> Chrome scrolls the permission warning message container, so more than half of the warning messages don’t even show up. I’d bet most users wouldn’t think twice about installing an extension that appears to ask for just 5 permissions.
An egregious and nearly unbelievable oversight on Google's part. :-\
As a developer, it's unimaginable to me to not test the extreme high and low numbers of input cases to ensure things look and operate as expected. Especially for a security-sensitive UI element.
The chain of humans who've been responsible for developing and testing Chrome Extension functionality and security has been asleep at the wheel this whole time, for something like 15 years.
There are so many risk-reduction controls in place; tons of red tape and umpteen security and privacy reviews required to ship even minor features or updates, yet here we are.
How many hands have been in the pot and not noticed/raised/resolved what amounts to a pretty obvious security vulnerability? And if this kind of issue can fly undetected for so long, what can organizations with drastically less resources than $GOOG do to ensure adequate velocity while not leaving the proverbial barn doors open?
The author deserves the highest tier of bug bounty reward for bringing this to light. What's that? It wasn't submitted through the proper channels to be eligible? Right.
> The chain of humans who've been responsible for developing and testing Chrome Extension functionality and security has been asleep at the wheel this whole time, for something like 15 years.
As the first in this chain of humans, I can tell you that (a) we obviously considered this in the first version of extensions and did not allow permissions "below" the fold, (b) Chrome's extension model dramatically improved on the previous state of the art which was Firefox's "every extension can do everything, extensions can't be uninstalled completely, and there's no review" [1], and (c) the install dialog is just one part in a bigger system which includes the review process.
I encourage the author to try and get this onto the store and get meaningful usage, then we can complain about how well the entire system works end to end. Examining just the install dialog alone is missing the point. I'm not even certain that an extension that requests more than 5 permissions would be approved in the first place.
I also encourage readers to remember that generally speaking, you all _want_ extensions. When Chrome didn't have them, they were the top feature request in the bug tracker. Real security is hard. If you don't solve user needs, users solve them themselves with solutions that are even worse (i.e. native code). Managing the browser extension system is a thankless, painful job of delicately balancing incentives. Extensions need to work well enough that developers don't reach for more powerful and dangerous tools, but have enough controls that the majority of malware can be controlled. It sucks. Trust me, you really don't want this job. Please spare a bit of empathy for the "chain of humans" that have had it.
> An egregious and nearly unbelievable oversight on Google's part. :-\
I agree it's egregious, but it's quite easy to believe.
It's surely just using a standard modal and passing a string. The thing is, this is on a Mac, which has scroll bars that are invisible until you scroll. It's easy to imagine testing was done on other OSes where the scroll bars are obvious and the bottom line might be only partially hidden, which makes it even clearer. And/or that testers never caught it on a Mac because they themselves never realized there were more.
I would hope somebody sees this now and prioritizes a Chromium bug for it. Because on a Mac at least, this is pretty serious.
(And I'm well aware this is a good example of a negative side effect of Apple's choice to make scroll bars visible by default only while scrolling.)
> if this kind of issue can fly undetected for so long, what can organizations with drastically less resources than $GOOG do to ensure adequate velocity while not leaving the proverbial barn doors open?
If $GOOG can't do it with practically infinite resources then I'm of the opinion that nobody can. Computing is broken.
Extensions in general are a massive security issue and it’s impossible to fix without crippling them beyond uselessness. Or maybe having approved extensions only.
This introduces an especially silly attack vector: if you expect that asking for a specific permission might alarm users, and if you can push it below the fold, just ask for more innocuous or plausible permissions than you need!
Besides the oversight of hiding some permission requests, this highlights that the order they’re presented matters too. Even if it weren’t scrollable with ~invisible indication of that, people stop reading at some point. If N lines (I’m gonna guess ~5 for most people) seem totally innocuous, the rest are probably effectively invisible.
> The chain of humans who've been responsible for developing and testing Chrome Extension functionality and security has been asleep at the wheel this whole time, for something like 15 years.
There should be liability for negligence.
