There are lot of great extensions available for Google Chrome. When I tried to install them most of the extensions gave a warning "This extension will have access to your data …".
The extensions were approved by google and many got 4 stars and above, still I was skeptical to install them fearing what if they misuse it.. ?
After doing some research on what data they actually access, I found the following answers in Google Chrome Extension forum. Now I can install the plugins which are rated high and verified by Google team.
If we dont trust Google, why even bother using their browser or their services.
Now my Chrooooommmmmmmeeeeeeeeee is extended.
ooOoo
Chrome extensions have a manifest file, that specifies which pages that you visit, that the extension can interact with. The extension you're trying to install, might need access to all pages you visit.
Some extensions might want to access any page you visit, for legit reasons. Most, in fact. If the extension does anything with your page (modify, extend or in any way behave because of the content you see), you'll get that warning when installing the extension.
Extensions cannot access the passwords you store in the password manager that is built into Chrome. It might, however, have access to the information that you submit to websites, including passwords and other personal details. But it would have to be built for that specific purpose.
It all boils down to whether you trust the source or not. The vendor cannot hide how the extension works, so a rouge extension would probably have a short life.
Cheers!
- christianp
Hi everyone,
Thanks for the feedback on this. christianp has done a great job explaining some of this so far (thanks christianp!) and I'll reiterate/clarify on some points.
Depending on the extension you install, the extension might need legitimate access to various things to carry out its purpose. For example, if you see the message that the extension can have access to "your private data on all websites," this usually means that the extension is inserting content scripts into a page. Content scripts are used to make changes to what's being shown on a page. An extension for blocking ads is one such example since it needs to modify the execution of the page to not show ads. In this case, this ability to modify page content brings you a desired functionality. However, this same ability means the extension can have the ability to read information submitted on the page, which includes private data. This is not to say it's going to do this or do something malicious with it, but it *can* if the extension author is ill-intentioned and built his extension specifically for this purpose. This is why we always advise users to only download extensions from authors they know and trust (they have great reviews, have a lot of users, good reputation, etc).
This is no different from the risk you take when installing software in general and the same risks exist in other browsers when installing extensions/add-ons. That said, we have done and are still doing many things to try and mitigate potential damage that can be caused by malicious extensions. For example, we can enforce granular access to permissions (having access to some sites instead of all sites), we isolate extension code from web page code to reduce the ability for malicious web pages to infect good extensions, and more. You can read more about security and Chrome extensions in a very informative blog post listed in my references.
Keep in mind that Google can also remove any malicious extension from the gallery and disable the extension for existing users when discovered. You can report malicious extensions by using the 'Report abuse' link off the extension's gallery details page.
Hope this helps!
Toni (Googler)
Google Employee
7/17/10
Related Link
Google Chrome Browser Extensions for everyday user – 1
