Increasing security awareness of Chrome extension users; Introduction Zen Permissions

Many Chrome users, especially less technical ones install countless of Chrome extensions without knowing what kind of risk that may bring. In ideal world, all the extensions would be safe, but sadly that is not the world we live in.

In the wild we can still find many malicious extensions and extensions which require overly broad permissions. I want to change this and improve security awareness of the less technical Chrome extension users so I have built an extension which should help with that, called Zen Permissions.

Motivation & History

In the browser world, past couple of years have been very interesting. Fierce competition between different browser vendors such as Mozilla, Google and Opera and project such as V8, JägerMonkey and others have made the web faster, more secure and brought a lot of improvements and cool new feature to the developers and end users.

You could even argue that some of those project also played an important role in improving the speed of not just the client side, but also the server side applications.

Among other factors, innovation and competition between different vendors is also reflected in the shifts of browser usage shares

All those improvements allowed browser vendors to expose new and more powerful APIs not just to the web developers, but also to the browser extension developers. As such, browser extensions have been played an important part in the ecosystem and acted as an important driver for the browser adoption.

I can confirm this myself. I have been an early adopter of Mozilla browser and later on, Mozilla Firefox. First version of Chrome became available in the late 2008, but I have only been using it for the past ~3 years. The main reason for that were browser extensions. Mozilla Firefox had a large browser extension ecosystem and many awesome extensions such as NoScript, AdBlock, Firebug, YSlow, TamperData and others. Being a web developer myself meant I have used Firebug and other extensions on a daily basis. I have finally fully switched to Chrome once Developer Tools have become more mature and more extensions became available.

Firebug extension control panel; good friend of many web developers

Today Chrome extension ecosystem is very active and there are many different extension available. Google has done a lot to improve end user security by exposing relatively fine grained extension permissions to the developers and more recently by scanning extensions before publishing them to web store.

Nevertheless there are still many malicious extensions and extensions which require overly broad permissions out there.

Zen Permissions

Being a Chrome user myself, I decided to do something about it. I developed an extension called Zen Permissions which is available on Google web store.

Keep in mind that is an early MVP which has been developed over night, but I plan to continue hacking on it and release many other features in the future.

As such, the main goal of the MVP is to increase security awareness of the less technical end users. The way this extension does that is by providing at-a-glance overview of all the installed extensions and the permissions they require.

Quick, at-a-glance overview of the permissions required by different extensions

Keep in mind that this information is already exposed in the browser, but accessing it requires many clicks and it’s buried deep in the chrome://extensions page which is rarely visited by less technical users.

chrome://extensions page is not really friendly for the end users and viewing permissions requires multiple clicks

I encourage you to try it out by heading to the Google Web Store and installing it.

Plans for the future

First release is simple and only works in a retroactive mode, but I plan to continue to hack on it and make it more useful, both, for less technical end users and for the developers.

First of all, I want to make it proactive and even more approachable to the less technical “mom-and-pop” type of end user which might have installed a bunch of extensions a while back without really knowing what they do or what kind of risk they bring.

Anyone interested in the development is invited to participate and watch the repository on Github.

Conclusion

To close this, I hope this extensions will;

  • Help to increase security awareness of the less technical end users.
  • Push developers of extensions which require overly board permissions to modify their extensions to only require permissions the extensions really needs and when this is not possible, clearly document which permissions are required and why.
  • Push browser vendors to implement even more fine grain permissions.