Status
Not open for further replies.

JuanitoES

From Extension Police
Developer
Verified
Joined
Feb 27, 2018
Messages
9
Operating System
MacOS High Sierra
#1
Hi Guys,

I am the developer of Extension Police, a new Chrome Extension to monitor what other Chrome Extensions can do in your browser.

Why did I develop this extension?

I already developed 5 other Chrome Extensions. Some of my extensions are quite popular with 50.000+ users. Then, while testing the security aspect of the Chrome Extensions I developed, I figured out that the permissions of these extensions allowed me to do scary things. For anyone who installed my extensions, I could:
- take a screenshot of any screen from any tab (even if he did not visit the tab)
- I could save their cookies and place the cookie on any server to log in to their Facebook, or any other password-protected website (except if there was a second security like a second factor, or a token, ...).
- Injecting JS, I could steal their passwords while they were writing them, I could steal any information while they were filling forms.
- I could visit websites in the background without asking for their permission. By the way, a very popular extension "Hola Internet" is actually making a business out of this feature and is scraping Google with your IP in the background and is selling the data to customers through luminati.io, their sister company.

DISCLOSURE: actually I am a good guy, so I did all the testing with a friend and I never intruded into my user's browsing.

Other things can be done:
- using your Facebook account I could "like" anything in your name, without your permission.
- I have been contacted by monetizus.com, a Ukrainian advertising network, specialized in ad injection. They offered me to inject ads; basically they would use the authorizations of my extension to replace ads on any websites with their ads, for anyone who installed my extensions. They offered to share revenue.
- You have certainly heard of extensions mining crypto using your browser in the background.

If you are interested in this field, I suggest you read this report from Google researchers: Trends and Lessons from Three Years Fighting Malicious Extensions

How to protect yourself?
1) When you install a new extension, if the extension asks for the permission to "Read and change all your data on the websites you visit" -> Watch out, this permission could potentially do all the things mentioned above.
2) If you accept and install this extension, make sure you trust the publisher.
3) Use Incognito windows anytime you access critical websites: your bank, your email, your LinkedIn, your CRM and all your company Web Services.


The future of Extension Police?

The next development steps are:
- providing more information about the developers of each Chrome Extension, maybe create a whitelist.
- Critical websites: users provide a list of their critical websites (Bank, email, Facebook, company database, ...) and "Extension Police" will block all the "potentially dangerous" extensions while the user visits their critical websites.
- Monitor what other extensions are doing in the background: this seems a bit more complicated since I will need to access the console for each extension and monitor if they perform strange activity in the background.

As of today, Extension Police is 100% free, maybe in the future I will add a pricing for companies, but single users will always be able to use it for free.

Your feedback is very welcome :coffee:

Thanks

Juanito
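
The permission check described in the post above, as an added example that is not part of the original post and is not Extension Police's code. The objects use the field names of `chrome.management` `ExtensionInfo` (`permissions`, `hostPermissions`, `enabled`); the sample extensions, their ids and the finding texts are constructed for illustration.

```javascript
// Host patterns that match every website. Granting one of these is what
// produces the "Read and change all your data" install warning.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Constructed sample data. Inside an extension holding the "management"
// permission, the same shape is returned by chrome.management.getAll().
const SAMPLE_EXTENSIONS = [
  { id: "constructed-id-1", name: "Constructed Reader Mode", enabled: true,
    permissions: ["activeTab"], hostPermissions: ["*://*/*"] },
  { id: "constructed-id-2", name: "Constructed Notes", enabled: true,
    permissions: ["storage"], hostPermissions: [] },
  { id: "constructed-id-3", name: "Constructed Coupon Helper", enabled: true,
    permissions: ["cookies", "tabs", "storage"], hostPermissions: ["<all_urls>"] },
  { id: "constructed-id-4", name: "Constructed Old Toolbar", enabled: false,
    permissions: ["cookies"], hostPermissions: ["<all_urls>"] },
];

// List what the granted permissions make possible on every site.
// An extension without broad host access returns an empty list.
function riskyCapabilities(ext) {
  const perms = new Set(ext.permissions || []);
  const hosts = ext.hostPermissions || [];
  const findings = [];
  if (!hosts.some((h) => BROAD_HOSTS.has(h))) return findings;
  findings.push("read and change page content on every site");
  // The cookies API only works for hosts the extension has access to.
  if (perms.has("cookies")) findings.push("read cookies for every site");
  // tabs.captureVisibleTab needs <all_urls> (or activeTab on user action).
  if (hosts.includes("<all_urls>")) findings.push("capture the visible tab as an image");
  return findings;
}

// Report enabled extensions with at least one finding, riskiest first.
function auditExtensions(extensions) {
  return extensions
    .filter((ext) => ext.enabled)
    .map((ext) => ({ id: ext.id, name: ext.name, findings: riskyCapabilities(ext) }))
    .filter((row) => row.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

for (const row of auditExtensions(SAMPLE_EXTENSIONS)) {
  console.log(`${row.name} (${row.id}): ${row.findings.join("; ")}`);
}
```
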
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#20
Thank you guys.

If you have specific requests to secure Chrome and its Extensions, I am your man ;-)

"What happened" Series Today


OK, so what happened to the Chrome extension called ScriptBlock:
ScriptBlock
version 1.4
A smart extension that controls javascript, iframes, and plugins on Google Chrome.
ID: hcdjknjpbnhdoabbngpmfekaecnpajba

- in my extensions page, this extension has the note: "This extension violates the Chrome Web Store policy."
I've disabled it for now, but it works, if enabled...is it safe to use, please?
--------------------------------------------------------------------------

Another question, if you wish:
What happened with the "Remove Redirects" extension: chrome_extensions/Remove-Redirects at master · eladkarako/chrome_extensions · GitHub
... and what happened with the home pages of the developer, please?
-------------------------------------------------------------------------

Where are you, my AdBlock...
AdBlock
10.0.6
"AdBlock with bonus functionality" (...Safe Preview of each link on Google results page, with 7 engines, showed SafePreview icon near cursor:
Enable "Is it Safe"
Enable "Live" Preview
Show "Icons" near cursor
- with these engines:
Google Advisory
McAfee
Norton
WOT
Avast Online
Trustwave SecureBrowsing
DrWeb


ID: icmbdchmgaaihfdlphhcdlecjehdngbk

So why do we have the error page for the very good AdBlock Chrome extension, removed by Google from my browsers: https://chrome.google.com/webstore/detail/icmbdchmgaaihfdlphhcdlecjehdngbk
------------------------------------------------------------------------

... and a 4th question, if you have the patience with me... what happened with:
Insight™ (brief website analytics)
version 0.1.4
Provides website information such as Rank, and checks URLs against suspected pages.
ID: dhmaijbfhigndmlifekndpiklbgjpkgl
- popup is empty.

So Juanito, are you Police or not? :cool:
 