Free-to-install browser tool restricts malicious or vulnerable Chrome extensions

Google Chrome users are now able to apply access policy controls to browser extensions through a new open source tool.

Dubbed ‘Chrome Galvanizer’ and now available on GitHub, the developer behind the project, Matthew “Mandatory” Bryant, describes the software as “a tool to generate Chrome enterprise policies to help users harden their browser security”.

Once installed – and also available as a hosted preview – Chrome Galvanizer allows users to set enterprise policies and rules for either blocking or allowing access to URLs for sets of Chrome extensions.


Chrome Galvanizer is available to download on GitHub, with a hosted version also offered.


Policies can be generated to restrict active extensions from accessing websites users deem sensitive, such as online banking services, email account providers, or cryptocurrency exchanges.

Acting like a type of browser security firewall, Chrome Galvanizer can prevent extensions from accessing specific websites, even if they have previously been granted permission to do so.

It is also possible to configure policies that allow extensions to access only specific whitelisted websites, rather than just blacklisting sensitive domains.
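As an added example, and not Chrome Galvanizer's own code, the following Python builds the kind of Chrome ExtensionSettings policy described above (per-extension runtime_blocked_hosts and runtime_allowed_hosts) from a list of extension IDs and sensitive hosts, and includes a simplified matcher to preview which URLs the policy would deny; the extension ID and host names are constructed, and the matcher is a model of Chrome's rules, not Chrome's implementation.

```python
"""Generate a Chrome ExtensionSettings policy that keeps chosen extensions off
sensitive hosts, and preview which URLs it would block.
Added example, not Chrome Galvanizer's code; the matcher is a simplified model."""
import json
import re
from urllib.parse import urlparse

# Chrome extension IDs are 32 characters drawn from the range a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")
# Host patterns are "[scheme]://[host][:port]" with '*' wildcards and no path.
HOST_PATTERN = re.compile(
    r"^(\*|https?|ftp|file)://(\*|(?:\*\.)?[A-Za-z0-9.-]+)(?::(\*|\d+))?$")


def build_extension_settings(extension_ids, blocked_hosts, allowed_hosts=()):
    """Return the value for the ExtensionSettings policy key, validating inputs."""
    for ext_id in extension_ids:
        if not EXT_ID.match(ext_id):
            raise ValueError(f"invalid extension id: {ext_id}")
    for pattern in (*blocked_hosts, *allowed_hosts):
        if not HOST_PATTERN.match(pattern):
            raise ValueError(f"invalid host pattern: {pattern}")
    rules = {"runtime_blocked_hosts": list(blocked_hosts)}
    if allowed_hosts:
        rules["runtime_allowed_hosts"] = list(allowed_hosts)
    return {ext_id: dict(rules) for ext_id in extension_ids}


def _matches(pattern, url):
    """Does one host pattern match the URL's scheme, host and port?"""
    scheme, host, port = HOST_PATTERN.match(pattern).groups()
    u = urlparse(url)
    u_host = (u.hostname or "").lower()
    if scheme not in ("*", u.scheme):
        return False
    if host.startswith("*."):  # "*.example.test" covers the apex and subdomains
        base = host[2:].lower()
        host_ok = u_host == base or u_host.endswith("." + base)
    else:
        host_ok = host == "*" or u_host == host.lower()
    u_port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return host_ok and (port in (None, "*") or str(u_port) == port)


def is_blocked(settings, ext_id, url):
    """True if the policy denies ext_id access to url; allowed hosts win over blocked."""
    rules = settings.get(ext_id, {})
    if any(_matches(p, url) for p in rules.get("runtime_allowed_hosts", [])):
        return False
    return any(_matches(p, url) for p in rules.get("runtime_blocked_hosts", []))


def policy_file(settings):
    """JSON body for a managed policy file (e.g. /etc/opt/chrome/policies/managed/ on Linux)."""
    return json.dumps({"ExtensionSettings": settings}, indent=2)
```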

Security extension

Speaking to The Daily Swig, Bryant said he developed the tool to add a new layer of security to the Chrome browser.

“Many people (including myself) install a bunch of various Chrome extensions that have access to all of the websites they use,” Bryant said.

“If any of these extensions get backdoored via an update or if they are vulnerable to a security issue, then you’re effectively hosed and your accounts get hacked”.


In 2018, for example, users of the MEGA Chrome extension were left at risk from a malicious doppelgänger extension.

A cyber-attacker uploaded a malicious variant of the cloud storage extension through Mega.nz’s official channel onto the Chrome Web Store. On install, the extension requested elevated permissions.

This led to the exfiltration of credentials for domains including Amazon, GitHub, Google, and various cryptocurrency wallet platforms.

“If people used this tool, then they’d be safe from another MEGA-incident happening where the extension was backdoored and the extension update dumped their cryptocurrency from their wallets on various sites,” Bryant commented.

Open access

Bryant told us that the software has been designed for use by everyone, not just those in the security community.

Chrome Galvanizer has been created with ease-of-use and utility in mind, as “it’s extremely common to have many Chrome extensions installed as well as having important sites which you’d rather not allow the extensions to be able to access,” according to Bryant.

Future development of the tool will include support for other browsers that allow extensions to be restricted via policy. Porting Galvanizer to Firefox is Bryant’s next project.

“To be honest, I’d like to see this functionality built into browsers so people don’t have to use a third-party tool to do it,” he said.
