Evaluate the Risk of Browser Extension Before Installing It by Reading the Source Code | by https://git.io/ilyaigpetrov

This post is written for Manifest v2; Manifest v3 is not yet released at the moment.

Ok, kids, today we are going to scrutinize the source code of a browser extension to speculate about its risks.
First, you will need to know how to download or view the source code of a browser extension:

  1. Extension for Chromium/Chrome: https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin
  2. Right Click for Firefox: https://superuser.com/questions/771825/how-to-examine-source-code-of-firefox-extension-before-installing-it

The most important file is manifest.json (manifest version 2 standard here, not v3 yet). It looks like this:

{
  "manifest_version": 2,
  "background": {
    "scripts": [ "jquery.min.js", "background.js", "google-analytics.js" ]
  },
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",
  "description": "We offer absolutely free cheese without a mousetrap!",
  "homepage_url": "http://free-cheese.com",
  "browser_action": {
    "default_icon": "cheese-icon-128.png",
    "default_popup": "popup/popup.html"
  },
  "icons": {
    "128": "cheese-icon-128.png"
  },
  "name": "Free Cheese",
  "permissions": [
    "proxy",
    "tabs",
    "webRequest",
    "webRequestBlocking",
    "management",
    "<all_urls>",
    "storage"
  ],
  "short_name": "FreeCheese",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "version": "1.0.4"
}

So in this file you mostly see the "field_name": "field_value" pattern, and the whole document is structured in JavaScript Object Notation (JSON).

Content Security Policy

The most important field is content_security_policy, or just CSP; it defines what scripting tricks are allowed inside the extension.

script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'

This policy is constructed of two policy directives separated by ;:

  1. script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com.
  2. object-src 'self'.

The script-src directive structure is: script-src <source> <source> <source>.... It defines where the code that is executed by your browser may come from.

Remote Code Execution

If the code comes from a remote server, you can't analyse it before downloading, and even if you downloaded and analysed it, the server may still change it at any time to something dangerous that you don't expect. That's why remote code execution should be avoided whenever possible and mustn't be used without a strong reason.

Let's iterate over the sources:

  1. 'self': allows script execution if the code comes from the same origin as the current file (from the same extension archive),
  2. 'unsafe-eval': allows script execution if it comes from any string of characters retrieved from anywhere; in other words it allows execution of code that may come from anywhere, including any remote servers,
  3. https://ssl.google-analytics.com: allows execution of scripts that come from this URL, which obviously belongs to Google Analytics.

So after looking at the CSP of this extension you know that you can't analyse the part of its code that comes from remote servers: the server may serve any dangerous code during any specific time interval or for any specific user identifier it receives in the request coming from the extension.

Rule of thumb: if manifest.json contains 'unsafe-eval', steer away from this extension.

Permissions

Now let's look at the permissions field. This field has many values enclosed in brackets and separated by commas:

{
  "permissions": [
    "proxy",
    "tabs",
    "webRequest",
    "webRequestBlocking",
    "management",
    "<all_urls>",
    "storage"
  ]
}

Technical documentation for developers is here: https://developer.chrome.com/extensions/declare_permissions.
Let's iterate over this example:

  1. management: allows removing other extensions and peeking into what other extensions you have installed.
  2. <all_urls>: allows the extension to access any page on any site while conforming to other permissions. Native pages of the browser (settings page, extensions management page, etc.) are excluded from this rule.
  3. tabs: allows the extension to run code on pages and sites declared by other permissions (like the one above). This code may read data from the page (like your passwords) and pass it to malicious remote servers or modify a page. It allows opening new tabs with unwanted content like ads. It allows spying on sites you visit.
  4. webRequest: allows spying on sites you visit, redirecting you to other sites (e.g., to an affiliate link on aliexpress).
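
The manual review above (the script-src sources in the CSP, then the permissions list) can be automated as a first pass. The following is an added example, not part of the original gist: the function names, the finding format and the permission notes (paraphrased from this page) are assumptions, and the sample manifest is constructed from the one shown earlier.

```javascript
// Added example (Node.js); SAMPLE_MANIFEST is constructed from the manifest shown on this page.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Free Cheese",
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",
  permissions: ["proxy", "tabs", "webRequest", "webRequestBlocking",
    "management", "<all_urls>", "storage"],
});

// Notes paraphrase this page's list; permissions it does not discuss are not flagged.
const PERMISSION_NOTES = new Map([
  ["management", "can list and remove other extensions"],
  ["<all_urls>", "can access pages on any site"],
  ["tabs", "can run code on permitted pages, open tabs, see visited sites"],
  ["webRequest", "can observe visited sites and redirect requests"],
]);

// Split a CSP string into Map(directive -> sources); a repeated directive keeps its first value.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return one finding per risky script-src source or permission.
function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  const csp = manifest.content_security_policy;
  const scriptSrc = typeof csp === "string" ? parseCsp(csp).get("script-src") || [] : [];
  for (const source of scriptSrc) {
    if (source.toLowerCase() === "'unsafe-eval'") {
      findings.push({ field: "csp", value: source, note: "strings can be executed as code" });
    } else if (!source.startsWith("'")) {
      findings.push({ field: "csp", value: source, note: "scripts can load from outside the package" });
    }
  }
  for (const perm of manifest.permissions || []) {
    if (PERMISSION_NOTES.has(perm)) {
      findings.push({ field: "permissions", value: perm, note: PERMISSION_NOTES.get(perm) });
    }
  }
  return findings;
}
console.log(auditManifest(SAMPLE_MANIFEST));
```

Quoted keyword sources such as 'self' are not flagged; every unquoted script-src source is reported because it lets code come from outside the extension archive.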

Interesting

  1. https://securityonline.info/neto-analyze-browser-extensions/