 

How to audit a chrome extension's open-source code?

I am concerned that a Chrome extension is providing users with different code than that in its open-source repo. The extension is MetaMask, a cryptocurrency wallet that was recently found to be injecting unique identifiers into every website a user visits, despite saying they weren't. I've now heard that MetaMask can also act as a DNS resolver, which is a lot of power for a deceitful app.

What's the best way for me to download this Chrome extension from the web store and compare its hash to the build of the open-source code? Are there any existing Chrome extensions or websites where you can do this more easily, i.e. compare the GitHub repo directly to what's on the Chrome Web Store?

nick carraway asked May 18 '19 13:05



1 Answer

Disclaimer: This guide assumes the usage of Chrome and a UNIX-style operating system.


Step 1: Get shipped source code

  1. Go to chrome://extensions/ and activate Developer mode in the top right corner.
  2. Click on Details of the extension and find its ID (it will be a long string of random characters).
  3. Locate your Chrome profile's extension folder:

    find ~ -type d -iname <extension_id> (fill in the extension's ID)

  4. The results of find will show a folder with the extension's (most likely compressed) source code.

Step 2: Build the source-code yourself

  1. Clone the source code via git (git clone git@github.com:MetaMask/metamask-extension.git).
  2. Follow the steps from the extension's build guide.

Step 3: Compare the two

  1. Run diff recursively on the two folders. folder1 could be the shipped source code and folder2 your self-built source code:

    diff -r folder1/ folder2/

  2. diff will give you the exact differences in code/files/etc. This can be a lot and will have to be checked manually to find out what the real differences are...


P.S. I am very interested in the results and will run the comparison myself later...

janniks answered Sep 28 '22 03:09
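The procedure in the answer above (locate the installed copy, build the repository, compare), worked through as an added example that is not part of the original answer and not MetaMask's own tooling. A plain `diff -r` reports two things that are noise for this audit: Chrome's `_metadata/` directory (`verified_contents.json`, `computed_hashes.json`), which the Web Store adds at install time and which never exists in a local build, and every path difference caused by comparing the installed tree against the repository's source tree instead of its build output. The script below hashes both trees with SHA-256, skips `_metadata/`, checks that both `manifest.json` versions agree (so you know you checked out the matching git tag), and also knows how to unpack a `.crx` downloaded directly from the store (CRX2 and CRX3 are a small header in front of an ordinary ZIP). Everything it runs against here is a constructed pair of sample trees built in a temporary directory; the `demo` function and `make_fake_crx` exist only to exercise the comparison offline. Assumptions: on Linux the installed copy is typically under `~/.config/google-chrome/Default/Extensions/<id>/<version>_0/`, and the tree to compare against is the extension's build output (for MetaMask that is assumed to be `dist/chrome` after following its build guide), not the raw source checkout.

```python
from __future__ import annotations

import hashlib
import io
import json
import os
import struct
import tempfile
import zipfile
from pathlib import Path

# Chrome writes this directory into every Web Store-installed extension
# (verified_contents.json, computed_hashes.json); a local build never has it,
# so it is skipped rather than reported as "only in shipped".
SKIP_DIRS = {"_metadata"}


def crx_payload_offset(data: bytes) -> int:
    """Byte offset of the ZIP archive inside a .crx (CRX2 or CRX3) file."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 3:  # magic, version, u32 header length, header, ZIP
        return 12 + struct.unpack_from("<I", data, 8)[0]
    if version == 2:  # magic, version, u32 key len, u32 sig len, key, sig, ZIP
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    raise ValueError(f"unsupported CRX version {version}")


def extract_crx(data: bytes, dest: Path) -> list[str]:
    """Unpack a downloaded .crx into dest; the CRX signature is NOT verified here."""
    with zipfile.ZipFile(io.BytesIO(data[crx_payload_offset(data):])) as zf:
        zf.extractall(dest)  # zipfile drops absolute paths and '..' components
        return sorted(zf.namelist())


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    hashes: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in filenames:
            p = Path(dirpath) / name
            hashes[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def manifest_version(root: Path) -> str | None:
    try:
        return json.loads((root / "manifest.json").read_text())["version"]
    except (OSError, KeyError, ValueError):
        return None


def compare_trees(shipped: Path, built: Path) -> dict:
    """Diff two extension trees by content hash and by manifest version."""
    s, b = hash_tree(shipped), hash_tree(built)
    common = set(s) & set(b)
    report = {
        "shipped_version": manifest_version(shipped),
        "built_version": manifest_version(built),
        "only_in_shipped": sorted(set(s) - set(b)),
        "only_in_built": sorted(set(b) - set(s)),
        "modified": sorted(p for p in common if s[p] != b[p]),
        "identical": sorted(p for p in common if s[p] == b[p]),
    }
    report["match"] = report["shipped_version"] == report["built_version"] and not (
        report["only_in_shipped"] or report["only_in_built"] or report["modified"]
    )
    return report


def make_fake_crx(files: dict[str, str]) -> bytes:
    """Constructed CRX3 container (empty header, no real signature) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rel, text in files.items():
            zf.writestr(rel, text)
    return b"Cr24" + struct.pack("<II", 3, 0) + buf.getvalue()


# Constructed manifest shared by both sample trees (same version on purpose).
MANIFEST = json.dumps({"manifest_version": 2, "name": "demo", "version": "1.0.0"})


def demo() -> dict:
    """Constructed sample: a fake installed tree against a fake local build."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, built = Path(tmp, "shipped"), Path(tmp, "built")
        # "Installed" tree as if unpacked from a .crx: one file differs from the
        # build, one extra script, plus Chrome's _metadata/ that must be ignored.
        extract_crx(make_fake_crx({
            "manifest.json": MANIFEST,
            "background.js": "console.log('hello');\nfetch('https://example.invalid/');\n",
            "inject.js": "// constructed: not present in the repository build\n",
        }), shipped)
        (shipped / "_metadata").mkdir()
        (shipped / "_metadata" / "verified_contents.json").write_text("[]")
        # Local build output of the repository at the same version.
        built.mkdir()
        (built / "manifest.json").write_text(MANIFEST)
        (built / "background.js").write_text("console.log('hello');\n")
        return compare_trees(shipped, built)
```

For a real audit, call `compare_trees(Path("~/.config/google-chrome/Default/Extensions/<id>/<version>_0").expanduser(), Path("metamask-extension/dist/chrome"))` after building the repository at the git tag whose `manifest.json` version equals the installed one. A non-empty `modified` or `only_in_shipped` list is where to start reading, but it is evidence, not proof: bundlers and minifiers are not always reproducible across dependency versions, so the real check is `diff` on the individual flagged files and an explanation for every byte that differs.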