Do Chrome extensions for one User have any access to other users?

I am trying to isolate any installed Google Chrome / Chromium extensions from my more private web browsing activity. My thought was to have two Chrome "Users", with more private browsing done in one, and less private browsing with extensions in the other. I want to know if this is "reasonably" (*see below) secure.

Suppose I have the following setup:

  • I set up Chrome/Chromium so that I have two "Users" (via the Chrome settings page). Call them UserAlice and UserBob.
  • UserAlice has no extensions installed.
  • UserBob has some extensions installed. When installed, some of them have permissions granted to them.

Given this scenario, the main question is:

  • Do the extensions for UserBob have any possibility of having access to even a tiny bit of the activity and content of UserAlice?
    • If "yes", then which permissions allow this cross-user access?

* By "reasonable", I mean I want to protect against the following: Suppose UserBob has a malicious extension installed that somehow can read usernames and passwords from websites that are browsed to, such as email or a bank. UserAlice browses to email and banking websites. "Reasonably secure" means that UserAlice's username and passwords, email, banking, etc. cannot be accessed by any of the malicious extensions installed by UserBob.


Solution 1:

Short answer: As long as you install a Chrome extension from the Chrome Web Store and do not explicitly install a separate standalone binary, then the extension is, by default, trapped within the browser profile and cannot access or modify other Chrome users. To say that there is "no filesystem protection in place" is inaccurate, as Chrome has never supported XUL-type extensions.


I'll address the two ways the other answer mentions as routes an extension can leverage to escape the confinement of a browser profile and access other parts of the filesystem, plus an extra. The first is through the nativeMessaging WebExtension permission, the second through triggering a file dialog, and the third is through the isAllowedFileSchemeAccess API. None are automatic (background or otherwise) and all require the user to explicitly agree to such access.

1) A WebExtension using the nativeMessaging permission cannot pull in the privileged native application on its own. Until the user explicitly decides to install the native application, the WebExtension is trapped within the browser profile it was installed in.

From the other answer, "[i]f any ... extensio[n] require[s] administrator access to install" then said software comprises more than just a pure Chrome extension, e.g., the extension taps into a standalone nativeMessaging client installed outside of Chrome, and by installing the external client (outside of Chrome) one might as well have installed a system-wide standalone keylogger binary that affects much more than just the browser. Game over, but the user's fault, since s/he has overridden the security provided by the browser.

2) From the other answer: "I was ... able to launch a portable copy of Firefox in which I installed an sqlite browser ... and browse to my old profile and see my history." File dialogs require explicit user interaction, hence this is not a security bug. If the user explicitly loads files into the browser profile for the extension to manipulate, then the user has expressed his/her agreement to having their data shared with the extension. Otherwise, the extension can do nothing but hope for the user to select a file in the Open File dialog, which the user (recalling the profile is meant to trap potentially untrustworthy extensions) can simply close.

3) The isAllowedFileSchemeAccess API on Chrome allows read-only access to the filesystem via the file:// protocol. However, "a user must explicitly permit this behavior for a given extension through the Chrome preferences pane in chrome://extensions" and as of early 2017 only 55 extensions on the CWS ask for it. (Source: Mozilla Wiki) Not only is the likelihood of encountering an extension abusing this privilege to snoop into the filesystem highly unlikely, but the privilege also requires that the user manually grants it to a browser extension.


Using separate browser profiles to isolate potentially dangerous extensions is more than good enough, as separate OS-level user accounts are overkill, unless one is defending against zero-day browser exploits that completely trash Chrome's WebExtension API permission model, in which case VM-level protections are in order. If we're playing with software that leverages exploits, then OS-level user accounts provide insufficient protection as we are now toying with malware.

Chrome Apps are an entirely different kettle of fish since they enjoy more permissions than standard Chrome extensions, but they are a deprecated technology and, more importantly, outside the scope of the OP's question since it asks about Chrome extensions. Thus, Chrome Apps are not covered in this answer.

In conclusion, a Chrome extension cannot jump across browser profiles unless 1) the user has manually installed a standalone executable external to Chrome, in which case all bets are off; 2) the user selects a file in a file open dialog generated by an extension, in which case the user has explicitly granted the extension permission for arbitrary file access; or 3) the user manually ticks a box in chrome://extensions that extensions cannot themselves modify.
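An added audit sketch for the routes listed in the answer above (not part of the original answer or of Chrome itself): it walks a Chrome user data directory, assumed to be laid out as `<profile>/Extensions/<id>/<version>/manifest.json`, and reports per profile which extensions request `nativeMessaging` or host patterns that cover `file://`. The function names, the route labels and the sample extension ids are constructed for this example.

```python
import json
import tempfile
from pathlib import Path

# Manifest keys that can carry API permissions or host match patterns (MV2 and MV3).
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def classify(manifest: dict) -> set:
    """Return which of the answer's profile-escape routes a manifest asks for."""
    requested = [p for key in PERMISSION_KEYS for p in manifest.get(key, [])
                 if isinstance(p, str)]
    routes = {"nativeMessaging"} if "nativeMessaging" in requested else set()
    # Only file:// patterns and <all_urls> cover the file scheme, and the user
    # must still enable file URL access for the extension in chrome://extensions.
    if any(p == "<all_urls>" or p.startswith("file://") for p in requested):
        routes.add("file-scheme-eligible")
    return routes

def audit_user_data_dir(user_data_dir) -> dict:
    """Map (profile, extension id) -> routes, over every installed version."""
    findings = {}
    for manifest_path in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        profile, ext_id = manifest_path.parts[-5], manifest_path.parts[-3]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip instead of crashing
        routes = classify(manifest)
        if routes:
            findings.setdefault((profile, ext_id), set()).update(routes)
    return findings

def build_demo_tree(root) -> Path:
    """Constructed sample data: two profiles with made-up extension ids."""
    samples = {
        ("Default", "a" * 32): {"permissions": ["storage"]},
        ("Profile 1", "b" * 32): {"permissions": ["nativeMessaging", "tabs"]},
        ("Profile 1", "c" * 32): {"permissions": ["file:///*", "activeTab"]},
    }
    for (profile, ext_id), manifest in samples.items():
        ext_dir = Path(root) / profile / "Extensions" / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_user_data_dir(build_demo_tree(tmp)))
```

A `nativeMessaging` finding only matters once a matching native host has been installed outside the browser, and a `file-scheme-eligible` finding only once the user has enabled file URL access for that extension.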

Solution 2:

As long as these users are fully separate users within Windows, rather than simply being separate profiles within Chrome, and also as long as neither user has administrator rights then their extensions and data should be completely separate and one user will not be able to access the data of the other user.

Chrome gets installed into the Program Files directory. This directory is not world writable and users must store their personal data in their own C:\Users\myProfile directory. When Chrome is run with Alice logged in it will create a profile somewhere under C:\Users\Alice\appdata and when Bob runs Chrome then a new profile will be created under C:\Users\Bob\appdata.

These Chrome profiles will store extensions for that user, their bookmarks and caches. It is Windows itself and the filesystem permissions that determine if one user can access the data of another user. By default a non-administrator user will not be able to access the data of any other user.

If any of those extensions required administrator access to install then it is entirely possible for them to have changed filesystem permissions or installed an administrative helper service or even outright copy the user profile of another user. Note that after this initial install the extension would lose the ability to change permissions or see the other user profile except in the case where it installed an admin helper service.

Outside of Alice explicitly giving access to Bob, or Bob managing to get the administrator to allow the installation of an add-on that requires installation outside of the Chrome user profile, then Bob should not be able to access Alice's data.

If either Bob or Alice is an administrator then they will both have nearly free access to the other user's data.

Of course there are alternative scenarios where Bob compromises the machine and manages to install a rootkit using known system vulnerabilities, but that's a story for another day...


I missed the part in your question where you mentioned that these are profiles within Chrome rather than Windows and I would have to say that it is entirely possible for extensions within one Chrome profile to access data within the other profile as there is no filesystem protection in place and Chrome will not enforce any protections to prevent you accessing files between profiles as that is the job of separate users within the operating system.

As an example, I have previously used Firefox and uninstalled it. I was then able to launch a portable copy of Firefox in which I installed an sqlite browser (FF stores data in sqlite databases) and browse to my old profile and see my history. The same would almost certainly be possible in Chrome.

If you really want multiple users then you should use the operating system features rather than program features to enforce security. If Bob and Alice both share the same Windows user profile then one could simply browse the data of the other user outside of Chrome and not need the extensions at all.