How to search all Chrome extensions for the dangerous unsafe-eval

[Karlston]

How to search all Chrome extensions for the dangerous unsafe-eval

In this guide, I will show you how you can search all installed Chrome extensions for the dangerous unsafe-eval content security policy. The method may also work for extensions installed in other browsers provided that the extension files are readable in plain text.

 

A new scandal surrounding a number of extensions that recorded and sold browsing data of users made the news last week. More than 4 million browser installations were affected this time and it was just the latest in a series of privacy related issues surrounding shady browser extensions.

 

The extensions in questions used a well documented Content Security Policy directive called unsafe-eval to download the remote payload and start the collecting and transferring of browsing data.

 

Chrome extensions need to declare unsafe-eval in the extension manifest to make use of it. The Chrome web store does not highlight the use and the extensions are clean otherwise when they are uploaded to the store by the developer.

 

Raymond Hill, the developer of uBlock Origin described the issue surrounding these malicious extensions that downloaded a payload to the user system after installation in the following way:

For an extension to be able to execute remote code in their own context, they need to explicitly declare `unsafe-eval` in their manifest.json.

 

In other words: these extensions declared unsafe-eval so that they could download the payload at a later point in time.

Hill recommends that users avoid any extension that declares unsafe-eval; that requires that users check the manifest file of the extension before they hit the "add to Chrome" button, however.

 

 

We published a Chrome extensions verification guide in 2015, a good resource to verify any Chrome Web Store extension before installation.

 

Here is a short overview since you may not want to read the entire long guide.

1. Download the Chrome Extension Source Viewer extension.
2. Open the profile page of the extension that you want to check.
3. Click on the CRX icon of the Chrome Extension Source Viewer extension and select "View Source".
4. Select the manifest.json file and check for unsafe-eval, e.g. by using F3 to open the on-page search.

What about installed extensions?

 

While you could open the manifest.json file of each of the installed extensions to find out if any used the unsafe-eval declaration, you may also search across all of them at once to speed up the process.

 

Here is how that is done:

1. Download the great tool Everything to your system. You may also use other text editors that support searching file content, e.g. UltraSearch or Notepad++.
2. Start the program by right-clicking on it and selecting "run as administrator".
3. Select Search > Advanced Search.
4. Type unsafe-eval in the "A word or phrase in the file" field.
5. Select the 😄 drive (or the equivalent on your system), or pick the extensions directory right away.
   1. To find the path, load chrome://version/ in the address bar.
   2. Copy the profile path value, e.g. C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Profile 1
   3. Paste it into the "located in" field.
6. Make sure "include subfolders" is selected.
7. Hit ok.

 

Everything searches the entire folder structure and all files for the selected phrase. Focus on manifest.json files and double-click on them to open them in the default text editor. Use the built-in search to search for unsafe-eval to verify the finding.

 

The same method should work for most other browsers.

 

 

 

Source: How to search all Chrome extensions for the dangerous unsafe-eval (gHacks - Martin Brinkmann)