- Feb 27, 2018
- 9
Hi Guys,
I am the developer of Extension Police , a new Chrome Extension to monitor what other Chrome Extensions can do in your browser.
Why I developed this extension?
I already developed 5 other Chrome Extensions. Some of my extensions are quite popular with 50.000+ users. Then, while testing the security aspect of the Chrome Extensions I developed, I figured out that the permissions of these extensions allowed me do scary things. For anyone who installed my extensions, I could:
- take screenshot of any screen from any tab (even if he did not visit the tab)
- I could save their cookies and place the cookie in any server to to login into their facebook, or any other password protected websites (expect if there was a second security like a second factor, or a token,...).
- Injecting JS, I could steal their passwords while they where writing them , I could steal any information while they were filling forms.
- I could visit website in the background without asking for their permission. By the way, a very popular extension "Hola Internet" is actually make a business out this feature and is scraping google with your IP in your background and is selling the data to customer through luminati.io , their sister company.
DISCLOSURE: actually I am a good guy, so I did all the testing with a friend and I never intruded into my user's browsing.
Other things can be done:
- using your facebook account I could "like" anything in your name, without your permission.
- I have been contacted by monetizus.com an Ukrainian advertising network, specialized in ad injection. They offered me to inject ads; basically they would use the authorizations of my extension to replace ads on any websites with their ads, for anyone who installed by extensions. They offered to share revenue.
- You have certainly heard of extensions mining crypto using your browser in the background
If you are interested in this field, I suggest you read this report from Google researchers: Trends and Lessons from Three Years Fighting Malicious Extensions
How to protect yourself ?
1) when you install a new extension, if the extension ask the permission to "Read and change all your date on the websites you visit" -> Watch out, this permission could potentially do all the things mentioned above.
2) If you accept and install this extension, make sure you trust the publisher.
3) Use Incognito windows anytime you access critical websites: your bank, your email, your linkedin, your CRM and all your company Web Services.
The future of Extension Police ?
The next development steps are:
- providing more informations about the developers for each Chrome Extensions, maybe create a whitelist.
- Critical websites: users provide a list of their critical websites (Bank, email, facebook, company database,..) and "Extension Police" will block all the "potentially dangerous" extensions while the user visit their critical websites.
- Monitor what other extensions are doing in the background: this seems a bit more complicated since I will need to access the console for each extension and monitor if they preform strange activity in the background.
As of today, Extension Police is 100% free, maybe in the future I will add a pricing for companies, but single users will always be able to use it for free.
Your feedbacks are very welcome
Thank
Juanito
I am the developer of Extension Police , a new Chrome Extension to monitor what other Chrome Extensions can do in your browser.
Why I developed this extension?
I already developed 5 other Chrome Extensions. Some of my extensions are quite popular with 50.000+ users. Then, while testing the security aspect of the Chrome Extensions I developed, I figured out that the permissions of these extensions allowed me do scary things. For anyone who installed my extensions, I could:
- take screenshot of any screen from any tab (even if he did not visit the tab)
- I could save their cookies and place the cookie in any server to to login into their facebook, or any other password protected websites (expect if there was a second security like a second factor, or a token,...).
- Injecting JS, I could steal their passwords while they where writing them , I could steal any information while they were filling forms.
- I could visit website in the background without asking for their permission. By the way, a very popular extension "Hola Internet" is actually make a business out this feature and is scraping google with your IP in your background and is selling the data to customer through luminati.io , their sister company.
DISCLOSURE: actually I am a good guy, so I did all the testing with a friend and I never intruded into my user's browsing.
Other things can be done:
- using your facebook account I could "like" anything in your name, without your permission.
- I have been contacted by monetizus.com an Ukrainian advertising network, specialized in ad injection. They offered me to inject ads; basically they would use the authorizations of my extension to replace ads on any websites with their ads, for anyone who installed by extensions. They offered to share revenue.
- You have certainly heard of extensions mining crypto using your browser in the background
If you are interested in this field, I suggest you read this report from Google researchers: Trends and Lessons from Three Years Fighting Malicious Extensions
How to protect yourself ?
1) when you install a new extension, if the extension ask the permission to "Read and change all your date on the websites you visit" -> Watch out, this permission could potentially do all the things mentioned above.
2) If you accept and install this extension, make sure you trust the publisher.
3) Use Incognito windows anytime you access critical websites: your bank, your email, your linkedin, your CRM and all your company Web Services.
The future of Extension Police ?
The next development steps are:
- providing more informations about the developers for each Chrome Extensions, maybe create a whitelist.
- Critical websites: users provide a list of their critical websites (Bank, email, facebook, company database,..) and "Extension Police" will block all the "potentially dangerous" extensions while the user visit their critical websites.
- Monitor what other extensions are doing in the background: this seems a bit more complicated since I will need to access the console for each extension and monitor if they preform strange activity in the background.
As of today, Extension Police is 100% free, maybe in the future I will add a pricing for companies, but single users will always be able to use it for free.
Your feedbacks are very welcome
Thank
Juanito
