How to view / audit a Chrome extension's source code?
I am concerned that a chrome extension is providing users with different code than that in its open-source repo. The extension is MetaMask, a cryptocurrency wallet that was recently found to be injecting unique identifiers into every website a user visits, despite saying they weren't. I've now heard that MetaMask can also act as a DNS resolver, which is a lot of power for a deceitful app.

What's the best way for me to download this Chrome extension from the web store and compare its hash to the build of the open-source code? Are there any existing Chrome extensions or websites where you can do this more easily, i.e. compare the GitHub repo directly to what's on the Chrome Web Store?

Tannenwald answered 18/5, 2019 at 13:23 Comment(6)
Sounds like a very basic file management operation. Download the extension (either by installing it or using a special downloader), unpack and do a recursive diff. (Crease)
Yeah. I was hoping for explicit instructions, particularly when it comes to "unpacking" the code back to source. Since it's probably compressed, you would have to actually build the source and then compress it; then a recursive diff would only show you changes to the minified version. And downloading the extension itself is not clear either. Hopefully there is a repo or existing tool to make this easier. (Tannenwald)
Since Chrome extensions can auto-update, a Chrome extension that automatically audited other Chrome extensions' code once per day would be very useful. Ideally the browser itself would provide this feature. (Tannenwald)
There's no way to unpack minified code. You can only minify the source using exactly the same toolchain. (Crease)
That naturally happens when your question is too vague and broad. FWIW, by "unpacking" I originally meant unzipping. (Crease)
As for downloading from the web store, it's trivial to google up various solutions. Personally I'm using CRXViewer. P.S. The question is also off-topic for StackOverflow unless you're writing such an auditing tool yourself. (Crease)
Disclaimer: This guide assumes the usage of Chrome and a UNIX-style operating system.


Step 1: Get shipped source code

  1. Go to chrome://extensions/ and activate Developer mode in the top right corner.
  2. Click on Details of the extension and find its ID (it will be a long string of random characters).
  3. Locate your Chrome profile's extension folder:

    find ~ -type d -iname <extension_id> (fill in the extension's ID)

  4. The results of find will show a folder with the extension's (most likely compressed) source code.

Step 2: Build the source-code yourself

  1. Clone the source code via git (git clone git@github.com:MetaMask/metamask-extension.git)
  2. Follow the steps from the extension's build guide

Step 3: Compare the two

  1. Run diff recursively on the two folders. folder1 could be the shipped source code and folder2 your self-built source code.

    diff -r folder1/ folder2/

  2. diff will give you the exact differences in code/files/etc. This can be a lot and will have to be checked manually to find out what the real differences are...


P.S. I am very interested in the results and will run the comparison myself later...

Hanson answered 27/5, 2019 at 13:8 Comment(0)
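As an added illustration of Steps 1 and 3 of the answer above (this is example code, not part of the original answer or of the MetaMask project), the following POSIX shell helpers compare two unpacked extension trees by per-file SHA-256 rather than by raw `diff -r`, so a large minified bundle that differs is reported once by name instead of as thousands of changed lines. The shipped tree is assumed to be the extension directory found under the Chrome profile, the built tree the output of the project's own build step; the two small sample trees created by `make_sample_trees` are constructed for the demo and are not real extension files.

```shell
#!/bin/sh
# Added example (not from the original answer): per-file hash comparison of a
# shipped (unpacked) Chrome extension tree against a self-built tree.
# Assumption: both directories are plain unpacked file trees.

# hash_file FILE -> "<sha256>  FILE" (sha256sum on Linux, shasum on macOS)
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi
}

# tree_hashes DIR -> one "<sha256>  ./relative/path" line per regular file,
# sorted by path so two trees can be compared line by line.
tree_hashes() {
  (
    cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      hash_file "$f"
    done
  )
}

# locate_extension ID -> prints directories named after a Chrome extension ID
# (32 lowercase letters a-p) under the current user's home, i.e. Step 1 of the answer.
locate_extension() {
  case "$1" in
    *[!a-p]*|"") echo "not a Chrome extension id: $1" >&2; return 1 ;;
  esac
  [ ${#1} -eq 32 ] || { echo "extension id must be 32 characters" >&2; return 1; }
  find "$HOME" -type d -name "$1" 2>/dev/null
}

# compare_trees SHIPPED BUILT -> prints the hash-list diff; returns 0 when every
# file matches, 1 when any file differs or exists on only one side.
compare_trees() {
  a=$(mktemp) || return 1
  b=$(mktemp) || return 1
  tree_hashes "$1" > "$a"
  tree_hashes "$2" > "$b"
  if cmp -s "$a" "$b"; then
    rc=0
  else
    diff "$a" "$b"
    rc=1
  fi
  rm -f "$a" "$b"
  return $rc
}

# make_sample_trees -> creates two constructed mini extension trees in a temp
# directory that differ in exactly one file, and prints the temp directory path.
make_sample_trees() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/shipped/scripts" "$root/built/scripts"
  printf '{"name":"demo","version":"1.0"}\n' > "$root/shipped/manifest.json"
  cp "$root/shipped/manifest.json" "$root/built/manifest.json"
  printf 'console.log("hello")\n'  > "$root/shipped/scripts/background.js"
  printf 'console.log("hello");\n' > "$root/built/scripts/background.js"  # differs
  echo "$root"
}

# Demo on the constructed trees. Real use: compare_trees <unpacked_dir> <build_dir>
demo=$(make_sample_trees)
compare_trees "$demo/shipped" "$demo/built" || echo "trees differ (see diff above)"
rm -rf "$demo"
```

Files listed only on one side show up as lines present in only one hash list, which is the quickest way to spot a script the store build ships that the repository build does not produce; a file present on both sides with a different hash still needs the line-level `diff -r` from the answer to see what changed.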
2020 was a bad year for Chrome extension trustworthiness, but it also revealed some of the malicious techniques that are being used in the wild. The most common are loading and executing dynamic scripts, or conditionally executing obfuscated code when certain conditions are met.

It's very unlikely that you would find out if an extension is malicious just by performing a static analysis. Otherwise, the Chrome Web Store would have flagged the extension at submission time. I would argue that only a security-expert-led Chrome extension security scan can truly determine if an extension is secure.

Cowan answered 27/2, 2021 at 20:50 Comment(0)
On Mac, go to the extensions folder with: cd ~/Library/Application\ Support/Google/Chrome/Default/Extensions

Folk answered 1/2 at 21:17 Comment(0)