51

Say a Chrome extension is turned off and has the permissions: "Read and change all your data on the websites you visit" and "Read your browsing history", or other similar tracking permissions.

Can these Chrome extensions still access these permissions or spy on you in other ways even if they are turned off?

Let's say that you were to keep these extensions turned off, but then turned them on for 5 seconds or for up to 10 minutes. Is it possible that they could upload your entire browsing history to the developers in that short timespan if they can "Read your browsing history"?

This question goes for browsers like Firefox as well.

DavidPostill
  • 153,128
  • 77
  • 353
  • 394
Michael d
  • 539
  • 1
  • 4
  • 11
  • 4
    Question is, could an extension modify a browser in such a way that, it could either make the turn-off button do basically nothing (only 'appear off'), or turn itself back on at a later stage? If the answer to either yes, then the answer to the above is also yes. (I'll leave whether it's possible to those more knowledgeable than me). – SE Does Not Like Dissent May 14 '18 at 12:31
  • 6
    @SSight3 Extensions are not allowed to run on the chrome://extensions page as far as I know, so it's not possible for an extension to fake the state of the enabled/disabled toggle. – ash May 14 '18 at 12:34
  • 2
    Everyday use of Google — Facebook, Twitter, whatever — has plenty more opportunities for information collection than some upstart Chrome Extension. Not that the author behind that extension couldn't have grandiose ambitions, but … – can-ned_food May 15 '18 at 00:35
  • 4
    Please don't mark a question as answered and a day later as unanswered and edit it to ask a new question. If you change your mind about the question, you really should ask a new separate question, once you have accepted an answer. – LPChip May 15 '18 at 14:29
  • 2
    @can-ned_food Worth noting if the fear is datamining, MITM can be deployed from anywhere (HTTP sniffer, dodgy CA, bad DNS, malicious Wifi hotspot, backdoored router, so on, so forth) and if a person's concern on a browser made by a company infamous for datamining, is 'are my extensions leaking?' I strongly suspect they might be overlooking much bigger issues. – SE Does Not Like Dissent May 15 '18 at 19:24
  • @Michael d, please reaccept my answer. – LPChip May 18 '18 at 09:09

1 Answers1

63

When an extension is turned off, it is not loaded into memory, and as such can't do anything.

When you turn an extension on, it has access to your entire browser history, and if an extension wants, it can submit your entire history to the server.

It depends on the extension if it really will do this. Spyware type extensions will, extensions that are meant to help you will usually only submit a website you are currently browsing, but whether or not an extension will do or not is purely speculation.

If you want to be safe and not want to allow an extension to transmit your data to their server, don't turn it on, ever.

LPChip
  • 59,229
  • 10
  • 98
  • 140
  • 1
    Also maybe scroll through the programming and Ctrl-F in it, maybe. They are getting pretty readable now – Varad Mahashabde May 14 '18 at 16:50
  • @Varad You mean read the source code? – wjandrea May 14 '18 at 18:03
  • 2
    @wjandrea It _is_ possible to read the source code of chrome extensions (`.crx` packages). – undo May 14 '18 at 18:31
  • @rahul How would you do that? And what would you look for? – wjandrea May 14 '18 at 18:36
  • @wjandrea [See how](https://www.howtogeek.com/198964/). If you suspect that an extension is executing malicious code, you can inspect the source code to confirm your suspicions. – undo May 14 '18 at 18:41
  • 1
    @wjandrea What Chrome does is download little tar-ball like packages which are then unzipped and then either built and loaded with the browser or kept in the install directory like CMD scripts (not sure which). Anyways, the source is downloaded, which could be searched for in %localappdata% or /var, or downloaded again. – Varad Mahashabde May 14 '18 at 18:45
  • 1
    As for what to look for, you could open all the files at once in an editor, and then search for the command which calls the function to use the permission concerned. Also, people like to name things properly and leave comments to make things easier to maintain, so that's half your documentation – Varad Mahashabde May 14 '18 at 18:47
  • @EricDuminil Yeah, because 1) Google has no financial motivation to keep your data safe and 2) Firefox totally did not copy the Chrome extension system because it was safer... – David Mulder May 15 '18 at 11:51
  • 7
    @DavidMulder To be pedantic, Firefox mostly copied the Chrome extension system because it was *simpler* - they were rewriting a large part of their code base, and the existing extension APIs were closely bound with the internals so hard to keep working. Forcing every extension to be rewritten made their lives easier, and the hope is that they won't need to again as the new API is more restrictive, and more separated from the internal implementation. The permission model is a nice bonus, but given that most extensions need access to the DOM of every page you view, it doesn't prevent much. – IMSoP May 15 '18 at 12:05
  • 2
    @DavidMulder: You're assuming it's fine that Google has all your data in the first place. – Eric Duminil May 15 '18 at 12:08
  • @IMSoP The chrome extension API allowed far more granular permission control, that was a safety concern which was much appreciated. Additionally it naturally sandboxed extensions which was another safety advantage. All round the extension API was designed in a far more safe and modern way which was desirable. – David Mulder May 15 '18 at 12:23
  • @EricDuminil Except using Chrome in no way gives your data to Google. Logging in with a Google account and/or using Google DNS will at least pass some of your data to Google, but those are completely separate concerns from using Chrome. – David Mulder May 15 '18 at 12:24
  • 4
    @DavidMulder We don't know _what_ Chrome is doing because we can't see the code. Saying that Chrome "in no way gives your data to Google" is patently false; when typing a URL into the address bar I measured traffic to and from Google servers before I even pressed Enter! – wizzwizz4 May 15 '18 at 15:42
  • 2
    @wizzwizz4 It might be worth noting SRWare Iron (a privacy focused version of Chrome) details some... [troubling features](https://www.srware.net/en/software_srware_iron_chrome_vs_iron.php) of Chrome. – SE Does Not Like Dissent May 15 '18 at 19:14
  • @SSight3 Chrome has settings that you can turn on and off. SRWare Iron does not have some of those settings, so you are stuck with its defaults. And it is lagging behind with security updates; see also [Why You Shouldn’t Use (Most) Alternative Browsers Based on Google Chrome](https://www.howtogeek.com/108384/6-alternative-browsers-based-on-google-chrome/). – Mr Lister May 16 '18 at 07:13
  • @wizzwizz4 Only if you have a prediction service set up and that's a single toggle in the settings. Here is more information for example: https://lifehacker.com/5763452/what-data-does-chrome-send-to-google-about-me – David Mulder May 16 '18 at 13:03
  • @DavidMulder That's one setting. How does, say, the OK Google system work? What does it do? – wizzwizz4 May 16 '18 at 16:06