nick carraway

Reputation: 280

How to view / audit a Chrome extension's source code?

I am concerned that a Chrome extension is providing users with different code than that in its open-source repo. The extension is MetaMask, a cryptocurrency wallet that was recently found to be injecting unique identifiers into every website a user visits, despite saying they weren't. I've now heard that MetaMask can also act as a DNS resolver, which is a lot of power for a deceitful app.

What's the best way for me to download this Chrome extension from the web store and compare its hash to the build of the open-source code? Are there any existing Chrome extensions or websites where you can do this more easily, i.e. compare the GitHub repo directly to what's on the Chrome Web Store?

Upvotes: 11

Views: 7809

Answers (3)

Joseph

Reputation: 4725

On Mac, go to: cd ~/Library/Application\ Support/Google/Chrome/Default/Extensions

Upvotes: 2

v3nom

Reputation: 573

2020 was a bad year for Chrome extension trustworthiness, but it also revealed some of the malicious techniques that are being used in the wild. The most common are loading and executing dynamic scripts, or conditionally executing obfuscated code when certain conditions are met.

It's very unlikely that you would find out if an extension is malicious just by performing a static analysis. Otherwise, the Chrome Web Store would have flagged the extension at submission time. I would argue that only a security-expert-led Chrome extension security scan can truly determine if an extension is secure.

Upvotes: 1

janniks

Reputation: 3180

Disclaimer: This guide assumes the usage of Chrome and a UNIX-style operating system.


Step 1: Get shipped source code

  1. Go to chrome://extensions/ and activate Developer mode in the top right corner.
  2. Click on Details of the extension and find its ID (it will be a long string of random characters).
  3. Locate your Chrome profile's extension folder:

    find ~ -type d -iname <extension_id> (fill in the extension's ID)

  4. The results of find will show a folder with the extension's (most likely compressed) source code.

Step 2: Build the source-code yourself

  1. Clone the source code via git (git clone [email protected]:MetaMask/metamask-extension.git)
  2. Follow the steps from the extension's build guide

Step 3: Compare the two

  1. Run diff recursively on the two folders. folder1 could be the shipped source code and folder2 your self-built source code.

    diff -r folder1/ folder2/

  2. diff will give you the exact differences in code/files/etc. This can be a lot and will have to be checked manually to find out what the real differences are...


P.S. I am very interested in the results and will run the comparison myself later...

Upvotes: 9
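As an added example (not from janniks's answer or the MetaMask project), a POSIX shell helper that does Step 3 with per-file SHA-256 manifests instead of a raw diff -r dump: it lists paths present on only one side and paths whose contents differ, and returns non-zero when anything differs. The sample trees it builds and the extension path in the usage comment are constructed assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the answer): compare a shipped Chrome extension
# directory against a self-built one by hashing every file, so the result is a
# short list of "only-in-shipped", "only-in-built" and "content-differs" paths.
# Manifest lines are "relative/path<TAB>sha256", sorted by path in C collation.
set -eu
tab=$(printf '\t')

# manifest DIR -> prints one "path<TAB>sha256" line per regular file, sorted
manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    if command -v sha256sum >/dev/null 2>&1; then   # Linux
      h=$(sha256sum "$f" | cut -d' ' -f1)
    else                                            # macOS
      h=$(shasum -a 256 "$f" | cut -d' ' -f1)
    fi
    printf '%s\t%s\n' "${f#./}" "$h"
  done)
}

# compare_builds SHIPPED BUILT -> one line per differing path; exit 1 if any
compare_builds() {
  m1=$(mktemp); m2=$(mktemp); rc=0
  manifest "$1" > "$m1"
  manifest "$2" > "$m2"
  # join on path; a path present on one side only gets MISSING as the other hash
  LC_ALL=C join -t "$tab" -a1 -a2 -e MISSING -o 0,1.2,2.2 "$m1" "$m2" |
    awk -F "$tab" '
      $2 == "MISSING" { print "only-in-built   " $1; n++; next }
      $3 == "MISSING" { print "only-in-shipped " $1; n++; next }
      $2 != $3        { print "content-differs " $1; n++ }
      END { exit n > 0 }' || rc=$?
  rm -f "$m1" "$m2"
  return $rc
}

# Constructed sample trees (not real MetaMask files): js/app.js differs and
# js/extra.js exists only in the shipped copy. Prints the sample root directory.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/shipped/js" "$root/built/js"
  printf '{"name":"demo","version":"1.0"}\n' > "$root/shipped/manifest.json"
  printf '{"name":"demo","version":"1.0"}\n' > "$root/built/manifest.json"
  printf 'console.log("built from repo")\n'  > "$root/built/js/app.js"
  printf 'console.log("shipped bundle")\n'   > "$root/shipped/js/app.js"
  printf '// file absent from the repository\n' > "$root/shipped/js/extra.js"
  printf '%s' "$root"
}

# Usage (assumed Linux profile path): compare_builds ~/.config/google-chrome/Default/Extensions/<id>/<version> path/to/built/dist
```

Files only in the self-built tree are usually build artifacts, so the "only-in-shipped" and "content-differs" lines are the ones worth reading first.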
