You might be aware of the recent disaster with the DataSpii browser extension leak, in which millions of users had their data tracked and sold by browser extensions that seemed harmless at first.
Lifehacker’s recent article explains how to check the other Chrome add-ons that you might have installed, to make sure that you are safe and to sniff out hackers.
The online publication recommends a piece of software called Chrome Extension Source Viewer, which can help you find potentially bad behaviors such as the ability to execute some kind of remote code.
The abuse I've seen repeatedly is not of webRequest API: unethical blockers ripping the code base of legitimate blockers, but with an added permission which allows execution of remote code in extension context. https://t.co/8T2gmoBpr9
— R. Hill (@gorhill) June 13, 2019
Using the Chrome Extension Source Viewer
- First of all, the online magazine recommends that users install the Chrome Extension Source Viewer add-on.
- After that, you will have to open the Chrome Web Store page for each one of the extensions that you want to check.
- While you are on the Chrome Web Store page for an extension, you have to click on the Chrome Extension Source Viewer “CRX” icon next to the URL bar.
- After that, click on “View Source”.
- Now, all that you have to do is wait for the new page to fully load, then find and open the “manifest.json” file.
- Press F3 or “CTRL+F” to open the page search, and look for “unsafe-eval.”
The “unsafe-eval” keyword in the manifest's content security policy shows that a particular extension is allowed to evaluate strings as code, which is what makes it able to execute remote code.
This can obviously be a security risk. However, the online publication makes sure to note that this does not always mean that an extension is “operating in bad faith.”
Lifehacker recommends that you pay attention if you come across this because it does indicate that you might want to give that extension more scrutiny.
“Search the web to see if there are any problematic reports about it,” they advise.
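The manifest check from the steps above can also be done by parsing the policy instead of text-searching it; the following is an added example, not code from Lifehacker or from Chrome Extension Source Viewer. It goes slightly beyond the keyword search by also reporting remote script origins and by not matching the narrower 'wasm-unsafe-eval' keyword, which a plain search for “unsafe-eval” would hit. The sample manifests, function names and the "extension_pages" label used for Manifest V2 policies are assumptions made for illustration.

```python
import json

def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}, all lowercased."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            # When a directive is repeated, the first occurrence is the one used.
            directives.setdefault(tokens[0], tokens[1:])
    return directives

def script_sources(policy):
    """Sources that govern script execution: script-src, else default-src."""
    d = parse_csp(policy)
    return d.get("script-src", d.get("default-src", []))

def audit_manifest(manifest_text):
    """Return (context, finding) tuples for the text of a manifest.json."""
    csp = json.loads(manifest_text).get("content_security_policy")
    if csp is None:
        return []  # no override: the default extension policy does not allow eval
    # Manifest V2 stores one string; Manifest V3 stores an object per context.
    # Labelling the V2 string "extension_pages" is this example's own choice.
    policies = {"extension_pages": csp} if isinstance(csp, str) else csp
    findings = []
    for context, policy in policies.items():
        for src in script_sources(policy):
            if src == "'unsafe-eval'":  # exact token, so 'wasm-unsafe-eval' is skipped
                findings.append((context, "unsafe-eval"))
            elif src.startswith(("http://", "https://")):
                findings.append((context, "remote script origin " + src))
    return findings

# Constructed sample manifests (not taken from any real extension).
MV2_SAMPLE = """{"manifest_version": 2, "name": "Constructed sample A",
 "content_security_policy":
   "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'"}"""
MV3_SAMPLE = """{"manifest_version": 3, "name": "Constructed sample B",
 "content_security_policy": {
   "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'",
   "sandbox": "sandbox allow-scripts; script-src 'self' 'unsafe-eval'"}}"""

if __name__ == "__main__":
    for label, text in (("A", MV2_SAMPLE), ("B", MV3_SAMPLE)):
        print(label, audit_manifest(text))
```

As with the manual search, a finding is a reason to give the extension more scrutiny, not proof of bad faith.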