Chrome extensions can steal your data — what you can do to mitigate this

Stephen Jonany
3 min read, Jun 12, 2024


TL;DR. That video speed controller extension you have might be sending all your keystrokes to a remote endpoint. One mitigation is to keep only a trustworthy extension manager enabled at all times and let it turn the other extensions on only during non-sensitive browsing sessions. I still don’t know of a perfectly working solution though.

  • EDIT: The per-extension “Allow site access” option is a working solution for me. Thanks Albertus!

Chrome extensions are dangerous. An extension can take screenshots, track keypresses, and send them to any endpoint its author chooses. Even if an extension is not initially malicious, it could eventually become so.

Mitigation. Depending on your paranoia level, you can choose not to install any extension at all, or maybe only install extensions that have a good reputation (but popularity isn’t a good metric). I’ll instead settle for the following: for sites with sensitive content (bank, email), turn off all extensions. Otherwise (e.g. YouTube), it’s OK to activate extensions.

Searching for a solution. To implement the above, what I need is an extension manager. Here are some requirements for the extension manager.

  • Open source. Extension managers can be shady (“… minified to the point of obfuscation”). Since extension managers have to be enabled at all times, they must be trustworthy. To me, this means they must be open source, which means you can (or can rely on experts who can) verify that the code isn’t doing anything sketchy.
  • Version locked. We don’t want extensions that we initially vetted as benign to later be auto-updated into something malicious. Here are some ways to version-lock the extensions.
  • All-on/off toggle. At first I wanted to be able to set rules like “If I alt-tab to a bank site, disable all the extensions before loading the page.” Some extensions seem to approximate this, but I don’t actually know if they’re doing it correctly, or if there’s even a way to. See this and this. So I will just settle for an extension manager that lets me turn off all extensions, after which I manually start my sensitive browsing session.
  • The extension. Searching the web store, the closest thing I can find that fits the bill is this extension: one-click extension manager (code). I’m lazy so I didn’t read through all the code, but the maintainer seems to have a great track record of producing open source software that is used by many people, so I’ll just use this “trust by reputation” heuristic here :)
  • Installing it. I tried installing the extension from GitHub directly but got errors, so I installed it from the Chrome Web Store itself and disabled auto-update. I don’t know if there’s a good way to make this work across devices, or if this setting can get overwritten.
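Vetting (“does this extension have the access it would need to read keystrokes?”) and version locking can both be checked from the extension manifests Chrome keeps on disk. The script below is an added example, not the post’s code or any extension’s; it assumes Chrome’s on-disk layout `<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json`, and the risk lists are this example’s own choice, not an official Chrome rating.

```python
"""Audit Chrome extension manifests for broad host access, sensitive permissions,
and drift from the version that was vetted."""
import json
from pathlib import Path

# Host patterns that give a content script or API access to every site,
# which is what lets an extension read keystrokes on a bank page.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe or exfiltrate what you do.
SENSITIVE_PERMISSIONS = {"tabs", "webRequest", "scripting", "cookies", "history",
                         "desktopCapture", "tabCapture", "clipboardRead", "debugger"}

def audit_manifest(manifest: dict, ext_id: str, pinned: dict) -> list:
    """Return human-readable findings for one manifest; empty list means nothing flagged."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOST_PATTERNS)
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("runs on every site (all-URL host access)")
    for perm in sorted(perms & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive permission: {perm}")
    # Version lock: compare against the version recorded when the extension was vetted.
    installed = manifest.get("version")
    if ext_id in pinned and pinned[ext_id] != installed:
        findings.append(f"version drift: vetted {pinned[ext_id]}, installed {installed}")
    return findings

def audit_profile(extensions_dir: Path, pinned: dict) -> dict:
    """Walk a Chrome profile's Extensions directory and audit every manifest found."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        report[ext_id] = audit_manifest(manifest, ext_id, pinned)
    return report

# Constructed sample: a speed-controller style extension asking for more than it needs.
SAMPLE_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # placeholder id, not a real extension
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Sample Speed Controller", "version": "1.3.0",
    "permissions": ["storage", "tabs", "clipboardRead"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
PINNED = {SAMPLE_ID: "1.2.0"}  # version recorded at vetting time

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, SAMPLE_ID, PINNED):
        print("-", finding)
```

Point `audit_profile` at a real profile’s `Extensions` directory to get the same findings per installed extension id.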

Still an open problem. With this extension, I can at least turn off all extensions when I have a dedicated session for sensitive content (e.g. monthly finance review). But, I still don’t have a good workflow to effectively handle the case when my browsing session has a mixture of sensitive and non-sensitive sites. For example, sometimes I want to both open an untrusted extension (e.g. video speed controller), and have another tab where I have some personal content (e.g. my online notes). Hm. Are there browsers with alternative extension permission models that solve this problem? Is it possible to code up an extension manager that implements the per-page extension enablement correctly despite this challenge? I’m not sure, but if you have better ideas, let me know!

Stephen Jonany

Software engineer at Snowflake ❄️. Previously at Google. Book quotes on engineering, science, productivity, life. linktr.ee/sjonany