Notes about Chrome extensions.
Privacy aka Forget About Privacy
Most useful extensions can view the contents of every web page you visit. That is READ THE CONTENTS OF EVERY WEB PAGE YOU VISIT. I’m not sure people realise how significant this is.
In particular, extensions granted the ‘Read and modify all your data on the websites you visit’ will be able to see anything on any web page whether secure (HTTPS/SSL) or not e.g. your bank details, private conversations, email, usernames etc depending on what websites you use.
There are other permissions that allow extensions to view data on a set of websites, view your browsing history, read files on your computer and a lot of other dangerous stuff.
If you use your browser to access anything vaguely sensitive e.g. online banking, then either disable all extensions or visit the site in incognito mode (ensuring that no extensions were set to ‘Allow in incognito’, which you can see at chrome://extensions).
See Understand permissions requested by apps and extensions for more info.
Where to find extensions on the filesystem
On Linux you’ll find your extensions on the filesystem at the following location:
~/.config/google-chrome/[profile]/Extensions
Where [profile] is the name of your profile, ‘Default’ by default! i.e. ~/.config/google-chrome/Default/Extensions/.
On Windows they’re probably in one of these two places:
C:\Program Files (x86)\Google\Chrome\Application\[version]\Extensions\
C:\Users\[user]\AppData\Local\Google\Chrome\User Data\[profile]\Extensions
Where [version] is the version of Chrome and [user] is your username.
How to identify extensions
Each extension will be in its own directory, which has the same name as its ID.
For example:
me@pc ~/.config/google-chrome/Default/Extensions $ ls -C1
aciahcmjmecflokailenpkdchphgkefd
bepbmhgboaologfdajaanbcjmnhjmhfn
blpcfgokakmgnkcojhhkbfbldkacnbeo
coobgpohoikkiipiblmjeljniedjpjpf
dpaohcncbmkojcpcjaojcehdlnjfbjkl
mcbkbpnkkkipelfledbfocopglifcfmi
nmmhkkegccagdldgiimedpiccmgmieda
pjkljhegncpnkpknbcohdijeoejaedia
So the first extension listed there has ID aciahcmjmecflokailenpkdchphgkefd.
We can look this up on Google’s webstore using the following URL:
https://chrome.google.com/webstore/detail/[ID]
Where [ID] is the ID of the extension.
E.g. we find that extension with ID aciahcmjmecflokailenpkdchphgkefd is the Entanglement Web App (which is a bundled extension - more on that later):
https://chrome.google.com/webstore/detail/aciahcmjmecflokailenpkdchphgkefd -> https://chrome.google.com/webstore/detail/entanglement-web-app/aciahcmjmecflokailenpkdchphgkefd
Manifest.json
If an ID isn’t found in the webstore, you may get a clue as to what the extension is by looking at its manifest.json file.
E.g. here’s the manifest.json for an extension ID nmmhkkegccagdldgiimedpiccmgmieda that I found on my system, which looks like it must be Google Wallet:
{
"app": {
"background": {
"scripts": [ "craw_background.js" ]
}
},
"default_locale": "en",
"description": "__MSG_APP_DESCRIPTION__",
"display_in_launcher": false,
"display_in_new_tab_page": false,
"icons": {
"128": "images/icon_128.png",
"16": "images/icon_16.png"
},
"key": "MIGf4GNADCBiQKBgQCrKfMnLqViEyokd1wk57FxJtW2XXpGXzIHBzMA0GCSqGSIb3DQEBAQUAAv9vQI/01UsuP0IV5/lj0wx7zJ/xcibUgDeIxobvv9XD+zO1MdjMWuqJFcKuqkHq1bmje6u+pMrTuSS4SSGOSBVh0kpToN8YoJs/P/XTaFTGxQL4yrRd7FEtAC385MeXSjaQfiRiQIDAQAB",
"manifest_version": 2,
"minimum_chrome_version": "29",
"name": "__MSG_APP_NAME__",
"oauth2": {
"auto_approve": true,
"client_id": "218436803227.apps.googleusercontent.com",
"scopes": [ "https://www.googleapis.com/auth/sierra", "https://www.googleapis.com/auth/sierrasandbox", "https://www.googleapis.com/auth/chromewebstore", "https://www.googleapis.com/auth/chromewebstore.readonly" ]
},
"permissions": [ "identity", "webview", "https://wallet.google.com/", "https://wallet-web.sandbox.google.com/", "https://www.google.com/", "https://www.googleapis.com/*" ],
"update_url": "https://clients2.google.com/service/update2/crx",
"version": "0.1.0.0"
}
Bundled / component extensions
Chrome comes with a number of extensions which do not show in the list at chrome://extensions. I found the following on my system:
- Entanglement Web App
- Google Search
- Poppit!
- Gmail
- Google Voice Search Hotword (Beta)
- YouTube
- Google Wallet (not found in the webstore but indicated by its manifest.json)
Entanglement, Google Search, Poppit!, Gmail and YouTube all appear on Chrome’s Apps page at chrome://apps.
I have no idea where Google Voice Search Hotwords and Google Wallet are used.
Load extension from file system
If an extension isn’t available in Google’s webstore you can still download and install it.
WARNING: You should only install an extension if you have inspected its source code to make sure that it isn’t doing anything malicious. Otherwise be very sure that you trust its author!
- Download it to your computer. It’ll probably have a .crx extension.
- At this point Chrome will be annoying and say “Extensions, apps, and themes can harm your computer. Are you sure you want to continue?” with the options to ‘Discard’ or ‘Continue’. If you click ‘Discard’ then the file won’t be downloaded. Click ‘Continue’ to download it.
- Chrome will then refuse to install the extension, with the message “Apps, extensions, and user scripts cannot be added from this website. It will have been downloaded though.
- Go to Settings -> Extensions.
- Either open your file manager and drag then extension (.crx file) to the Extensions page.
- Or…
- Unzip the extensions (a .crx file is just a zip file).
- Tick ‘Developer mode’ in the Extensions page.
- ‘Load unpacked extension….’
- Select the directory that contains the unzipped extension.
References
- Chrome extension id - how to find it
- Worst case scenario, what can a Chrome extension do with “Your data on all websites” and “Your tabs and browsing activity”?
- Understand permissions requested by apps and extensions
- Where is chrome extension directory in windows 8?
- Where does Chrome store extensions?
- Adding extensions from other websites
