Day 4: The Dangers of Chrome Extensions

Today's post is going to go into the details of how permissions work for Chrome extensions and the dilemma about trading off real security vs. perceived security.

When you install a Chrome extension, the extension often needs special permissions to be able to work properly. There are two dimensions for how an extension asks for permissions:

When the extension asks for permissions
What permissions the extension asks for

The Typical Approach

The When

The most common practice used is to request permissions when the user installs the extension from the Chrome Web Store:

This is the easiest implementation for developers, but for users, there's a major downside. You simply have no idea why they're asking for the permissions they want. If you care about your privacy and security, you should know why an extension requires the permissions that it asks for. But most of the time, you get no explanation at all.

The What

And worse yet, Chrome extensions often ask for permissions that they don't need. Take the case of the "Magic Actions for YouTube" extension above. This extension provides extra features for using youtube.com. So why does it need to be able to "Read and change all your data on the websites you visit"? To be clear, that means that they can read and change data (i.e. run arbitrary Javascript) on all websites.

I don't think most people realize just how scary this permission is. When you grant this permission, the extension can do lots of things you probably didn't expect:

Log all of your keystrokes (including passwords, credit card information, etc.) on all websites
Snoop on all of your browsing activity, including what pages you visit, how long you spend on them, and what the content of those pages are (including private emails and messages)
Take screenshots of all the pages you visit
Perform any action on any page, such as sending unauthorized messages to your contacts

Those are just things I thought of in a few minutes. The possibilities for exploitation are endless.

When you try to install an extension and it asks for permissions to "read and modify all your data" on websites beyond the ones it's supposed to change, it should be a huge red flag. In the best case, the developer was too lazy to specify only the websites required (this should still be a dealbreaker). In the worst case, they're harvesting your data in ways that could be extremely harmful.

And this isn't just a hypothetical concern. Many users have reported the extension above, Magic Actions for YouTube, doing alarming things and it's not uncommon to hear about extensions gone rogue. (I've experienced this firsthand after selling an extension and discovering that the new owners were doing shady things with it, but that's a story for another time.)