Advice Request Are my chrome extensions safe?

[shmu26]

I have a few chrome extensions that I have been using and trusting for a long time.
Now I am wondering whether they might be harvesting login credentials or other sensitive info, or perhaps they are being exploited by third party actors for that purpose.

For instance, I have an extension called Disable HTML5 Autoplay
It has permissions like this: read and change all your data on the websites you visit.
The dev seems to have a respectable presence on Github, but how do I know whether he uses the right security measures?

I have another extension, for Gmail, called Gmelius
It has similar permissions, but limited to certain google domains.

I don't really care if someone finds out what I am planning on buying my wife for her birthday, but I don't want them to finance their own purchases from my banking account...

 

[Evjl's Rain]

I have a few chrome extensions that I have been using and trusting for a long time.
Now I am wondering whether they might be harvesting login credentials or other sensitive info, or perhaps they are being exploited by third party actors for that purpose.

For instance, I have an extension called Disable HTML5 Autoplay
It has permissions like this: read and change all your data on the websites you visit.
The dev seems to have a respectable presence on Github, but how do I know whether he uses the right security measures?

I have another extension, for Gmail, called Gmelius
It has similar permissions, but limited to certain google domains.

I don't really care if someone finds out what I am planning on buying my wife for her birthday, but I don't want them to finance their own purchases from my banking account...

I think with HTML5 autoplay disabler, those permissions are reasonable because it has to read the contents in the websites and disable html5 videos
I suggest if you wanna check if the extensions are relatively safe or not, you can scan the crx files with herdProtect or reasoncore because their engine can detect bad google chrome extensions. if there is detection, we should avoid them but if no detection, we should also be careful

 

[_CyberGhosT_]

This can't be answered difinitively shmu26
Lets say you do your homework and the Dev's all check out
and you feel good trusting them, who's to say later they don't
get paid or motivated to change sides ?
It's a game of hit and miss, I would say just be careful with the
lesser known publishers and decide weather it's a Plug in or add on
that you "want" or "need"
Remember they can be exploited by 3rd parties as well, so answering this
with any certainty is not possiable

 

[shmu26]

I think with HTML5 autoplay disabler, those permissions are reasonable because it has to read the contents in the websites and disable html5 videos
I suggest if you wanna check if the extensions are relatively safe or not, you can scan the ocx files with herdProtect or reasoncore because their engine can detect bad google chrome extensions. if there is detection, we should avoid em but if no detection, we should also be careful

how do I find the ocx files?
I have use zemana and hitmanpro scanners, and they didn't flag my extensions, if that means anything.

 

[SHvFl]

This can't be answered difinitively SHvFI
Lets say you do your homework and the Dev's all check out
and you feel good trusting them, who's to say later they don't
get paid or motivated to change sides ?
It's a game of hit and miss, I would say just be careful with the
lesser known publishers and decide weather it's a Plug in or add on
that you "want" or "need"
Remember they can be exploited by 3rd parties as well, so answering this
with any certainty is not possiable

It's not me

On topic if you don't trust something @shmu26 don't install it. If you trust it install and relax. We can't have 100% guarantee on anything in life.

Also gmail apps should use oauth. If they need you to login don't.

 

[shmu26]

truth is, even some of our favorite extensions, like ublock origin, have the same kind of super permissions. But we have placed our trust in their hands because we need them.

 

[Evjl's Rain]

how do I find the ocx files?
I have use zemana and hitmanpro scanners, and they didn't flag my extensions, if that means anything.

sorry my mistake .crx file
you can follow the guide here
What's a CRX File and How Do You Open One?

 

[SHvFl]

truth is, even some of our favorite extensions, like ublock origin, have the same kind of super permissions. But we have placed our trust in their hands because we need them.

Yeah we need to trust them at some degree. Not much you can do it's not like you can inspect the code. It's like trusting any other application you use and those have way more permissions and ability to track you.

 

[shmu26]

Yeah we need to trust them at some degree. Not much you can do it's not like you can inspect the code. It's like trusting any other application you use and those have way more permissions and ability to track you.

I have a little app on my PC called gmail notifier pro. I always wondered whether that is secure or not.

 

[SHvFl]

I have a little app on my PC called gmail notifier pro. I always wondered whether that is secure or not.

Never used it but i don't see the point in using it either. If you want it for notification gmail can already do that with Chrome even when it's closed. If you want it as desktop email client get a proper one.

 

[shmu26]

Never used it but i don't see the point in using it either. If you want it for notification gmail can already do that with Chrome even when it's closed. If you want it as desktop email client get a proper one.

I have always found the gmail chrome notifications on desktop to be extremely erratic and unreliable. I could never figure out why one out of four messages coming into my inbox would trigger a notification.

 

[SHvFl]

I have always found the gmail chrome notifications on desktop to be extremely erratic and unreliable. I could never figure out why one out of four messages coming into my inbox would trigger a notification.

Hmm weird. I would try Checker Plus for Gmail then if i was you. It's solid.

Checker Plus for Gmail™

 

[shmu26]

Hmm weird. I would try Checker Plus for Gmail then if i was you. It's solid.

Checker Plus for Gmail™

I decided to give the built in notifications another try, and so far, so good. I noticed they added an extra link to click on, when you enable the notifications. Maybe that solved my prob...

 

[SHvFl]

I decided to give the built in notifications another try, and so far, so good. I noticed they added an extra link to click on, when you enable the notifications. Maybe that solved my prob...

Yeah it asks you to enable notifications. It's 100% reliable for me tbh.

 

[cruelsister]

Shmu- Sadly it's hard to say if your browser extensions are good or malicious. Totally aside from those creating malicious extensions from inception (fairly easy to do with either BeEF or Ravan), a developer may sell a formerly non-malicious extension to some third party, and the new owners can re-code the extension into something nasty while still using the valid credentials from the original coder.

This year in Cisco's Annual Security Report they highlighted the browser extension issue, a taste of what they said here:

"Across the 45 companies in our sample, we determined that in every month we observed more than 85 percent of organizations were affected by malicious browser extensions—a finding that underscores the massive scale of these operations. Because infected browsers are often considered a relatively minor threat, they can go undetected or unresolved for days or even longer—giving adversaries more time and opportunity to carry out their campaigns."

 

[Dirk41]

Better to use as less extensions as possible . Ublock origin ( adding some filters ) and maybe VT are enough . I removed even bitdefender TL
And SBIE . Everything else maybe is too much