Search Chrome extensions for unsafe-eval



  • An informative article on ghacks based on a tweet by Raymond Hill (uBlock Origin, uMatrix), that explains an easy method to inspect Chrome extensions for the dangerous remote code execution method.

The long and short of it: search your extensions' manifest.json files for the following line:

    unsafe-eval

    and if this line is present in the manifest.json file, delete the extension and never use it again.


  • Moderator

Thanks for such insights and the useful article 🙂



  • A closer read of Raymond Hill's tweet shows that an extension can also call remote code execution by using:

    unsafe-inline

    in the manifest.json file, so you need to search for both:

    unsafe-eval

    and also search for:

    unsafe-inline


  • Ambassador

⚠ Be very careful before deleting any extension just because it has either of the terms mentioned above.
I found the term in the first manifest.json I opened. This happened to be my bank's recommended security software (Windows and Chrome extension)!
It is there to secure my connection to the bank's website and ensure it is not compromised (that some other application is not taking a screenshot or there is no keyboard logger present).
    Without this "unsafe-eval" term the extension will not have the necessary functionality to do what is intended.

From MDN:

    "'unsafe-inline'
    Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.

    'unsafe-eval'
    Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes."

    And from lifehacker:

    "...This is only one item in your security toolbag; some due diligence will still be required to separate good extensions from bad extensions..."
    and
"...Again, "unsafe-eval" doesn't necessarily mean an extension is operating in bad faith. However, it does indicate that you might want to give that extension more scrutiny."

    So do your due diligence before any arbitrary deletions.

    P.S.
    You can do a Search through Windows Explorer to find all "manifest.json" files in the Vivaldi\Default\ folder then open in any text editor to find the terms above.



  • @greybeard
    If it took you to actually look to find it, and your bank is executing remote code on your computer without your knowledge and without your prior consent, I suggest you change your bank.



  • The only one I found was in the hidden (and not removable) Chrome Media Router extension, I guess more baggage inherited from good ol' Chrome courtesy of our friend Google...

"content_security_policy": "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;

    Then again, I wouldn't take this one extension as a major issue, and if I understand the above correctly, it will just allow 'unsafe-inline' from only the fonts.googleapis.com host.

    Generally I would also say deleting an extension just because it happens to contain one of the strings seems a bit of a knee-jerk reaction.

    That doesn't mean a user shouldn't carefully consider whether the need for an extension outweighs the potential security risk. A lot of users have way too many extensions installed. And we know many of them are shady. Sadly, most users lack the ability to tell a shady extension apart from a trusted one. So this might be a reasonable thing to ask them to do.

Problem is, the same users who are unable to make an educated decision on the safety of an extension are probably also not capable of finding their installed extensions folder, let alone how to search text files for some string 😉


  • Vivaldi Translator

    This isn't a new added threat. It is part of the design specifications that has always needed to be used responsibly.

    It is a matter of context just same as when installing apps.
    Does the problem permission or feature belong, or is the feature required for the app to work ?
    If not, then delete.
    However most users won't know if it is a required feature.

    If you trust the extension and author, then you trust them not to abuse the function.

    The official Google Translate extension uses it.
    The clone of old Opera "RSS Aggregator" uses it
    The Shodan extension uses it
    Helperbird Dyslexia & Accessibility Tool uses it
    Chrono download and Ultimate Video Saver use it
    InVID video and image forensics extension uses it.



  • @Dr-Flay said in Search Chrome extensions for unsafe-eval:

    The official Google Translate extension uses it.

Can you explain how the official Google Translate extension uses remote calls, since its manifest.json file includes neither unsafe-eval nor unsafe-inline?



  • @raed said in Search Chrome extensions for unsafe-eval:

Can you explain how the official Google Translate extension uses remote calls, since its manifest.json file includes neither unsafe-eval nor unsafe-inline?

$ cat manifest.json | grep unsafe
"content_security_policy": "script-src 'self' 'unsafe-eval' https://translate.googleapis.com; object-src 'self'",

Again, no big deal, because it only allows it for the translate.googleapis.com host. Well... depending how paranoid you are about Google, that is 😉



  • @Pathduck said in Search Chrome extensions for unsafe-eval:

...Well... depending how paranoid you are about Google, that is 😉

Thanks, and very. 😉


  • Moderator

@Pathduck You do not need a pipe for searching in a file. Too much typing.
grep unsafe manifest.json



@Gwen-Dragon I'm O|d SCH00l 🤓


  • Moderator

@Pathduck Oh Stian boy, the pipes, the pipes are calling ... 😉
    https://www.youtube.com/watch?v=XnfmagQoYrA



@Gwen-Dragon I do like me some Uilleann pipes! 🇮🇪



These 3 extensions got it. Are they safe, or should I stop using 'em?

    noscript
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'none'",

    tabsets
    "content_security_policy": "script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com; object-src 'self'",

    green eye
    "content_security_policy": "script-src 'unsafe-eval' 'self' https://www.google-analytics.com; object-src 'self'",
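A scripted version of the manual manifest.json search discussed in this thread, added here as an example; it is not code from any poster or from Vivaldi. Instead of grepping for the bare string, it parses each manifest's content_security_policy (the MV2 string form and the MV3 object form), splits the policy into directives, and reports which directive carries 'unsafe-eval' or 'unsafe-inline', since a keyword in script-src (or in default-src when no script-src is given) affects script execution, while one in style-src only affects inline styles. The directory layout it walks is an assumption; the sample manifests are constructed, with the CSP strings taken from the ones quoted in this thread plus one made-up clean MV3 manifest.

```python
"""Scan Chrome/Vivaldi extension manifests for CSP directives that carry
'unsafe-eval' or 'unsafe-inline' and say which directive each one is in.

Added example for this thread, not code from any poster. The Extensions
directory layout is assumed; SAMPLE_MANIFESTS below are constructed, using
the CSP strings quoted in the thread.
"""
import json
import os
import sys
from typing import Dict, List, Tuple

UNSAFE_KEYWORDS = ("'unsafe-eval'", "'unsafe-inline'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}.

    Directives are ';'-separated; inside one, tokens are whitespace-separated.
    """
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_policies(manifest: dict) -> Dict[str, str]:
    """Return policy strings keyed by context.

    MV2 stores a single string; MV3 stores an object such as
    {"extension_pages": "...", "sandbox": "..."}.
    """
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        return {"extension_pages": csp}
    if isinstance(csp, dict):
        return {k: v for k, v in csp.items() if isinstance(v, str)}
    return {}


def governs_scripts(directive: str, directives: Dict[str, List[str]]) -> bool:
    """True if a keyword in this directive affects script execution.

    script-src always does; default-src only when script-src is absent
    (CSP fallback rule); style-src, font-src, etc. never do.
    """
    if directive == "script-src":
        return True
    return directive == "default-src" and "script-src" not in directives


def find_unsafe(manifest: dict) -> List[Tuple[str, str, str, bool]]:
    """List (context, directive, keyword, affects_scripts) for each hit."""
    findings = []
    for context, policy in csp_policies(manifest).items():
        directives = parse_csp(policy)
        for name, sources in directives.items():
            for kw in UNSAFE_KEYWORDS:
                if kw in sources:
                    findings.append((context, name, kw, governs_scripts(name, directives)))
    return findings


def scan_extensions(root: str) -> Dict[str, List[Tuple[str, str, str, bool]]]:
    """Walk an Extensions directory (assumed layout: one manifest.json per
    unpacked extension version) and map manifest paths to their findings.
    Unreadable or malformed manifests are skipped."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8-sig") as fh:  # tolerate a BOM
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        findings = find_unsafe(manifest)
        if findings:
            results[path] = findings
    return results


# Constructed sample manifests; the CSP strings are those quoted in the thread.
SAMPLE_MANIFESTS = {
    "noscript": {"manifest_version": 2, "name": "NoScript",
                 "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'none'"},
    "media_router": {"manifest_version": 2, "name": "Media Router",
                     "content_security_policy": "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;"},
    "translate": {"manifest_version": 2, "name": "Google Translate",
                  "content_security_policy": "script-src 'self' 'unsafe-eval' https://translate.googleapis.com; object-src 'self'"},
    "mv3_clean": {"manifest_version": 3, "name": "Example MV3 (made up)",
                  "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}},
}


def report(manifests=SAMPLE_MANIFESTS) -> List[str]:
    """One human-readable line per finding for the given manifests."""
    lines = []
    for key, manifest in manifests.items():
        for context, directive, kw, scripts in find_unsafe(manifest):
            verdict = "affects scripts" if scripts else "styles only"
            lines.append(f"{key}: {context} {directive} has {kw} ({verdict})")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
    # Real scan: python csp_scan.py <path to the profile's Extensions folder>
    if len(sys.argv) > 1:
        for path, hits in scan_extensions(sys.argv[1]).items():
            print(path, hits)
```

Run it with the Extensions folder under the Vivaldi profile directory mentioned earlier in the thread as its argument; without an argument it only reports on the embedded samples. On the samples it flags the NoScript and Google Translate policies as script-affecting and the Media Router one as styles only. Chrome's own loader only accepts 'unsafe-eval' (plus https: hosts) as a relaxation of script-src in MV2 manifests and rejects 'unsafe-inline' there, which is why the unsafe-inline hits people find tend to sit in style-src.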



  • @dude99

    I would look for alternative extensions on Chrome web store, that provide the same functionality without using the remote code execution method.

    Even if the extension is safe, there is no way to guarantee that it will not get compromised by malicious code in the future.

    For example, you can use uMatrix to block scripts, (how to link).

    WhiteBuster instead of green eye.

    I have never used tabsets, but I would imagine that Vivaldi's save session has the same functionality?

