If a Chrome Extension is installed but turned off, can it still spy on me?
When an extension is turned off, it is not loaded into memory, and as such can't do anything.
When you turn an extension on, it has access to your entire browser history, and if an extension wants, it can submit your entire history to the server.
It depends on the extension if it really will do this. Spyware type extensions will, extensions that are meant to help you will usually only submit a website you are currently browsing, but whether or not an extension will do or not is purely speculation.
If you want to be safe and not want to allow an extension to transmit your data to their server, don't turn it on, ever.
Related videos on Youtube
10 : 44
04 : 52
00 : 38
10 : 38
01 : 30
Michael d
Built websites from scratch with >1M monthly visitors. Topped 1M monthly organic search traffic through SEO. Coding in PHP, CSS, JS, AJAX, JQuery, Perl. Working in responsive UX/UI. Contact me at http://bapse.com/contact.html - I would be glad to discuss opportunities and partnerships
Updated on September 18, 2022Comments
-
Michael d almost 2 years
Say a Chrome extension is turned off and has the permissions: "Read and change all your data on the websites you visit" and "Read your browsing history", or other similar tracking permissions.
Can these Chrome extensions still access these permissions or spy on you in other ways even if they are turned off?
Let's say that you were to keep these extensions turned off, but then turned them on for 5 seconds or for up to 10 minutes. Is it possible that they could upload your entire browsing history to the developers in that short timespan if they can "Read your browsing history"?
This question goes for browsers like Firefox as well.
-
Varad Mahashabde about 6 yearsAlso maybe scroll through the programming and Ctrl-F in it, maybe. They are getting pretty readable now -
wjandrea about 6 years@Varad You mean read the source code? -
undo about 6 years@wjandrea It is possible to read the source code of chrome extensions (
.crxpackages). -
wjandrea about 6 years@rahul How would you do that? And what would you look for?
-
undo about 6 years@wjandrea See how. If you suspect that an extension is executing malicious code, you can inspect the source code to confirm your suspicions.
-
Varad Mahashabde about 6 years@wjandrea What Chrome does is download little tar-ball like packages which are then unzipped and then either built and loaded with the browser or kept in the install directory like CMD scripts (not sure which). Anyways, the source is downloaded, which could be searched for in %localappdata% or /var, or downloaded again.
-
Varad Mahashabde about 6 yearsAs for what to look for, you could open all the files at once in an editor, and then search for the command which calls the function to use the permission concerned. Also, people like to name things properly and leave comments to make things easier to maintain, so that's half your documentation
-
David Mulder about 6 years@EricDuminil Yeah, because 1) Google has no financial motivation to keep your data safe and 2) Firefox totally did not copy the Chrome extension system because it was safer...
-
IMSoP about 6 years@DavidMulder To be pedantic, Firefox mostly copied the Chrome extension system because it was simpler - they were rewriting a large part of their code base, and the existing extension APIs were closely bound with the internals so hard to keep working. Forcing every extension to be rewritten made their lives easier, and the hope is that they won't need to again as the new API is more restrictive, and more separated from the internal implementation. The permission model is a nice bonus, but given that most extensions need access to the DOM of every page you view, it doesn't prevent much. -
Eric Duminil about 6 years@DavidMulder: You're assuming it's fine that Google has all your data in the first place. -
David Mulder about 6 years@IMSoP The chrome extension API allowed far more granular permission control, that was a safety concern which was much appreciated. Additionally it naturally sandboxed extensions which was another safety advantage. All round the extension API was designed in a far more safe and modern way which was desirable.
-
David Mulder about 6 years@EricDuminil Except using Chrome in no way gives your data to Google. Logging in with a Google account and/or using Google DNS will at least pass some of your data to Google, but those are completely separate concerns from using Chrome.
-
wizzwizz4 about 6 years@DavidMulder We don't know what Chrome is doing because we can't see the code. Saying that Chrome "in no way gives your data to Google" is patently false; when typing a URL into the address bar I measured traffic to and from Google servers before I even pressed Enter! -
SE Does Not Like Dissent about 6 years@wizzwizz4 It might be worth noting SRWare Iron (a privacy focused version of Chrome) details some... troubling features of Chrome.
-
Mr Lister about 6 years@SSight3 Chrome has settings that you can turn on and off. SRWare Iron does not have some of those settings, so you are stuck with its defaults. And it is lagging behind with security updates; see also Why You Shouldn’t Use (Most) Alternative Browsers Based on Google Chrome. -
David Mulder about 6 years@wizzwizz4 Only if you have a prediction service set up and that's a single toggle in the settings. Here is more information for example: lifehacker.com/5763452/…
-
wizzwizz4 about 6 years@DavidMulder That's one setting. How does, say, the OK Google system work? What does it do?
