11

I came across this plug-in that started some alarm bells ringing. The add-on would help submit a website to web directories. The first 100 submissions are free, then you need to pay $20 via PayPal (no other option) to get additional submissions.

This gave me the creeps! First install this plug-in and then do a payment via PayPal...

Is there a way to test the plug-in's behavior or view the communication it has with the browser content and/or input devices (keyboard)? I've thought of using a sniffer, then going to PayPal and pretending to do the payment (with a wrong password) to see if any data is going anywhere other than PayPal. However, the add-on might be clever enough to wait for a later moment when it "legitimately" needs to communicate with base (retrieving additional directories).

Any thoughts on alternatives?

3
  • 2
    What browser are you on? I was developing an add-on for Chrome at one time and could turn on debug mode for the add-on. I'm not sure how that works, though, if the add-on is not yours. It probably depends on how the author has obfuscated (if at all) his code. A lot of add-ons are built using JavaScript.
    – mikeazo
    Commented Nov 16, 2011 at 12:25
  • 2
    @mikeazo Good point, reverse engineering may be the way to go. Commented Nov 16, 2011 at 12:45
  • Thanks mikeazo, the add-on is in Chrome (they also have a Firefox version). After investigation it is indeed just a small JavaScript "page" (never knew add-ons were written like this). I didn't find anything shocking there; they're using the browser as a proxy to do the actual submissions, probably keeping them from being banned by the directories. Just to be safe I'll be using another browser without any add-ons when using PayPal or on-line banking, which I probably should have been doing all along. Commented Nov 16, 2011 at 14:32

3 Answers

5

Background. First off, I want to share with you some background about browser add-ins. There are two kinds of add-ins: extensions and plug-ins.

  • An extension is a JavaScript-based add-on that gains partial access to your browser, but is (at least in Chrome) restricted by a browser sandbox.

  • A plug-in involves native executable code that gains much more intimate access to your browser, and is not restricted by any sandbox. For instance, Flash player is a plug-in.

Plug-ins are considerably more dangerous, because they have full access to your filesystem, full access to run programs on your machine, full access to your browser (and all web sites you visit, passwords, etc.); they can do anything you can do. Extensions are more limited in what they can do (at least in Chrome), and thus (in Chrome) are safer.

I suspect you are asking about an extension, not a plug-in. For instance, the extensions in the Chrome Gallery are extensions.

How to tell if it is safe. In general, there is no good way to tell if an extension is safe. You can look at reviews from other users (though this is not fully dispositive). You can look to see if the extension has been around for a while, has a significant number of users, and/or comes from a respected brand/company/developer (though this is only an indicator and certainly not a guarantee of security).

And, perhaps most importantly, in Chrome you can look at the permissions that the extension is requesting. This will tell you what information the extension will gain access to and what it could do, if it were malicious. A malicious extension will be constrained by its permissions, so the fewer the permissions, the lower the risk of the extension.

Further reading. For more information, I suggest that you read the following:
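
Added example, not part of the answer above and not code from any real extension: a Node.js sketch of the permission review the answer describes, reading an unpacked extension's `manifest.json` and reporting which declared patterns reach a page you care about. The function names `auditManifest` and `patternCovers`, the selection in `SENSITIVE_APIS`, and both sample manifests are assumptions made for illustration.

```javascript
// API permissions that expose browsing data or traffic (Chrome permission names;
// the selection here is an assumption, extend it for your own review).
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest",
  "webRequestBlocking", "clipboardRead", "nativeMessaging", "debugger", "proxy"]);

const strings = (list) => (list || []).filter((p) => typeof p === "string");
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Does a Chrome match pattern cover this URL? The path part is ignored, so the
// result over-approximates, which is the safe direction for a risk review.
function patternCovers(pattern, url) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const { protocol, hostname } = new URL(url);
  const scheme = protocol.slice(0, -1);
  const schemeOk = m[1] === "*" ? scheme === "http" || scheme === "https" : m[1] === scheme;
  const host = m[2];
  const hostOk = host === "*" || host === hostname ||
    (host.startsWith("*.") && (hostname === host.slice(2) || hostname.endsWith(host.slice(1))));
  return schemeOk && hostOk;
}

function auditManifest(manifest, url) {
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const perms = [...strings(manifest.permissions), ...strings(manifest.host_permissions)];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => strings(cs.matches));
  const hostPatterns = [...perms.filter(isHostPattern), ...scriptMatches];
  return {
    sensitiveApis: perms.filter((p) => SENSITIVE_APIS.has(p)),
    reachesTarget: hostPatterns.filter((p) => patternCovers(p, url)),
    // Legacy "plugins" key: the extension bundles native (NPAPI) code, i.e. the
    // unsandboxed plug-in case; NPAPI support has since been removed from Chrome.
    bundlesNativePlugin: Array.isArray(manifest.plugins) && manifest.plugins.length > 0,
  };
}

// Constructed sample manifests, not taken from any real extension.
const narrow = {
  manifest_version: 2,
  permissions: ["tabs", "storage", "http://*/*", "https://directory.example/*"],
  content_scripts: [{ matches: ["*://*.example.org/*"], js: ["submit.js"] }],
};
const broad = {
  manifest_version: 2,
  permissions: ["cookies", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["*://*.paypal.com/*"], js: ["inject.js"] }],
  plugins: [{ path: "helper.dll" }],
};
console.log(auditManifest(narrow, "https://www.paypal.com/signin"));
console.log(auditManifest(broad, "https://www.paypal.com/signin"));
```

An empty `reachesTarget` means no declared pattern covers that page; a non-empty list shows exactly which patterns do, and `optional_permissions` requested later at runtime are not covered by this sketch.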

4

There isn't a general solution to this problem. It is the same question as:

How do I know there isn't a backdoor in [operating system / software / hardware]?

You can monitor it, reverse engineer it, sandbox it, but it still could be doing something you haven't thought of. Or something your combination of tools hasn't picked up.

Your best bet is to leave it to the professionals and install anti-virus software that would hopefully pick it up.

But, of course, that relies on this plug-in being widely used enough to come to the attention of the anti-virus companies.

2
3

If you do not want to spend time doing the steps Andrew explained (reverse engineering) and are really concerned about security, just assume all plugins are not safe unless they have a solid, active user base and a reputable author.

The plugin you described does not sound safe to me :) If you absolutely have to use it, run it in VMware to minimize possible loss and watch your PayPal account.

PS: I do not believe antivirus gives you good protection in this case.

1
  • Do you mean we should not install Java and Flash?
    – Pacerier
    Commented Jul 17, 2012 at 21:18
