Here are some of the things an extension can do that you may want to consider:
- It can have direct access to all of your Chrome data, including your tabs, the websites you visit, your passwords and a lot more.
- It can have access to your file system. This means that an extension can access all of the personal files on your computer.
- It can execute a file: the extension developer can also include an executable file inside a Chrome extension and run it in the background without notifying you. This can be very dangerous. Assume that an extension developer writes a keylogger in C++ and runs it on your computer. As a result, it can gather all of your passwords and personal information and then send them to a server.
- It can also access system memory and the CPU. This is ridiculous, because only some low-level apps and services have access to such resources.
- And a lot more…
The following is an example of a Chrome extension that has access to more of your computer’s resources than it really needs (I’ve omitted the extension name and logo):
As you can see in the picture above, this extension wants access to nearly everything on your computer:
- It can access your USB devices!
- It can communicate with native applications such as kernel processes.
- It can access your entire Google Drive account, including all of your personal documents, photos, etc.
- It has full access to your network connections.
Permissions for a Chrome extension are requested in its manifest.json file. The extension developer can request any access he/she wants. Google reads this file when a user attempts to install the extension and shows the dialog above.
You MUST check an extension’s permissions before installing it. An extension can be very dangerous; make sure it only asks for the permissions it needs. For example, a game doesn’t need access to the browser proxy. You should not allow such permissions.
Even extensions downloaded from the Chrome Web Store are not safe, since there’s no review process behind them.
Note that everything I’ve mentioned in this post works the same way in Firefox; consequently, a Firefox extension can also have unlimited access to your computer.
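The permission check described above can be done on the manifest.json itself rather than only on the install dialog. The script below is an added example and is not code from the original post: it parses a manifest, flags the permission names that correspond to the dangerous capabilities listed in this post (native messaging, USB, proxy, network observation, full Google Drive OAuth scope, and "all sites" host patterns), and compares a constructed over-broad manifest for a game against a constructed least-privilege version of the same game. The permission and scope names are real Chrome/Google values; both manifests, the extension name and the client id placeholder are constructed for the example.

```javascript
// Added example (not from the original post): audit the permissions an
// extension declares in its manifest.json against a least-privilege view.
// Permission names are real Chrome extension permission names; the two
// manifests below are constructed sample inputs.

// Permissions that grant capabilities well beyond what most extensions need.
const RISKY_PERMISSIONS = {
  nativeMessaging: "can launch and exchange messages with native programs outside the browser",
  usb: "can talk to USB devices",
  proxy: "can change the browser proxy settings and route all traffic",
  webRequest: "can observe every network request the browser makes",
  history: "can read the browsing history",
  tabs: "can read the URL and title of every open tab",
  debugger: "can attach the DevTools debugger to pages",
  management: "can list, enable and disable other extensions",
};

// Host patterns that match every website.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Full Google Drive scope; "drive.file" would limit access to files the app created.
const FULL_DRIVE_SCOPE = "https://www.googleapis.com/auth/drive";

// Returns a list of {permission, reason} findings for one manifest.json string.
function auditManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const findings = [];
  const permissions = m.permissions || [];

  for (const p of permissions) {
    if (RISKY_PERMISSIONS[p]) findings.push({ permission: p, reason: RISKY_PERMISSIONS[p] });
  }

  // Manifest V3 puts host patterns in host_permissions; V2 mixed them into permissions.
  const hosts = [
    ...(m.host_permissions || []),
    ...permissions.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  for (const h of hosts) {
    if (BROAD_HOST_PATTERNS.includes(h)) {
      findings.push({ permission: h, reason: "can read and change data on every website" });
    }
  }

  // Google Drive access is requested through OAuth scopes, not the permissions list.
  const scopes = (m.oauth2 && m.oauth2.scopes) || [];
  for (const s of scopes) {
    if (s === FULL_DRIVE_SCOPE) {
      findings.push({ permission: s, reason: "full read/write access to the whole Google Drive" });
    }
  }
  return findings;
}

// True when the manifest requests none of the flagged capabilities.
function isLeastPrivilege(manifestJson) {
  return auditManifest(manifestJson).length === 0;
}

// Constructed sample: a puzzle game asking for far more than a game needs.
const OVERBROAD_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example Puzzle Game (constructed)",
  version: "1.0",
  permissions: ["storage", "proxy", "usb", "nativeMessaging", "tabs"],
  host_permissions: ["<all_urls>"],
  oauth2: { client_id: "CLIENT_ID_PLACEHOLDER", scopes: [FULL_DRIVE_SCOPE] },
});

// Constructed sample: the same game limited to what it actually uses.
const MINIMAL_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example Puzzle Game (constructed)",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://game.example/*"],
});

for (const [label, manifest] of [["over-broad", OVERBROAD_MANIFEST], ["minimal", MINIMAL_MANIFEST]]) {
  console.log(`${label}: least privilege = ${isLeastPrivilege(manifest)}`);
  for (const f of auditManifest(manifest)) console.log(`  ${f.permission}: ${f.reason}`);
}
```

The over-broad manifest yields six findings (proxy, usb, nativeMessaging, tabs, the all-sites host pattern and the full Drive scope); the minimal one yields none. Run it as `node audit.js` against a manifest read from disk by replacing the constructed strings with `fs.readFileSync("manifest.json", "utf8")`.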
Hope it helps.