New Update Extension Police

How many active Chrome Extension do you currently have:


  • Total voters
    26
Status
Not open for further replies.

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
NEW defender for your Chrome: Extension Police
GolxeKUA_vFIP361wZeNSdjvlnMCAd2nlNYBk9VnpjyDDwfMsjcciaLnv7ULyn8E0e5KAX235Q=w26-h26-e365
GolxeKUA_vFIP361wZeNSdjvlnMCAd2nlNYBk9VnpjyDDwfMsjcciaLnv7ULyn8E0e5KAX235Q=w26-h26-e365
GolxeKUA_vFIP361wZeNSdjvlnMCAd2nlNYBk9VnpjyDDwfMsjcciaLnv7ULyn8E0e5KAX235Q=w26-h26-e365
GolxeKUA_vFIP361wZeNSdjvlnMCAd2nlNYBk9VnpjyDDwfMsjcciaLnv7ULyn8E0e5KAX235Q=w26-h26-e365
GolxeKUA_vFIP361wZeNSdjvlnMCAd2nlNYBk9VnpjyDDwfMsjcciaLnv7ULyn8E0e5KAX235Q=w26-h26-e365

On Chrome Web Store: Extension Police
offered by extensionpolice.com
Version: 0.1.0
Updated: January 31, 2018
Size: 91.17KiB

Detect and block malicious Chrome Extensions
Keep chrome fast:
> quickly enable/disable Google Chrome extensions

Security and Privacy check of your all your Chrome Extensions:
> It detects all Extensions threats: Ads-injecting, Facebook credentials hijacking, insert tracking pixels, google scraping in the background, privacy issues, malware, mining of crypto currencies in the background, etc.
Then you decide which extension you want to enable/disable.
Enable/disable all your chrome extensions in 1 click
> secure your browser when you visit critical websites (bank, email,..) and disable all Google Chrome extensions in 1 click.

IT IS IMPORTANT THAT YOU TAKE CONTROL OF YOUR CHROME EXTENSIONS:
Most of your Chrome Extension have unlimited access of all your browsing:
- they could potentially steal your personal data, the content of all your emails, your banking details, your customer's data and all the content of all the websites open in all your tabs, even when you do not visit them.
- They have an easy access to all your passwords as you insert them. They could potentially stole them.
- They could very easily store your cookies and access, on your behalf, all your apps, emails, bank accounts, from remote servers.

While monitoring the activity of certain popular extensions like Hola Internet , counting 9 millions users (don't install !), we found that certain Extensions are visiting websites on our behalf, in the background of our browsers, without our explicit consent.

FREAKY ISN'T IT ?

Then we found that 80% of extension's developers don't have websites or don't have a support email or are hiding their personal data behind anonymous services. Many are located in countries where data privacy is not a concern.
So, it is time to take control on your extensions.

____________________________________

.. but for now: 10 users, and "Offers in-app purchases" - it's legitimate and safe I hope, I don't have installed it for now... what do you think about

Today on store , this extension "Extension Police" has 16 users, and first comments:

"Great extension: I had 7 potential threats! I cleaned the mess with all my extensions. Super useful."
... and another user wrote: 'Excelente."


- So it's time to download it, and get impressions here, I think

EDIT:
Well, downloaded it.
I have one extension with "Safe" rate, if not all my other extensions are "Medium potential risk" or "High potential risk".

- "Safe" - it's TrafficLight - Bitdefender extension.

Example of "High potential risk" rate:
BehindTheOverlay - "High potential risk"
Chrome Extension:
chromestore24.png

Description: One click to close any overlay on any website.
1 permission granted:
Tip: use this extension only if you trust the publisher.
This extensions has access to all the content of all the pages that you are visiting, including: your emails, banking details, any software that you use, password, cookies. It can also visit any website, from your computer, with a hidden browser, and without your knowledge.
activeTab: Read and modify all your data on all active tabs

- well, I use my BehindTheOverlay extension, I'm taking the risk, cause I trust the publisher NicolaeNMV: GitHub - NicolaeNMV/BehindTheOverlay: One button to close any overlay on any website - thanks for this tip.

