If you have a cookie that automatically signs you into Google then the keylogger extension will not be able to grab your password. It works by reading each keypress you make, so when you type in a password box, you're owned!
I don't know if Google scans for this type of malware. There are legitimate uses for the basic techniques the extension uses, and there are probably many ways for an extension to grab your data if you give it sufficient permissions. So an automated scan would be very tricky, and I don't know if Google does manual scans. According to someone who probably should know: "I am sure Google automatically screens any extension uploaded -- but the bad guys will, of course, do their best to trick automatic screening." So he doesn't know either!
The quote is from here: http://www.linuxinsider.com/story/81925.html
Facebook Notifier (https://chrome.google.com/webstore/detail/facebook-notifier/dfjbdahfeiockocfngedbadjgjncidag)
Chrome actually lets you see the code! If you turn on Developer Mode in the extensions page the ID will be shown (dfjbdahfeiockocfngedbadjgjncidag for this extension). This is the same as you see in the URL for the Web Store and can also be used as a path to the files which make up the extension.
For example, the Manifest file, which describes the extension name and its permissions, is
The bit which gives the scary message when you install it is this line in the Manifest
"permissions": [ "webRequest", "webRequestBlocking", "tabs", "http:///
The extension works by showing a "page action" badge in the address bar whenever you have a new Facebook notification. A page action is intended for extensions that add functionality to a specific website. So if you design an extension to work on youtube.com, your Manifest file would ask permission for that particular site alone and the extension's badge would appear whenever the user went to YouTube.
The Facebook Notifier developer is doing something slightly different: they allow the badge on every site but show or hide it depending on whether you have a notification. The extension code only references facebook.com, but it needs permissions on every site in order to show the badge there.
What they could have done was to have a button in the toolbar, visible all the time, and change the button (or have an overlay) when there is a new notification. This would mean the permissions could be restricted to give the extension access only to facebook.com.
It's fine for now, but the worrying thing is that it has far more permissions than it needs and can be auto-updated to include malicious code. In April last year someone pointed out in the Support section that the extension does not meet the criteria for a "page action" and that requesting access to all websites "is unnecessary and suspicious," but the developer has made no changes since then. I would choose not to install this extension.
The extensions I've written have as few permissions as possible, even when it compromises functionality. For example, my dictionary extension (linked above) opens a definition page in a new tab and has no special privileges. Other dictionary extensions show definitions in a nice popup, which is better for the user, but require the same permissions as the keylogger.
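To check the point above about an extension holding more permissions than it needs, here is an added example (not code from the original post or from the extension) that lists the host patterns in a manifest reaching beyond the sites the extension is supposed to work on. The function names and both sample manifests are constructed for illustration; the manifest keys and match patterns are Chrome's standard ones.

```javascript
// Added example (not the extension's code): flag host access in a Chrome
// extension manifest that is broader than the sites the extension needs.

// Returns "all" for a pattern covering every host, the bare host for a
// site-specific pattern, or null for an API permission such as "tabs".
function patternHost(entry) {
  if (entry === "<all_urls>") return "all";
  const m = /^(\*|https?):\/\/([^\/]+)\//.exec(entry);
  if (!m) return null;
  return m[2] === "*" ? "all" : m[2].replace(/^\*\./, "");
}

// neededDomains is the reviewer's own list of sites the extension should touch.
function auditManifest(manifest, neededDomains) {
  const entries = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),            // Manifest V3 key
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = [];
  for (const entry of entries) {
    const host = typeof entry === "string" ? patternHost(entry) : null;
    if (host === null) continue;                     // API permission, not a host
    const expected = host !== "all" &&
      neededDomains.some((d) => host === d || host.endsWith("." + d));
    if (!expected) {
      findings.push({ pattern: entry,
        reason: host === "all" ? "access to every site" : "unexpected host " + host });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical, not copied from any real extension).
const broadManifest = {
  name: "Example Notifier",
  permissions: ["webRequest", "webRequestBlocking", "tabs", "http://*/*", "https://*/*"],
};
const narrowManifest = {
  name: "Example Notifier",
  permissions: ["webRequest", "tabs", "https://*.facebook.com/*"],
};

console.log(auditManifest(broadManifest, ["facebook.com"]));   // two findings
console.log(auditManifest(narrowManifest, ["facebook.com"]));  // no findings
```

Run it with Node against the parsed `manifest.json` of an installed extension to see which patterns would trigger the all-sites install warning.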