
Sunday 15 July 2018

HOW TO CHECK THE SECURITY OF YOUR GOOGLE CHROME EXTENSIONS


Have you ever found that Chrome started acting weird after you added an extension, or discovered that you were being served malicious content after a Google search?
The questions to ask are: do you have Chrome extensions installed, and do you bother verifying the source of these extensions before installing them?

There is no doubt that Google Chrome has become the de facto standard browser, with nearly 60 percent of market share across all platforms as of June 2018.

Aside from its easy-to-use interface, security and speed, one of its main features is its wide range of extensions, which cover many niches and needs.

What are Chrome extensions?

Chrome extensions are small applications that reside inside Google Chrome. They are built on web technologies like HTML, JavaScript and CSS. They add specific functionality to Google Chrome’s broad capabilities.

Can Chrome Extensions be dangerous?

Chrome extensions are small plugin apps that reside within your browser. Therefore, they could potentially have full access to all your data in your browser, such as the websites you visit, the content of these websites, what you enter in forms (e.g. passwords), and more.

Chrome extensions have a layered permission system that could potentially narrow an individual extension’s access to your data to what the extension really needs. But such a system is only as effective as the people who are using it. If you accept every permission a Chrome extension asks for without a second thought, nothing can be done.

While Google scans every Chrome extension that is submitted to Chrome Web Store, there are still some malicious ones that slip through the net. And as if things are not bad enough, Google Chrome allows extensions to be installed from third-party websites through something called the inline install API. The good news is that the search behemoth has announced that this functionality will be gradually phased out. From Chrome 71 in early December 2018, the inline install API for Google Chrome will be completely removed from developers’ options.

There are a lot of scenarios that could make an extension dangerous, even after it has been installed. So you have to keep an eye on your Chrome extensions, not only when installing, but also after they have been installed.

WHAT TO DO BEFORE INSTALLING CHROME EXTENSION

Make sure you really need the extension

This one is not about the extension you intend to install but rather about proper security hygiene. Every piece of functionality that you add to your system increases your possible attack surface. There are several cool and funny things out there, but if you don’t really need one, don’t install it.

Create a dummy Chrome profile to check out possible extensions first

If you are like me, you can’t always adhere to the previous rule. Checking new software is not only fun but may be part of your day-to-day work. After all, how would you know if a Chrome extension will help you increase your productivity without installing it? Creating a new dummy Chrome profile for testing purposes is a reasonable precaution that can help prevent a lot of tears.

Never install an extension from outside of the Chrome Web Store

Google has already enforced this policy for Chrome extensions that are published after June 12th, 2018. But if you have previously installed an extension from somewhere outside of Chrome Web Store, uninstall it now and look for an official alternative on Chrome Web Store.


Make sure you are installing the right extension

This may sound too easy but it isn’t. Earlier this year AdGuard, a company that offers ad blocking products, revealed a list of five malicious Chrome extensions that in all had compromised over 20 million users. Here’s the list of the malicious extensions:

AdRemover for Google Chrome™ (10M+ users)
uBlock Plus (8M+ users)
Adblock Pro (2M+ users)
HD for YouTube™ (400K+ users)
Webutation (30K+ users)

Now have a look at the following list of legitimate extensions:

AdBlock (10M+ users)
Adblock Plus (10M+ users)
AdBlocker Ultimate (750K+ users)
uBlock (500K+ users)
uBlock Origin (10M+ users)
uBlock Plus Adblocker (800K+ users)
And many, many more…

Check out the extension’s website

Not every Chrome extension has a website. There are some popular ones that are programmed and maintained by individual developers. A professionally made website for a bogus extension is also something that malicious actors can create. But checking the website of an extension gives you a more informed picture and can help you make a better decision.

Check the permissions when installing

The permissions an extension asks for should make sense and be as narrow as possible (e.g. a screen capture extension doesn’t need read access to all your data). Keep the extension’s description in mind. If it claims to add functionality to a specific service like Gmail but wants access to all your data on all the domains you visit, don’t install it.

Check the extension’s code

And finally, if you have the skills and necessary time, check the extension’s code. Chrome extensions are built on web technology like JavaScript, HTML, and CSS. So the code is usually readable unless the developers have somehow obfuscated it. Many extensions are hosted on GitHub where you can easily view and download them. The rest you can view in your browser’s Developer Tools or find on your hard drive.
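
The permission check and the code check described above can start from the extension's manifest.json. The following is an added example, not code from the original post: it flags all-site host patterns, sensitive API permissions, and hosts outside the service the description names. The function names, the expectedHosts parameter and the sample manifest are assumptions made for illustration.

```javascript
// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Chrome API permissions that expose sensitive browser data or control.
const SENSITIVE_APIS = new Set([
  "tabs", "cookies", "history", "webRequest", "webRequestBlocking",
  "management", "debugger", "proxy", "clipboardRead", "nativeMessaging",
]);

// Host match patterns carry a scheme; API permissions are bare words.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// True if the pattern's host is an expected host or a subdomain of one.
function withinExpected(pattern, expectedHosts) {
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  if (!m || !m[1] || m[1] === "*") return false;
  const bare = m[1].replace(/^\*\./, "");
  return expectedHosts.some((e) => bare === e || bare.endsWith("." + e));
}

// expectedHosts (an assumption of this example): hosts the description names.
function auditManifest(manifest, expectedHosts) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 keeps hosts here
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const item of new Set(declared)) {
    if (BROAD_HOSTS.has(item)) {
      findings.push({ level: "high", item, why: "access to all sites" });
    } else if (isHostPattern(item)) {
      if (!withinExpected(item, expectedHosts))
        findings.push({ level: "medium", item, why: "host outside described service" });
    } else if (SENSITIVE_APIS.has(item)) {
      findings.push({ level: "medium", item, why: "sensitive browser API" });
    }
  }
  return findings;
}

// Constructed manifest: claims to be a Gmail helper but asks for far more.
const sampleManifest = {
  name: "Example Gmail Helper", manifest_version: 2,
  permissions: ["storage", "tabs", "cookies", "https://mail.google.com/*", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
console.log(auditManifest(sampleManifest, ["mail.google.com"]));
```

To audit a real extension, read its manifest.json, parse it with JSON.parse and pass the result to auditManifest together with the hosts its description mentions.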

Final thoughts

Chrome Web Store is a jungle full of wonders, both good and bad. So if you go out exploring, go prepared and if you decide to take something extraordinary home with you, think twice.