Another example:
Nano Adblocker: "High potential risk"
Chrome Extension:
chromestore24.png

Description: Just another adblocker
8 permissions granted:
Tip: use this extension only if you trust the publisher.
This extensions has access to all the content of all the pages that you are visiting, including: your emails, banking details, any software that you use, password, cookies. It can also visit any website, from your computer, with a hidden browser, and without your knowledge.
All URLs: Read and modify all your data on All URLs
privacy: Manipulate privacy-related settings
webNavigation: Access your browsing activity
webRequest: Observe and analyze traffic and to intercept, block, or modify requests
storage: Store, retrieve, and track changes to your user data
tabs: Create, modify, and rearrange Tabs in the browser
webRequestBlocking: Block traffic requests in-flight
contextMenus: Gives access to your main Chrome menu: File, Edit, View,...
unlimitedStorage: Provides an unlimited quota for storing HTML5 client-side data

- OK., I love nano Adblocker, if I love it, there's nothing to do...:)

[Some of] these risks we see during download of extensions... but all these rates and comments are enlightening my knowledge about each one, sure. If I trust publishers of my extensions, I use these.
Thank you developers, it's nice of all of you to give us this enlightening extension!
 
Last edited by a moderator:

212eta

Level 9
Verified
Well-known
May 11, 2011
444
"Tip: use this extension only if you trust the publisher."
- so if you trust the developer, everything's fine.
I have trust in him, I trust him.
O.K. for gorhill of uBlock Origin.

But
is there a reason for Not Trusting jspenguin2017 (Hugo Xu)
(i.e. the Developer of Nano Adblocker & Nano Defender)
especially when you introduced Nano Adblocker & Nano Defender HERE? :unsure:
 
Last edited:
  • Like
Reactions: given

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
O.K. for gorhill of uBlock Origin.

But
is there a reason for Not Trusting jspenguin2017 (Hugo Xu)
(i.e. the Developer of Nano Adblocker & Nano Defender)
especially when you introduced Nano Adblocker & Nano Defender HERE? :unsure:

I trust jspenguin2017 (Hugo Xu) developer, of course.
I have never been talking otherwise....
So no reason for not trusting...

- I wrote in another topic:
"my Chromium forks are below version 59 so I'm not able to download Nano Defender, but Nano Adblocker only" - here: Nano Adblocker with Nano Defender
 
Last edited:
  • Like
Reactions: given

JuanitoES

From Extension Police
Verified
Developer
Feb 27, 2018
9
Hi Guys,

I am the developer of Extension Police , a new Chrome Extension to monitor what other Chrome Extensions can do in your browser.

Why I developed this extension?

I already developed 5 other Chrome Extensions. Some of my extensions are quite popular with 50.000+ users. Then, while testing the security aspect of the Chrome Extensions I developed, I figured out that the permissions of these extensions allowed me do scary things. For anyone who installed my extensions, I could:
- take screenshot of any screen from any tab (even if he did not visit the tab)
- I could save their cookies and place the cookie in any server to to login into their facebook, or any other password protected websites (expect if there was a second security like a second factor, or a token,...).
- Injecting JS, I could steal their passwords while they where writing them , I could steal any information while they were filling forms.
- I could visit website in the background without asking for their permission. By the way, a very popular extension "Hola Internet" is actually make a business out this feature and is scraping google with your IP in your background and is selling the data to customer through luminati.io , their sister company.

DISCLOSURE: actually I am a good guy, so I did all the testing with a friend and I never intruded into my user's browsing.

Other things can be done:
- using your facebook account I could "like" anything in your name, without your permission.
- I have been contacted by monetizus.com an Ukrainian advertising network, specialized in ad injection. They offered me to inject ads; basically they would use the authorizations of my extension to replace ads on any websites with their ads, for anyone who installed by extensions. They offered to share revenue.
- You have certainly heard of extensions mining crypto using your browser in the background

If you are interested in this field, I suggest you read this report from Google researchers: Trends and Lessons from Three Years Fighting Malicious Extensions

How to protect yourself ?
1) when you install a new extension, if the extension ask the permission to "Read and change all your date on the websites you visit" -> Watch out, this permission could potentially do all the things mentioned above.
2) If you accept and install this extension, make sure you trust the publisher.
3) Use Incognito windows anytime you access critical websites: your bank, your email, your linkedin, your CRM and all your company Web Services.


The future of Extension Police ?

