53

Say a Chrome extension is turned off and has the permissions: "Read and change all your data on the websites you visit" and "Read your browsing history", or other similar tracking permissions.

Can these Chrome extensions still access these permissions or spy on you in other ways even if they are turned off?

Let's say that you were to keep these extensions turned off, but then turned them on for 5 seconds or for up to 10 minutes. Is it possible that they could upload your entire browsing history to the developers in that short timespan if they can "Read your browsing history"?

This question goes for browsers like Firefox as well.

Improve this question
6
  • 5
    Question is, could an extension modify a browser in such a way that, it could either make the turn-off button do basically nothing (only 'appear off'), or turn itself back on at a later stage? If the answer to either yes, then the answer to the above is also yes. (I'll leave whether it's possible to those more knowledgeable than me).
    – SE Does Not Like Dissent
    Commented May 14, 2018 at 12:31
  • 6
    @SSight3 Extensions are not allowed to run on the chrome://extensions page as far as I know, so it's not possible for an extension to fake the state of the enabled/disabled toggle.
    – ash
    Commented May 14, 2018 at 12:34
  • 2
    Everyday use of Google — Facebook, Twitter, whatever — has plenty more opportunities for information collection than some upstart Chrome Extension. Not that the author behind that extension couldn't have grandiose ambitions, but …
    – can-ned_food
    Commented May 15, 2018 at 0:35
  • 4
    Please don't mark a question as answered and a day later as unanswered and edit it to ask a new question. If you change your mind about the question, you really should ask a new separate question, once you have accepted an answer.
    – LPChip
    Commented May 15, 2018 at 14:29
  • 2
    @can-ned_food Worth noting if the fear is datamining, MITM can be deployed from anywhere (HTTP sniffer, dodgy CA, bad DNS, malicious Wifi hotspot, backdoored router, so on, so forth) and if a person's concern on a browser made by a company infamous for datamining, is 'are my extensions leaking?' I strongly suspect they might be overlooking much bigger issues.
    – SE Does Not Like Dissent
    Commented May 15, 2018 at 19:24

1 Answer 1

Reset to default
65

When an extension is turned off, it is not loaded into memory, and as such can't do anything.

When you turn an extension on, it has access to your entire browser history, and if an extension wants, it can submit your entire history to the server.

It depends on the extension if it really will do this. Spyware type extensions will, extensions that are meant to help you will usually only submit a website you are currently browsing, but whether or not an extension will do or not is purely speculation.

If you want to be safe and not want to allow an extension to transmit your data to their server, don't turn it on, ever.

Improve this answer
17
  • 2
    @wjandrea It is possible to read the source code of chrome extensions (.crx packages).
    – undo
    Commented May 14, 2018 at 18:31
  • 7
    @DavidMulder To be pedantic, Firefox mostly copied the Chrome extension system because it was simpler - they were rewriting a large part of their code base, and the existing extension APIs were closely bound with the internals so hard to keep working. Forcing every extension to be rewritten made their lives easier, and the hope is that they won't need to again as the new API is more restrictive, and more separated from the internal implementation. The permission model is a nice bonus, but given that most extensions need access to the DOM of every page you view, it doesn't prevent much.
    – IMSoP
    Commented May 15, 2018 at 12:05
  • 2
    @DavidMulder: You're assuming it's fine that Google has all your data in the first place.
    – Eric Duminil
    Commented May 15, 2018 at 12:08
  • 4
    @DavidMulder We don't know what Chrome is doing because we can't see the code. Saying that Chrome "in no way gives your data to Google" is patently false; when typing a URL into the address bar I measured traffic to and from Google servers before I even pressed Enter!
    – wizzwizz4
    Commented May 15, 2018 at 15:42
  • 2
    @wizzwizz4 It might be worth noting SRWare Iron (a privacy focused version of Chrome) details some... troubling features of Chrome.
    – SE Does Not Like Dissent
    Commented May 15, 2018 at 19:14

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .