Browser Extensions & Permissions
Browser extensions can have access to cookies, the clipboard and even the local storage of the client machine. To review an extension's permissions, open chrome://extensions (Settings > Extensions) and click "Details" for the extension in question.
In this example Wappalyzer has access to the browsing history of the browser.
Extension permissions should be reviewed against the principle of least privilege. For example, if an extension has permission to read the user's clipboard or to access a storage device it does not need for its stated function, that permission is available to an attacker who compromises the extension (or to a malicious author) and should count against it.
This information is also available in the extension's manifest.json, which contains the metadata about the extension. Note that in Manifest V2 the "permissions" list holds both API permissions and host patterns, whereas Manifest V3 declares host patterns separately in "host_permissions" (and "optional_host_permissions"). The different permissions available are documented at:
Declare extension permissions – Declare permissions – Chrome Developers
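The following script is an added example and not code from the original page or from Chrome: it reads a manifest.json (a constructed sample is embedded) and groups the declared permissions by the risk they represent, handling both the Manifest V2 and V3 layouts described above. The HIGH/MEDIUM table is this reviewer's own grouping and is an assumption, not an official Chrome classification; adjust it to your own threat model.

```python
"""Added example (not from the original page): least-privilege review of an
extension's manifest.json.  SAMPLE_MANIFEST is constructed for illustration;
the HIGH/MEDIUM tables are the reviewer's own grouping, not Chrome's."""
import json

# API permissions that reach well beyond the current tab (reviewer's grouping).
HIGH_RISK = {
    "clipboardRead": "can read whatever the user last copied (passwords, tokens)",
    "cookies": "can read/modify cookies for granted hosts (session theft)",
    "history": "can read the full browsing history",
    "webRequest": "can observe every request to granted hosts",
    "webRequestBlocking": "can modify or redirect requests to granted hosts",
    "debugger": "can attach DevTools to tabs (full page control)",
    "nativeMessaging": "can talk to a native program outside the browser sandbox",
    "downloads": "can start and manage downloads",
    "tabs": "can read the URL and title of every open tab",
    "management": "can enumerate, enable and disable other extensions",
    "proxy": "can route all browser traffic through a proxy",
}
MEDIUM_RISK = {
    "storage": "key/value store inside the extension sandbox",
    "scripting": "can inject scripts into pages it has host access to",
    "activeTab": "temporary access to the tab the user clicked in",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# Constructed sample manifest (Manifest V3 layout).
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Sample Extension",
  "version": "1.0",
  "permissions": ["storage", "history", "clipboardRead", "activeTab"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["content.js"]}]
}
""")


def is_host_pattern(p):
    """Host patterns carry a scheme; API permissions are bare names."""
    return p == "<all_urls>" or "://" in p


def review_manifest(manifest):
    """Return a list of (severity, item, note) findings for a parsed manifest."""
    api_perms, host_perms = [], []
    # MV2 mixes host patterns into "permissions"; MV3 keeps them separate.
    for key in ("permissions", "optional_permissions"):
        for p in manifest.get(key, []):
            (host_perms if is_host_pattern(p) else api_perms).append(p)
    for key in ("host_permissions", "optional_host_permissions"):
        host_perms.extend(manifest.get(key, []))

    findings = []
    for p in api_perms:
        if p in HIGH_RISK:
            findings.append(("HIGH", p, HIGH_RISK[p]))
        elif p in MEDIUM_RISK:
            findings.append(("MEDIUM", p, MEDIUM_RISK[p]))
        else:
            findings.append(("INFO", p, "not in the review table; look it up"))
    for h in host_perms:
        if h in BROAD_HOST_PATTERNS:
            findings.append(("HIGH", h, "host access to every site the user visits"))
        else:
            findings.append(("LOW", h, "host access limited to this pattern"))
    # Content scripts carry their own match patterns, independent of permissions.
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            if m in BROAD_HOST_PATTERNS:
                findings.append(("HIGH", "content_scripts:" + m,
                                 "content script injected into every page"))
    return findings


def count_by_severity(findings):
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, item, note in review_manifest(SAMPLE_MANIFEST):
        print(f"{severity:6} {item:40} {note}")
    print(count_by_severity(review_manifest(SAMPLE_MANIFEST)))
```

To review a real extension, replace SAMPLE_MANIFEST with json.load() of the manifest.json found in the extension's folder on disk; anything reported as HIGH that the extension's description does not justify is a least-privilege failure.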
Third Party Scripts
Extensions may use third-party scripts loaded from an external server. This is a risk in its own right: if the third party is compromised, the extension is effectively compromised as well, because the remote code runs with the extension's permissions. (Manifest V3 no longer allows remotely hosted code, but older extensions, and third-party libraries bundled into the package, still need review.)
Any third-party scripts (or other outbound calls) should be loaded over HTTPS with a current TLS version; if this is not in place, an attacker on the network path could intercept or modify the traffic.
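The scanner below is an added example, not code from the original page: it walks a set of extension files (a constructed in-memory sample here; on a real review, read them from the extension's folder) and reports scripts pulled from external servers, remote calls made from extension code, plain-http URLs that lack TLS, and a content_security_policy that permits remote script sources. The file names, URLs and regular expressions are assumptions for illustration; the patterns catch the common loaders, not every possible way of fetching code.

```python
"""Added example (not from the original page): find third-party script loads
and insecure (http://) transport in an extension's files.  SAMPLE_FILES is a
constructed set of files; real ones come from the Extensions folder."""
import json
import re
from urllib.parse import urlparse

# Constructed sample: path -> file content.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "content_security_policy":
            "script-src 'self' https://cdn.example.net; object-src 'self'",
    }),
    "popup.html": (
        '<script src="popup.js"></script>\n'
        '<script src="https://cdn.example.net/lib.js"></script>\n'
        '<script src="http://stats.example.org/track.js"></script>\n'
    ),
    "background.js": (
        'importScripts("https://cdn.example.net/worker.js");\n'
        'fetch("http://api.example.org/v1/ping");\n'
    ),
}

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
JS_LOADER = re.compile(r'\b(importScripts|import|fetch)\s*\(\s*["\']([^"\']+)["\']')


def is_remote(url):
    return urlparse(url).scheme in ("http", "https")


def finding(path, url, kind):
    return {
        "file": path,
        "url": url,
        "kind": kind,
        # http:// means no TLS: the script or data can be altered in transit.
        "insecure_transport": urlparse(url).scheme == "http",
    }


def csp_script_sources(csp):
    """Remote origins allowed by script-src.  MV2 uses a single string,
    MV3 an object keyed by context (e.g. "extension_pages")."""
    policies = list(csp.values()) if isinstance(csp, dict) else [csp]
    sources = []
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0] == "script-src":
                sources += [t for t in tokens[1:] if t.startswith(("http:", "https:"))]
    return sources


def scan_files(files):
    """Return a list of findings for the given {path: content} mapping."""
    results = []
    for path, content in files.items():
        if path.endswith("manifest.json"):
            manifest = json.loads(content)
            for src in csp_script_sources(manifest.get("content_security_policy", "")):
                results.append(finding(path, src, "csp-allows-remote-script"))
        elif path.endswith((".html", ".htm")):
            for url in SCRIPT_SRC.findall(content):
                if is_remote(url):
                    results.append(finding(path, url, "remote-script"))
        elif path.endswith(".js"):
            for loader, url in JS_LOADER.findall(content):
                if is_remote(url):
                    kind = "remote-script" if loader in ("importScripts", "import") else "remote-call"
                    results.append(finding(path, url, kind))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        flag = " (NO TLS)" if f["insecure_transport"] else ""
        print(f"{f['kind']:26} {f['file']:15} {f['url']}{flag}")
```

Every "remote-script" hit is code the extension does not control; every "insecure_transport" hit is traffic an on-path attacker can rewrite. Both belong in the review notes even when the host looks reputable.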
Personally Identifiable Information and Data
A frequent privacy issue is analytics tooling that sends PII, visited pages and social media usage to servers (often outside the EU), which could breach data protection regulations such as the General Data Protection Regulation (GDPR).
If you open an extension's page in the Chrome Web Store, the "Privacy practices" section gives some information on how PII and data are used (or whether they are collected at all).
Find the Extension Source Code
Open a Chrome browser and type chrome://extensions into the address bar.
In the top right-hand corner enable "Developer mode".
Each extension card will now show the extension's ID (a 32-character string made up of the letters a to p).
Open File Explorer and go to %localappdata%\Google\Chrome\User Data\Default\Extensions (replace Default with the profile folder name if more than one Chrome profile is in use). In there, find the folder whose name matches the ID.
Inside this folder you should see another folder named after the version of the extension (Chrome appends a suffix such as _0); open it. The manifest.json and the extension's scripts and pages are in there.
To view the code you will need a text editor, or you can install a source code viewer extension.
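The procedure above, as an added example that is not part of the original page: the script walks Extensions/<id>/<version>/manifest.json under a Chrome profile and lists each extension's ID, name and version, resolving the "__MSG_name__" placeholders that many manifests use in place of a literal name. The Windows path is the one given above; the macOS and Linux defaults are this editor's addition. So that it runs offline, demo() builds a constructed sample tree in a temporary directory; the extension ID and file contents in it are made up for illustration.

```python
"""Added example (not from the original page): enumerate the extensions
installed in a Chrome profile from the on-disk Extensions folder.
build_sample_tree() creates a constructed layout so the code runs offline."""
import json
import os
import re
import sys
import tempfile


def chrome_extensions_dir(profile="Default"):
    """Extensions folder of a Chrome profile.  Windows path from the page;
    macOS and Linux defaults added here.  Other profiles use e.g. 'Profile 1'."""
    if os.name == "nt":
        base = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data")
    elif sys.platform == "darwin":
        base = os.path.expanduser("~/Library/Application Support/Google/Chrome")
    else:
        base = os.path.expanduser("~/.config/google-chrome")
    return os.path.join(base, profile, "Extensions")


MSG_RE = re.compile(r"^__MSG_(\w+)__$")   # localized string placeholder
ID_RE = re.compile(r"^[a-p]{32}$")         # Chrome extension IDs use letters a-p


def resolve_message(ext_dir, value, default_locale):
    """Replace __MSG_key__ with the message from _locales/<default_locale>/messages.json."""
    m = MSG_RE.match(value or "")
    if not m:
        return value
    path = os.path.join(ext_dir, "_locales", default_locale or "en", "messages.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return value  # leave the placeholder rather than fail the listing


def enumerate_extensions(ext_root):
    """Return one record per <id>/<version> folder that holds a manifest.json."""
    found = []
    if not os.path.isdir(ext_root):
        return found
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not (os.path.isdir(id_dir) and ID_RE.match(ext_id)):
            continue  # skip helper folders such as Temp
        for version_dir in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version_dir)
            manifest_path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            found.append({
                "id": ext_id,
                "name": resolve_message(ext_dir, manifest.get("name"), manifest.get("default_locale")),
                "version": manifest.get("version", version_dir),
                "manifest_version": manifest.get("manifest_version"),
                "permissions": manifest.get("permissions", []) + manifest.get("host_permissions", []),
                "path": ext_dir,
            })
    return found


def build_sample_tree(root):
    """Constructed layout mimicking Extensions/<id>/<version>_0/ with a localized name."""
    ext_id = "abcdefghijklmnopabcdefghijklmnop"  # made-up ID in the valid format
    ext_dir = os.path.join(root, ext_id, "1.2.3_0")
    os.makedirs(os.path.join(ext_dir, "_locales", "en"))
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 3, "name": "__MSG_appName__", "version": "1.2.3",
                   "default_locale": "en", "permissions": ["history"],
                   "host_permissions": ["<all_urls>"]}, fh)
    with open(os.path.join(ext_dir, "_locales", "en", "messages.json"), "w", encoding="utf-8") as fh:
        json.dump({"appName": {"message": "Sample Extension"}}, fh)
    return ext_id


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return enumerate_extensions(tmp)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else chrome_extensions_dir()
    records = enumerate_extensions(root) or demo()   # fall back to the sample tree
    for r in records:
        print(f"{r['id']}  {r['version']:10}  {r['name']}  {r['permissions']}")
```

Run it with no arguments to list the extensions of the current user's Default profile, or pass the Extensions folder of another profile or a copied User Data directory (for example from a forensic image) as the first argument.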
Be careful when using extensions and follow the guidelines below:
- Follow the principle of least privilege for permissions
- Avoid extensions that load third-party scripts
- Avoid extensions with analytics tools
- Use HTTPS (TLS) for all requests, including third-party scripts
- Follow secure coding practices
- Use application security testing tools