How to inspect your local version of HZ+ #737
GrosPoulet started this conversation in Show and tell
Open-source review
HZ+ is an open-source extension, meaning everyone can participate in its development by fixing bugs, reporting problems, translating messages, and so on. Attempts to introduce malicious behaviour (stealing passwords, mining crypto-currencies, ...) will be quickly detected and blocked, simply because the source code is under scrutiny by the HZ+ repository owner (Oleg) and contributors (like myself).
Chrome Web Store review
From time to time, Oleg zips the whole extension folder and uploads the ZIP archive to Chrome Web Store.
A review is then performed by the store (note: more details here: https://developer.chrome.com/docs/webstore/troubleshooting/), and if the review shows no problems then HZ+ is available in the Chrome Web Store for installation (note: if you already installed it then it is updated automatically).
So every release of HZ+ is checked twice: once by open-source review on GitHub, once by the Chrome Web Store review.
But how can you be sure that the code displayed on GitHub is really the same as the one running on your computer?
Some Evil Creature 👿 may have tampered with it just before upload to the Chrome Web Store for review (though it would still have to pass review)... or maybe the Chrome Web Store itself modifies some extensions before publication?
Sounds hairy, but anyway, here is how you can check by yourself that it did not occur.
Local version versus GitHub version
open the Extensions settings
activate Developer mode; this displays the extension IDs
check that the HZ+ extension ID pccckmaobkjjboncdfnnofkonhgpceea matches the ID in the Chrome Web Store URL
open folder: C:\Users\your_user_name\AppData\Local\Google\Chrome\User Data\Default\Extensions\pccckmaobkjjboncdfnnofkonhgpceea
(note: for Edge, open folder: C:\Users\CherryPics\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\pccckmaobkjjboncdfnnofkonhgpceea)
in this folder, you can see a sub-folder whose name is the version of the extension, for instance: 1.0.174_0
This folder contains all the code (JavaScript, CSS, HTML) that makes HZ+ work.
It should be identical to the code stored on GitHub, so let's check it.
go to the HZ+ GitHub repository and download the source code of release 1.0.174: https://github.com/extesy/hoverzoom/releases/tag/1.0.174
Do NOT use the green "Code" button on the main page for the download, because you would get the latest version of the source code.
That version has not yet been released to the Chrome Web Store and will differ from version 1.0.174.
now we will compare the folder downloaded from GitHub against your local folder. I use Beyond Compare for this task; you can find it here: https://www.scootersoftware.com/download.php
(note: Beyond Compare kindly gives a 30-day trial of their excellent software :-))
launch Beyond Compare (or any similar tool) and load both folders for comparison. If you use Beyond Compare, make sure the Rules settings are correct (file sizes may differ because the encoding may differ, and timestamps are lost in the version downloaded from GitHub).
now let's see... You should have no differences among the JavaScript code files (.js) in the /js, /js/libs or /plugins folders.
you can also see that:
_ some files were removed by the Chrome Web Store (release.cmd, ...), probably because they are not needed at runtime
_ some JSON files were added by the Chrome Web Store (computed_hashes.json and verified_contents.json); they are used to check the integrity of the installed files
_ the manifest (manifest.json) is reordered (keys are now in alphabetical order), but its content remains the same. For instance, the permissions are not modified.
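If you prefer a scriptable check over a GUI diff tool, here is an added example (not code from this post or from the HoverZoom project) that applies the same rules: it ignores CRLF/BOM encoding differences, compares manifest.json structurally so the store's key reordering is not flagged, and treats the two store-added JSON files as expected. It assumes two local directories: the installed version folder (e.g. .../Extensions/pccckmaobkjjboncdfnnofkonhgpceea/1.0.174_0) and the extracted release archive.

```python
"""Compare an installed HZ+ folder with the unpacked GitHub release source.
Usage: python check_hzplus.py <installed_version_dir> <github_release_dir>
Exit code 1 means a code file changed or appeared only in the store build."""
import hashlib
import json
import sys
from pathlib import Path

# Files the Chrome Web Store adds for its own integrity checks (named in the
# post); they are expected to exist only in the installed copy.
STORE_ADDED = {"computed_hashes.json", "verified_contents.json"}
CODE_SUFFIXES = (".js", ".css", ".html", ".json")


def load_tree(root: Path) -> dict:
    """Map each relative POSIX path to its bytes (code/config files only)."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file() and p.suffix in CODE_SUFFIXES}


def digest(data: bytes) -> str:
    """SHA-256 after dropping a UTF-8 BOM and normalising CRLF to LF, so pure
    encoding differences between the two copies are not reported as changes."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return hashlib.sha256(data.replace(b"\r\n", b"\n")).hexdigest()


def same_content(name: str, local: bytes, github: bytes) -> bool:
    """JSON (e.g. manifest.json) is compared as parsed data: the store sorts
    keys alphabetically, and that must not count as a modification."""
    if name.endswith(".json"):
        try:
            return json.loads(local) == json.loads(github)
        except ValueError:  # unparsable JSON on either side is a real difference
            return False
    return digest(local) == digest(github)


def compare_trees(local: dict, github: dict) -> dict:
    """Classify files as changed, only in the store build, or only on GitHub."""
    common = local.keys() & github.keys()
    return {
        "changed": sorted(n for n in common if not same_content(n, local[n], github[n])),
        "only_local": sorted(set(local) - set(github) - STORE_ADDED),
        "only_github": sorted(set(github) - set(local)),  # e.g. build-only files
    }


if __name__ == "__main__":
    report = compare_trees(load_tree(Path(sys.argv[1])), load_tree(Path(sys.argv[2])))
    for kind, names in report.items():
        print(f"{kind}: {names or 'none'}")
    sys.exit(1 if report["changed"] or report["only_local"] else 0)
```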
Well, I hope this quick inspection session will make you feel more at ease while using HZ+ ☺️
P.S.: a good article about malware in Chrome extensions: https://kjaer.io/extension-malware/