Google-chrome – Do Chrome extensions for one User have any access to other users

Tags: browser, google-chrome, google-chrome-extensions, security

I am trying to isolate any installed Google Chrome / Chromium extensions from my more private web browsing activity. My thought was to have two Chrome "Users", with more private browsing done in one, and less private browsing with extensions in the other. I want to know if this is "reasonably" (*see below) secure.

Suppose I have the following setup:

  • I set up Chrome/Chromium so that I have two "Users" (via the Chrome settings page). Call them UserAlice and UserBob.
  • UserAlice has no extensions installed.
  • UserBob has some extensions installed. When installed, some of them have permissions granted to them.

Given this scenario, the main question is:

  • Do the extensions for UserBob have any possibility of having access to even a tiny bit of the activity and content of UserAlice?
    • If "yes", then which permissions allow this cross-user access?

* By "reasonable", I mean I want to protect against the following: Suppose UserBob has a malicious extension installed that somehow can read usernames and passwords from websites that are browsed to, such as email or a bank. UserAlice browses to email and banking websites. "Reasonably secure" means that UserAlice's username and passwords, email, banking, etc. cannot be accessed by any of the malicious extensions installed by UserBob.

Best Answer

Short answer: As long as you install a Chrome extension from the Chrome Web Store and do not explicitly install a separate standalone binary, then the extension is, by default, trapped within the browser profile and cannot access or modify other Chrome users. To say that there are "no filesystem protection in place" is inaccurate, as Chrome has never supported XUL-type extensions.


I'll address the two ways the other answer mentions as routes an extension can leverage to escape the confinement of a browser profile and access other parts of the filesystem, plus an extra. The first is through the nativeMessaging WebExtension permission, the second through triggering a file dialog, and the third is through the isAllowedFileSchemeAccess API. None are automatic (background or otherwise) and all require the user to explicitly agree to such access.

1) A WebExtension using the nativeMessaging permission cannot pull in the privileged native application on its own. Until the user explicitly decides to install the native application, the WebExtension is trapped within the browser profile it was installed in.

From the other answer, "[i]f any ... extensio[n] require[s] administrator access to install" then said software comprises more than just a pure Chrome extension, e.g., the extension taps into a standalone nativeMessaging client installed outside of Chrome, and by installing the external client (outside of Chrome) one might as well have installed a system-wide standalone keylogger binary that affects much more than just the browser. Game over, but the user's fault, since s/he has overridden the security provided by the browser.

2) From the other answer: "I was ... able to launch a portable copy of Firefox in which I installed an sqlite browser ... and browse to my old profile and see my history." File dialogs require explicit user interaction, hence this is not a security bug. If the user explicitly loads files into the browser profile for the extension to manipulate, then the user has expressed his/her agreement to having their data shared with the extension. Otherwise, the extension can do nothing but hope for the user to select a file in the Open File dialog, which the user (recalling the profile is meant to trap potentially untrustworthy extensions) can simply close.

3) The isAllowedFileSchemeAccess API on Chrome allows read-only access to the filesystem via the file:// protocol. However, "a user must explicitly permit this behavior for a given extension through the Chrome preferences pane in chrome://extensions" and as of early 2017 only 55 extensions on the CWS ask for it. (Source: Mozilla Wiki) Not only is the likelihood of encountering an extension abusing this privilege to snoop into the filesystem very low, but the privilege also requires that the user manually grant it to a browser extension.


Using separate browser profiles to isolate potentially dangerous extensions is more than good enough, as separate OS-level user accounts are overkill, unless one is defending against zero-day browser exploits that completely trash Chrome's WebExtension API permission model, in which case VM-level protections are in order. If we're playing with software that leverages exploits, then OS-level user accounts provide insufficient protection as we are now toying with malware.

Chrome Apps are an entirely different kettle of fish since they enjoy more permissions than standard Chrome extensions, but they are a deprecated technology and, more importantly, outside the scope of the OP's question since it asks about Chrome extensions. Thus, Chrome Apps are not covered in this answer.

In conclusion, a Chrome extension cannot jump across browser profiles unless 1) the user has manually installed a standalone executable external to Chrome, in which case all bets are off; 2) the user selects a file in a file open dialog generated by an extension, in which case the user has explicitly granted the extension permission for arbitrary file access; 3) the user manually ticks a box in chrome://extensions that extensions cannot themselves modify.
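An audit sketch for point 1 of the answer above, added here as an example and not part of the original answer: it lists the extensions in one profile that declare `nativeMessaging` and checks whether any installed native host manifest actually lists them in `allowed_origins`. The function names, the `com.example.helper` host and the sample profile are constructed for illustration; native host manifest directories are passed in by the caller because their location depends on the OS (on Windows, hosts are registered in the registry instead).

```python
import json
import tempfile
from pathlib import Path

def extensions_with_native_reach(profile_dir, host_dirs):
    """Map extension id -> native hosts allowing it, for nativeMessaging extensions."""
    # Collect every native host manifest and the origins it allows.
    hosts = []
    for host_dir in host_dirs:
        for path in Path(host_dir).glob("*.json"):
            data = json.loads(path.read_text(encoding="utf-8"))
            hosts.append((data.get("name", path.stem), data.get("allowed_origins", [])))

    report = {}
    # Layout: <profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        perms = json.loads(manifest.read_text(encoding="utf-8")).get("permissions", [])
        if "nativeMessaging" not in perms:
            continue
        origin = f"chrome-extension://{ext_id}/"
        report[ext_id] = sorted(name for name, allowed in hosts if origin in allowed)
    return report

def build_sample(root):
    """Constructed sample data: one profile, three extensions, one native host."""
    root = Path(root)
    exts = {
        "a" * 32: ["tabs", "nativeMessaging"],  # permission and a host installed
        "b" * 32: ["nativeMessaging"],           # permission only, no host
        "c" * 32: ["storage"],                   # no nativeMessaging at all
    }
    for ext_id, perms in exts.items():
        d = root / "Profile 1" / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "x", "permissions": perms}))
    host_dir = root / "NativeMessagingHosts"
    host_dir.mkdir()
    (host_dir / "com.example.helper.json").write_text(json.dumps({
        "name": "com.example.helper", "type": "stdio", "path": "/opt/helper",
        "allowed_origins": [f"chrome-extension://{'a' * 32}/"]}))
    return root / "Profile 1", [host_dir]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        profile, host_dirs = build_sample(tmp)
        for ext_id, names in extensions_with_native_reach(profile, host_dirs).items():
            print(ext_id, "->", names or "no native host installed")
```

An extension reported with an empty list has the permission but no native application to talk to, which is the case the answer describes as still trapped within the profile.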
