Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Google Chrome extensions - Security question

Jan 29, 2011 5:23PM PST

When installing extensions in Chrome, I get warnings before downloading, such as:

"This extension can access all data on your computer and the websites you visit," and, "This extension can access your data on all websites and your browsing history." Exactly what do these mean? Literally "all data," including encrypted passwords, private messages, etc.?

I have only installed two extensions because of this, and both were from long-known, trusted sources, but I got these warnings even with these.

Am I being overly cautious? I want to try a few other extensions.

Is there any Chrome extension that can access sensitive data on my computer, such as passwords? What about keylogging, such when I enter a password into a secure website? If so, what are the warning signs?

I run Norton AV nearly constantly, and it didn't complain when I downloaded and installed the two extensions. I haven't seen any problems, but am concerned.

Discussion is locked

- Collapse -
That was clear to me.
Jan 30, 2011 4:26AM PST

It's pretty clear that extensions do have access to such things. If the source CODE is available then you could see what they use such access for.

Another good reason to keep such add-ons to a minimum since Norton may have no defense to information leaks via installed apps and plugins.
Bob

- Collapse -
Agreed...
Jan 30, 2011 6:33AM PST

An extension could contain anything from a keylogger to record everything you type in your browser to a file uploader that sends ALL of the files on your computer to a remote party. And as Bob noted, Norton and others will generally offer little protection since they are extensions, not applications, and protection in that field is still lacking.

The good news:
1.) The extensions are only a risk while your browser's open/running.
2.) The source code of the extensions are available for anyone to review, so experienced programmers often spot untrustworthy extensions and sound the alarm.
3.) You can always ask here and other reputable forums if you are in doubt about a particular extension.

Hope this helps,
John

- Collapse -
Question in response to your replies
Jan 30, 2011 2:41PM PST

Thanks, Bob and John, for your helpful replies.

May I assume it would be safe to download a couple more extensions if they are from the official Google Chrome Extensions Gallery and have, for example, 30,000 or more users? Seems either Google or a programmer who can detect malicious code would have caught any untrustworthy extensions within those parameters, but I want to be on the safe side.

Here is one I want and looks perfectly safe to me. The main reason I post the link is that it has an interesting explanation about the warning message and the developer's need for this specific plugin to access data, and how far it will go. I haven't seen an explanation like it before.

https://chrome.google.com/extensions/detail/alelhddbbhepgpmgidjdcjakblofbmce

- Collapse -
Yes, that one is trustworthy...
Jan 30, 2011 9:41PM PST

In addition to the sheer number of users using the extension with an average 5-star rating, note that:
1.) The extension page has the "verified author" logo. That means the extension was really created by diigo.com, not someone just using the name to obtain a false sense of trust.
2.) CNET gave diggo.com its Webware 100 award in 2009, so the site/company is well-ranked and well-trusted.

No harm in that one.
John

- Collapse -
proxy switchy! = Chinese, all data but hugely popular!?
Feb 5, 2011 6:55PM PST

So what about this one?
Proxy Switchy!
Mhd Hejazi

https://chrome.google.com/webstore/detail/caehdcpeofiiigpdhbabniblemipncjj

This is a proxy switcher. I would like to use it to toggle access to the medical library of our university.

It has remarkable 1017 ratings and 123,394 users and overall looks much more user friendly based on the pictures shown than the handful other proxy programs.
But: the user is not verified, it accesses all data on your computer (other proxy switchers only use browsing history).

I find it really interesting that almost all these proxy switcher extensions derive from china and only one is verified. They probably do that to get around internet censorship. But why access all data on my computer?

Thanks!

- Collapse -
Someone, please, answer this one!
Jul 3, 2012 1:38PM PDT

Hello, Everybody!

I'm very interested in an answer to this question, and I'm sure it would be very helpful to other fellow members. I guess this question will not expire even if it keeps getting old.

Thanks in advance. Happy
Touchito

- Collapse -
But what could anyone say?
Jul 3, 2012 10:52PM PDT

Extensions can be malicious.

Extensions from Google's own stores are less likely to be malicious, especially if they have the verified author logo.

If they do not have that logo then they are not verified.

I don't see that you can expect any other answer in these forums.

It is a shame that we have to even think about security for extensions or for any 3rd part software, but this is the state of the internet as we have it.

That said, this Proxy Switchy does seem to be well received as it has it's own Google Code Project ongoing here http://switchy.samabox.com/ and a well established community of bug-reporters here; http://code.google.com/p/switchy/issues/list although little activity in recent times.

This is one of those, "compare all the variables and make your mind up on what you have" decisions.

Good luck.

Mark