How do I know my chrome extensions can be trusted?

(Alex) #1

Today I saw an ad for Grammarly . A spelling and grammar correction chrome extension. I wanted to install the app but stopped at the stage where I had to give certain permissions.

Following permissions were concerning for me:

  • Modify data you copy and paste
  • Read and edit all data on the websites you are visiting

(lets ignore third party site communications and notifications here)

I understand those permissions are required to enable this app to work. But what if this app had a malicious hidden agenda ?

Is there any way to know for sure this app is safe to use in combination with Nash and other crypto interactions online ?

=> feature request. Add honeypot fields and data to the DOM and monitor with the Nash chrome extension wether those fields were altered to detect Man in the middle attacks. (or whatever such attack would be called)

(Alex) #2

Additional questions: What if Grammarly gets hacked and hackers push a malicious update into the chrome marketplace. Will it auto-update to the latest version and is there a way to disallow such automatic update behaviour to prevent this ?

  • Can chrome extensions auto-update ?
(NATENEX) #3

These are general questions that you can contact google for find online yourself most of which don’t pertain to NASH. The short answer is just be smart, you shouldn’t be allowing anything to have access to your data unless you trust it. Before downloading the NASH extension make sure it is supplied by the team.

(Alex) #4

Who is Google ? I posted this in community. Would like to hear what Nash people need in order to trust a third party extension.
From Nash itself I would like to learn what they can eventually do about extensions trying to steal information revealed on the exchange.nash.io domain. I wonder for example if private keys are shielded somehow from the browsers Document Object Model.

1 Like
(NATENEX) #5

But this is unrelated to NASH specifically outside of specific discussion about the extension…everyone has their own trust policy if you are worried about extensions that request access to your info just don’t accept them unless you trust them. In addition, Google is responsible for hosting all the browser extensions so they have their own security requirements and extension listing procedures when it comes to hosting extensions; including the NASH extension.

If you are looking for info directly related to the NASH extension, do a simple search of the forum because it has been discussed regarding phishing and security; particularly here:

1 Like
(FCC) #6

Never allow a extension “all sites” access unless you absolutely trust it, it should not have access to your crypto and banking websites. In general avoid extensions at all on browsers you deal with financial transactions. I personally use all extensions only with “on click” setting.

6 Likes
(Alex) #7

Thank you. This answer was very helpful. Great tip, because I wasn’t aware of this possibility <3

(.) #8

thanks for this …it might worth adding this to some kind of ‘security tips’ section. I guess people’s knowledge of extensions can vary alot.

1 Like