Fighting off clones / how can a website determine an extension is legit?

Francois Devatine 馮韋元 (法國台客)

Jul 29, 2024, 12:06:07 PM
to Chromium Extensions
Would like to ask for opinions on this topic. Per my understanding it is very difficult for a website to determine that the extension installed is legit.

By design, extensions can use powerful APIs which allow them to interact with websites in almost any way. They can modify HTTP headers, inject JavaScript, modify the DOM, interact with cookies, etc.

Say that a website is supposed to communicate with a single, official Chrome extension.
What could the website do to determine that the extension it is interacting with is the official one?

Per my understanding, it is very easy to download a copy of the extension in the Chrome store. Even if the code is obfuscated, it will still be possible for a third party to look at the types of interactions between the extension and the website, and mimic them in a clone extension.

The only mechanism I could think of is to often change the mechanism in place to determine the extension is authentic. Third parties trying to mimic the extension will have to keep updating their extensions as well to follow the same patterns, and hopefully one's extension could always be one step ahead that way.

Thanks,
Francois

Cuyler Stuwe

Jul 29, 2024, 1:18:12 PM
to Francois Devatine 馮韋元 (法國台客), Chromium Extensions
Answering this question depends on a bit more context, the most crucial being: "Who are you primarily concerned with trying to protect?"

If you're trying to prevent your own backend systems from interacting with a motivated user who has reverse-engineered and spoofed your extension (including e.g., with an altered Chromium browser), this is one thing.

But if you're just trying to protect your Chrome users from interacting with faked clones of your Chrome extension, that's another thing altogether.

Once you lock your ID on the Chrome Web Store, it's stuck in place "permanently" (the only way another extension can arrive at the same ID even for a local install is to have the private key of the public key this ID is derived from).
If you're using the "official mechanism" (externally_connectable) to communicate between your extension and a webpage you control, communication is gated by this ID.

If this doesn't resolve your concern, you've gotta provide a bit more detailed context on what exactly it is you're trying to do.

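The binding between an extension ID and its key pair mentioned in the reply above, as an added example that is not part of the original thread: a Node.js sketch that derives the ID from a public key and checks a manifest `key` value against an expected ID. The function names are hypothetical and the key pairs are constructed sample data generated on the fly.

```javascript
const nodeCrypto = require('crypto');

// Chrome spells the ID with letters a-p: each hex digit 0-f is shifted onto 'a'..'p'.
function hexToExtensionAlphabet(hex) {
  return hex.toLowerCase().replace(/[0-9a-f]/g, (c) =>
    String.fromCharCode('a'.charCodeAt(0) + parseInt(c, 16)));
}

// publicKeyDer: Buffer with the DER-encoded SubjectPublicKeyInfo of the extension key.
// The ID is the first 128 bits of SHA-256 over those bytes.
function extensionIdFromPublicKey(publicKeyDer) {
  const hex = nodeCrypto.createHash('sha256').update(publicKeyDer).digest('hex');
  return hexToExtensionAlphabet(hex.slice(0, 32));
}

// manifestKeyBase64: the manifest.json "key" value (base64 of the same DER bytes).
function manifestKeyMatchesId(manifestKeyBase64, expectedId) {
  return extensionIdFromPublicKey(Buffer.from(manifestKeyBase64, 'base64')) === expectedId;
}

// Constructed sample: freshly generated key pairs stand in for publisher and clone.
function newManifestKey() {
  const { publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
}

function demo() {
  const officialKey = newManifestKey();
  const cloneKey = newManifestKey(); // a different key pair, as a clone would have
  const officialId = extensionIdFromPublicKey(Buffer.from(officialKey, 'base64'));
  return {
    officialId,
    officialMatches: manifestKeyMatchesId(officialKey, officialId),
    cloneMatches: manifestKeyMatchesId(cloneKey, officialId),
  };
}

console.log(demo());
```

A package signed with a different key hashes to a different ID, which is why the ID can serve as the gate for `externally_connectable` messaging.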

Francois Devatine 馮韋元 (法國台客)

Jul 29, 2024, 10:28:24 PM
to Chromium Extensions, Cuyler Stuwe, Chromium Extensions, Francois Devatine 馮韋元 (法國台客)
Thanks for the reply,

I would say this request is mostly from the point of view of my company as a publisher, we want to know that the extension is legit and authorized. But regarding our users, we also want to be sure they are interacting with a good extension, and not one doing additional unwanted features.

You mentioned externally_connectable, but I think even with a permanent id, it is easy for an extension to pretend it is an official extension.
Assume my extension id is id=12345
Example: my website has a script.js where it executes runtime.connect(12345) to connect to my extension, and executes some logic.
A fake extension with id=88888 can easily inject another JavaScript function to my website using content script to interact with window, making it use runtime.connect(88888) instead, basically modifying the website's scripts to make it do what it wants.