The next development steps are:
- providing more informations about the developers for each Chrome Extensions, maybe create a whitelist.
- Critical websites: users provide a list of their critical websites (Bank, email, facebook, company database,..) and "Extension Police" will block all the "potentially dangerous" extensions while the user visit their critical websites.
- Monitor what other extensions are doing in the background: this seems a bit more complicated since I will need to access the console for each extension and monitor if they preform strange activity in the background.

As of today, Extension Police is 100% free, maybe in the future I will add a pricing for companies, but single users will always be able to use it for free.

Your feedbacks are very welcome :coffee:

Thank

Juanito
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
Hello JuanitoES - you're welcome in this thread about your extension, you can ask the moderators to merge your another thread here...
- as I already said, it's with confidence, that I posted this topic 3 days only after the release of your extension, it's a record for me! a record of confidence, I trust the publisher, you see.;)

Feature request: Could you increase the usefulness of your extension, by giving feature to hide extensions, please?

I remember an extension that could hide the extensions - I can't remember details... This extension was called "User Agent Switcher" by Glenn Wilson; "But -- the big news! The user-agent switcher extension has been acquired by Google."
Here you have the link of "Glenn's Blog" article about: Glenn's Blog: The User-Agent Switcher Has A New Owner: Google!
This extension is called now: User-Agent Switcher for Chrome : User-Agent Switcher for Chrome
Another link about: spoofer-extension.appspot.com/about: User-Agent Switcher for Chrome
 
Last edited:

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,463
In my case, compared to the mysterious executable file, vigilance of the extension to appeal the convenience I feel loose.
It is an official one, and the recognition that it is safe is amplifying the idea.
However, the beginner who includes me does not have the knowledge which asks the truth.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
...of course they can. Search and you will find the same extensions on FF and Chrome. Check this >> Firefox Extensions Are Malware Magnets :devil:
Let's bring you into 2018.

Source: Why is Firefox moving to web extensions and why addon developers don't like that? • r/firefox
TylerDMozilla - Mozilla Employee said:
The current way add-ons are developed gives add-ons complete control over almost anything in the browser. This makes for very powerful add-ons, but add-ons can also do really bad things (accidentally or on purpose) and we can't make major changes to the browser without breaking all sorts of add-ons (which makes people sad).

Web Extensions is a sort of building block set. It means add-ons can't touch anything in the browser, but can only play with the blocks we provide. We can make all sorts of blocks of different shapes, but it will never be as powerful as the old system of add-ons (where developers could play with anything in the house). However, this lets us do major changes to Firefox without having to worry about breaking add-ons (since we know what the blocks are), and keeps add-ons from doing bad things (accidentally or on purpose)

Add-on developers are not happy that they can only play with the blocks we provide, and we are making them rebuild their add-ons using the official blocks rather than whatever they had been using before.

I've glossed over a TON of details, but that's a simple explanation.

As with any App or Extensions be careful about it's Permissions and check the Reviews before installing.
How to stay safe when downloading Firefox extensions - gHacks Tech News
 

JuanitoES

From Extension Police
Verified
Developer
Feb 27, 2018
9
Hi Prorootect , thank you again for discovering my extension and for publishing it in ML.

I did not know about the acquisition of User-Agent Switcher. I will review the article now.

About your suggestion of "hiding extensions", could you please be more specific ?

As of today, Extension Police gives you the option to activate/deactivate your extension in 1 click, you can also keep your favourite extensions on top of the screen.
I am adding a feature to auto-deactivate all "potentially dangerous extension" when you browse critical pages like your bank, your gmail,...

It would be very nice to know what you mean with "hiding extensions". Thx
 

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
Hi, my feature request to hide extensions - I meant to hide from all potentially bad external visitors (hackers)... I think.
If hackers would like to change something in my extensions - forbid this, hide my extensions...to defend from attacks directed at legitimate extensions.

In my old notebook from September, 2016 I noticed that User Agent Switcher 'could hide extensions' - but I don't remember any details unfortunately...
 
Last edited:

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
So to develop idea: incognito, sandboxed extensions? Is this possible?..

- that would be good idea for another extension rather...would be too heavy for a single extension, I think...

Your extension is complete and very good as well.
 
Last edited:
  • Like
Reactions: Sunshine-boy
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top