How do I know if a Google Chrome extension is leaking data?

According to

[Chrome Extensions] are built on web technologies such as HTML, JavaScript, and CSS.

This means, anything that could affect the behavior of an extension will exist in a plain-text format (as opposed to a binary). Chrome allows you to debug extensions, giving you a comparatively easy way to see what an extension is doing, and whether or not some behavior of an extension is potentially malicious.

This requires the user to be somewhat fluent in the above-mentioned technologies. There are certain attacks, purely using CSS, which can be used to exfiltrate data. Without knowledge of CSS or understanding of these attacks, it would be hard to identify them among megabytes of auto-generated CSS code.

A non-technical user will likely not be able to carry out such an analysis. In this case, it helps to follow typical security advice:

  • Only install extensions from credible sources (i.e. the Chrome Web Store)
  • Popular extensions are more likely to get audited than unknown extension
  • Only install extensions where the benefit greatly outweighs the risk
  • Pay attention to the permissions required by the extensions and if it makes sense that those permissions are requested

Tracing your browser traffic using a free proxy like fiddler can show some eye opening things. I could see an outbound request to an unfamiliar domain after every page I visited. Looking at the headers of the unfamiliar requests in Fiddler, i could see the URL of the page i visited! I disabled my chrome extensions one by one until I found the culprit. Turns out developer was monetizing - see git issue report. ... Further, he was injecting the code into the store manifest so it wasn't visible in git repo. This is a rather large "supply-chain" style attack vector where a 3rd party maintainer gives up rights to code or even gets breached and malicious code is introduced to existing packages/extensions.

I was developing extension for Chrome working with network of browser (not only current window). And I was surpriset how many data are transfered even when I don't do any actions.

There was communication of:

  • inactive tabs
  • closed tabs (through service worker)
  • extensions

but it's hard to determine what is leaking of data and what is communication necessary for extension working. Because there's so much traffic.