Chrome Extensions Going Rogue

Google Chrome is a great browser, and it became my primary browser as soon as it introduced support for extensions. I’d previously been using Firefox, which had a tendency to crash and lose my open tabs at annoyingly regular intervals (it’s fair to say that I’ve always had a problem with having way too many tabs open at the same time, which didn’t help, and typically have to declare tab bankruptcy every six months or so).  I would have moved to Chrome sooner, but for me, browser extension support was a vital requirement so I could streamline my web browsing experience.

Unfortunately, extensions pose serious security and privacy risks, and my recent experiences have left me with serious doubts about whether I should continue to use them.  I’ve now had two extensions go rogue on me in the last year, after updating themselves automatically and adding unwanted “features” in the process.  In addition, my girlfriend had one which started creating links in web page text and showing ads on mouse over (which was really hard to get rid of).  Here’s a rundown of the two extensions I personally had go rogue on me, and my tips for tracking them down.

Window Resizer

The first extension I had a problem with was Window Resizer, a really handy extension that resizes your browser to match different screen sizes, such as those of tablets and phones.  It’s a great tool for web developers who are developing responsive websites, like I do.  Unfortunately, after a while, the developer decided to cash in by having all Google search results redirected through EcoSia, effectively tracking a huge proportion of my web activity without my permission.  I noticed this problem as my browser started randomly failing to navigate to sites, getting stuck on the EcoSia redirect, and was eventually able to track the problem down to the Window Resizer extension thanks to other posts on the web about it.

I never agreed to this behaviour when I installed Window Resizer, and it didn’t do this when I first installed it.  Unfortunately, extension developers can introduce these “features” in new versions, which get installed automatically because, like Chrome itself, Chrome extensions update silently as new versions are released.  This is a big problem, as extensions can build up a big user base by providing a useful and expected service, and then suddenly go rogue without warning (occasionally after being bought by malware operators).  And it can be really hard to track down the culprit – that’s if you even realise there’s a problem.

In the case of the Window Resizer extension, the developer decided to make money out of his extension by having the extension send all clicks on Google results via EcoSia.  He did make this behaviour optional (it could be turned off), but turned it on by default.  With this update being pushed out to all users automatically, suddenly the browsing activity of all users was getting tracked without their express permission, with most not even realising it.  Ultimately, the developer of Window Resizer faced a huge backlash, and after attempting to defend his decision by blaming the users for not reading the release notes, he ultimately apologised and backed down under a barrage of criticism.

Quick Note

Just last night I found another Chrome extension had gone rogue.  I was using Fiddler (a web debugging tool that logs all web requests/responses) to analyse an OAuth2 negotiation workflow.  However, I started to notice requests to an unfamiliar domain each time I navigated to a URL, which began to concern me.  After Googling the domain and discovering it was a click tracking domain, I realised another browser extension must have gone rogue, and went into investigative mode to track down the culprit.

Figure: Fiddler capture showing the unexpected calls to webovernet, highlighted in red.

Note in the image above that the requests are sent via HTTPS calls, which makes them even harder to detect.  They only show in Fiddler if you are capturing HTTPS content (i.e. the Capture HTTPS CONNECTs and Decrypt HTTPS traffic options are enabled in Fiddler; both are turned off by default). So you wouldn’t even see these calls in regular use of the tool, making this behaviour hidden even from tech savvy users.

The process of tracking down the culprit was quite simple. I opened up the Google search page to use as my test.  Any page would do, but I chose this one because it makes minimal additional server requests, so it wouldn’t clog up the Fiddler logs.  I opened Fiddler, made sure HTTPS capture was on, and started capturing my web traffic.  Each time I refreshed this page, corresponding requests would be sent to the webovernet domain, so I had a clear failing test case (for those of you into test driven development).  The task now was to disable extensions one at a time and refresh the Google search page until I no longer saw any requests to the webovernet domain. Disable an extension, refresh the page, check the traffic, and repeat.
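The same check can be automated over a saved capture. The following is an added example, not code from the original post: it assumes the traffic was exported in HAR 1.2 format (both Chrome DevTools and Fiddler can export this), uses a constructed sample with a hypothetical beacon host (`tracker.example.invalid`, a placeholder), and lists every host outside the allowlist for the test page plus any page URLs those beacons carry in their query strings.

```python
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in HAR 1.2 layout: one refresh of the Google search page
# plus two beacons from a hypothetical rogue extension (placeholder host).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.google.com/"}},
    {"request": {"method": "GET", "url": "https://www.gstatic.com/og/_/js/k=og.js"}},
    {"request": {"method": "GET", "url": "https://ssl.gstatic.com/gb/images/i1.png"}},
    {"request": {"method": "POST",
                 "url": "https://tracker.example.invalid/log?u=https%3A%2F%2Fwww.google.com%2F"}},
    {"request": {"method": "GET", "url": "https://cdn.tracker.example.invalid/pixel.gif"}},
]}})

def host_matches(host, expected):
    """True if host is one of the expected domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)

def unexpected_hosts(har_text, expected):
    """Count requests per host that fall outside the expected domains.

    A page you know well (the post uses the Google search page) gives a short,
    stable allowlist; whatever is left over is a candidate extension beacon.
    """
    counts = Counter()
    for e in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(e["request"]["url"]).hostname or ""
        if not host_matches(host, expected):
            counts[host] += 1
    return dict(counts)

def reported_pages(har_text, host):
    """URLs carried in the query string of requests to `host`.

    If these are the pages you just visited, the beacon is reporting your
    browsing history, not just 'phoning home'.
    """
    found = []
    for e in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(e["request"]["url"])
        if (parts.hostname or "").lower() != host:
            continue
        for values in parse_qs(parts.query).values():
            found += [v for v in values if v.startswith(("http://", "https://"))]
    return found

if __name__ == "__main__":
    allow = ["google.com", "gstatic.com"]
    for h, n in unexpected_hosts(SAMPLE_HAR, allow).items():
        print(h, n, reported_pages(SAMPLE_HAR, h))
```

Run it once per disabled extension against a fresh export; the culprit is the extension whose removal empties the `unexpected_hosts` result.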

Ultimately, I discovered it was an extension called Quick Note that was the offender.  This was an extension I must have installed a long time ago but never really used.  Looking at its details in the Chrome store, you can see that the developer updated their privacy policy to allow it to capture all my browsing history.  Of course, I was never made aware of this.  Bastards.


The big lesson from this is to disable or uninstall all extensions that you don’t use!

The Big Issue

The big issue I have with extensions is that developers can introduce this malware/adware/spyware without users being aware of it, and potentially never actually realising it.  It’s only because I spend a fair bit of time in the Chrome Debugging Tools and Fiddler that I notice these sorts of issues.  I’m in a position to be able to detect these problems, but these are just skills that the average punter doesn’t have.

We live a lot of our online lives in a web browser these days, including a lot of private activity such as shopping, banking, and so on.  Depending on the permissions you’ve granted them, browser extensions can have access to all of this.  We are making a lot of private information available to unknown entities, and putting them in a position of trust to not take advantage of it, which is ultimately being abused in the name of money.

To help solve problems like this, Google prevented Chrome extensions from being installed outside of the Chrome Web Store, in May this year.  Unfortunately, this doesn’t really do much, as you can see from my issue with the Quick Note extension.

You can’t trust extensions after doing an audit, because they auto update.  Just because you verified the behaviour of all your extensions and haven’t installed any new extensions recently doesn’t mean that you’re OK, as any one of those installed extensions may auto update and go rogue.

The other big issue is the amount of access that extensions have to your browsing activity.  Unfortunately, most of the useful extensions need a very wide permission base, with almost all the extensions I have installed requiring access to my data on all websites, and access to my tabs and browsing activity.  This is particularly concerning, and while I’m not an expert in this since I haven’t written an extension myself, it seems much of it is because Chrome’s permission levels are quite coarse.  The Window Resizer extension developer wrote this about the permission levels it requires just to resize the browser window:

This extension doesn’t *need* access to your browsing history or data on any site, but it *needs* access to the tabs and window in order to manipulate the window size and read its properties. Unfortunately, these are all tied together and you can’t have one without the other. So, by receiving the right to access the window properties, the extension also receives access to the browsing history and all.

If this is true, it’s indicative of a big problem with Chrome’s extension security model.

The Lesson

After seeing three browser extensions go rogue in the past year, I sense that the Chrome Web Store has a big problem in the making.  In the meantime we just need to mitigate the problem by acting wisely.  There’s a number of lessons to be learned, so here’s my advice:

  1. Treat all browser extensions as suspicious.  Check their requested permissions, and if they ask for too much for their required needs then don’t install them!
  2. Always read the reviews and details of extensions before installing them.  You’ll learn a lot.  If they have a privacy policy, read it!
  3. Disable all extensions that you aren’t currently using, or don’t really need.  Out of sight is not out of mind.  Stick with just high profile extensions.  That said, the more users extensions have, the more likely they are to be sought after by malware operators, who purchase them and abuse them.
  4. Just because you don’t see anything wrong, doesn’t mean there isn’t anything going on under the covers.
  5. The old saying “If the product is free, then you are the product” unfortunately seems to extend to browser extensions too.

Go and check your browser extensions now.


It’s worth noting that all our browsing habits are being tracked anyway by Google, which is disconcerting enough as it is.  Between my browsing history being synced back to their servers, all search links going via them, storing all my email, and so on, it’s fair to say that they know way too much about me.  However, at least I’m well aware of this situation and have made my own decision to keep using their products based upon reading and agreeing to their privacy policies, and the fact that I get a worthwhile enough benefit in exchange.  But I never agreed to allow these extensions to spy on me, and that really disgusts me.
