How to audit a chrome extension's open-source code?

Question

I am concerned that a chrome extension is providing users with different code than that in its open-source repo. The extension is MetaMask, a cryptocurrency wallet that was recently found to be injecting unique identifiers into every website a user visits, despite saying they weren't. I've now heard that MetaMask can also act as a DNS resolver, which is a lot of power for a deceitful app.

What's the best way for me to download this Chrome extension from the web store and compare it's hash to the build of the open-source code? Are there any existing Chrome extensions or websites where you can do this easier, i.e. compare the github repo directly to what's on the chrome web store?

Answer 1

Disclaimer: This guide assumes the usage of Chrome and a UNIX-style operating system.

---

Step 1: Get shipped source code

1. Go to chrome://extensions/ and activate Developer mode in the top right corner.
2. Click on Details of the extension and find its ID (it will be a long string of random characters)

3. Locate your chrome profiles' extension folder

   find ~ -type d -iname <extension_id> (fill in the extensions ID)

4. The results of find will show a folder with the extensions (most likely compressed) source-code.

Step 2: Build the source-code yourself

1. Clone the source-code via git (git clone [email protected]:MetaMask/metamask-extension.git)
2. Follow the steps from the extensions build guide

Step 3: Compare the two

1. Run diff recursively on the two folders. folder1 could be the shipped source-code and folder2 your self-built source-code.

   diff -r folder1/ folder2/

2. diff will give you the exact differences in code/files/etc. this can be a lot and will manually have to be checked, to find out what the real differences are...

---

P.S. I am very interested in the results and will run the comparison myself later...