In light of the recent DataSpii browser extension leak, where millions of users had their data tracked and sold by seemingly benign browser extensions, it’s worth running a check on other Chrome add-ons you may have installed, or are thinking of installing, to sniff out any bad actors.
To do so, we’ll be using a piece of lightweight software called Chrome Extension Source Viewer that can uncover potentially shady behaviours, like the ability to execute remote code.
The abuse I've seen repeatedly is not of webRequest API: unethical blockers ripping the code base of legitimate blockers, but with an added permission which allows execution of remote code in extension context. https://t.co/8T2gmoBpr9
— R. Hill (@gorhill) June 13, 2019
Before we get to the steps, we should point out that this tool may not catch every dangerous browser extension. The DataSpii add-ons got away with widespread data-tracking by tricking Google and hiding their malicious activity, and it’s possible others could, too. Also, the tool might identify extensions that are completely fine. This is only one item in your security toolbag. Some due diligence will still be required to separate good extensions from bad extensions, but at least you’ll have a better idea of what to look up.
Getting started with Chrome Extension Source Viewer
Install the Chrome Extension Source Viewer add-on.
Open the Chrome Web Store page for each extension you wish to check.
While on the Chrome Web Store page for an extension, click on the Chrome Extension Source Viewer “CRX” icon next to the URL bar.
Click “View Source”.
Wait for the new page to fully load, then find and open the “manifest.json” file.
Press F3 or “CTRL+F” to open the page search, and look for “unsafe-eval.”
What does this mean? The “unsafe-eval” content security policy indicates that a particular extension can execute remote code. That can be a security risk depending on what the extension is actually doing — a big enough one, to note, that Mozilla doesn’t allow Firefox extensions in its directory that are set up like this:
“...extensions with ‘unsafe-eval’, ‘unsafe-inline’, remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.”
Again, “unsafe-eval” doesn’t necessarily mean an extension is operating in bad faith. However, it does indicate that you might want to give that extension more scrutiny. Search the web to see if there are any problematic reports about it. If you’re looking to cut down on the number of browser extensions you use — a great security practice — this might help you identify extensions you don’t really use all that much and can safely remove.
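If you would rather automate the manifest.json check from the steps above, here is an added example (not code from the article or from the Chrome Extension Source Viewer project) that reads a manifest, extracts the content security policy that applies to the extension’s own pages, and flags the sources Mozilla’s policy names: ‘unsafe-eval’, ‘unsafe-inline’, remote hosts and blob:. The sample manifest is a constructed stand-in, not a real extension.

```python
import json

# Constructed sample manifest (not a real extension): a Manifest V2 add-on
# whose CSP relaxes script-src with 'unsafe-eval' and a remote host.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Extension (constructed sample)",
    "version": "1.0",
    "content_security_policy":
        "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
})

# Policy Chrome applies when a manifest declares no CSP at all.
DEFAULT_CSP = "script-src 'self'; object-src 'self'"


def extension_csp(manifest: dict) -> str:
    """Return the CSP applied to the extension's own pages.

    Manifest V2 stores it as a string; Manifest V3 stores a dict whose
    'extension_pages' entry covers popup, background and options pages.
    """
    csp = manifest.get("content_security_policy", DEFAULT_CSP)
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", DEFAULT_CSP)
    return csp


def script_sources(csp: str) -> list:
    """Split a CSP into directives and return the script-src source list."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src when absent, then to 'self'.
    return directives.get("script-src") or directives.get("default-src") or ["'self'"]


def csp_findings(manifest_json: str) -> list:
    """Return the risky script sources declared in a manifest.json string."""
    findings = []
    for src in script_sources(extension_csp(json.loads(manifest_json))):
        low = src.lower()
        if low in ("'unsafe-eval'", "'unsafe-inline'"):
            findings.append(f"{src}: lets code that is not in the package run")
        elif low.startswith(("http:", "https:", "blob:", "*")):
            findings.append(f"{src}: remote or blob script source")
    return findings
```

An empty list means the extension only runs scripts shipped inside its own package; anything else is a prompt for the extra scrutiny described above, not proof of bad intent.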
Never install an extension declaring `unsafe-eval`/`unsafe-inline` in its manifest.json file.
— R. Hill (@gorhill) July 18, 2019