If you were told about a security hole and you have not fixed it, and you have not informed your users, in months, you should pay statutory damages.
And if you lied about your app (claiming encryption where there is none) you should be liable too, even if the app is free.
Even if they were to somehow show everything up-front, it would be user-hostile design. No one wants to read and consider every possible permission prior to granting it to the thing they want to use.
Even if there were 20 items in the list, people would hit "OK"; it's like accepting terms and conditions. Most people won't read them, they're trained to hit "Agree".
The whole model needs an overhaul. Extensions should be required to ask whenever they need the specific resource, rather than asking up-front. And each gated resource should get its own prompt with its own informative design. Similar to permissions on mobile.
> An egregious and nearly unbelievable oversight on Google's part.
This describes Google's entire approach to browser extensions. It's so cosmically and hilariously bad, and because extensions grant post-decryption access, renders basically every other security and privacy effort they've ever done with web standards completely pointless.
All that garbage about encrypting everything in transit is entirely irrelevant when the endpoint is a masterpiece of bad security design.
> The author deserves the highest tier of bug bounty reward for bringing this to light. What's that? It wasn't submitted through the proper channels to be eligible? Right.
Almost the entire point of bug bounty programs is to encourage researchers to submit vulnerabilities using a proper channel and adhering to a proper procedure.
And what’s even worse, in that screenshot there’s no visible scrollbar to show there is even any additional data below the fold, or any indication that it’s a scrollable control in the first place. I can’t tell looking at it that there’s any possibility of further permissions anywhere.
There is always a balance or tradeoff between convenience and security. If you maximize security, you will have a piece of software nobody wants to use unless there is a gun pointing at their head. Not that security is unimportant, but please also keep user experience in mind when you design security.
You're giving Google way too much credit here. Do you not think they use some of these techniques here? Or that they're an endpoint for other people's usage of these techniques?
> security has been asleep at the wheel this whole time, for something like 15 years
Wait until you see what’s possible with executables!
I like this project, but I also worry that eventually we’re going to lose access to extensions entirely because people will take away the wrong message.
Safeguards are good, but at a certain point I want my devices to trust that I know what I’m doing.
My guess is this wouldn't even get close to getting through the review process for the Chrome Webstore. From our experience with Streak, this would def get picked up in review.
Seeing other comments in the thread pointing to this article as a reason why MV3 is bad I think misses the point. Personally I think MV3 is a step in the right direction (even though it negatively affects us!). But it's only one piece to make extensions more secure - the others being manual review, policy adjustments and automated scanning. Even though the APIs allow for all sorts of functionality doesn't mean you'll be able to get through the rest of checks.
My experience so far with publishing to the extension store has been that they examine both the code shipped as well as the scopes used. I've had apps rejected due to overly broad scopes and it was obvious based on the responses that the reviewer was pretty competent at JS.
The real trick isn’t publishing a new app, it’s purchasing an existing app and pushing an update with malicious code. The latter review process is more lax.
This is a spicy essay for sure but what is the author's actual point? If the user grants you permission to do all these things, then you have permission to do all these things. If you can't be trusted and abuse that permission then you are not ethical. If you aren't ethical someone will find out and your extension will be removed in the worst case and simply not approved in the common case. The author even admits as much saying this thing would never pass Google's review process in a million years. Sounds like there's no real risk here and we're mostly just enjoying the show...
I do agree about the permission UI box. Surely that's a completely simple fix on Google's part to force the user to scroll through the permissions box before accepting.
Is that solving any real problem? Will any single person actually be protected by that annoyance? The permissions already appear roughly sorted by invasiveness. Is the sixth one really going to be the one that your install decision hinges on? I mean, once you have "Read and change all your data on websites" it's game over anyway if the extension is truly malicious.
It's very early for users to not understand and for apps to ask for a bunch of permissions. One great example is Grammarly, which is a keylogger that helps users with grammar. I don't think Grammarly has bad intentions, but still, millions of users are giving it access to everything they type.
It's a tutorial to build a Chrome extension. Like, a project template. He links source code, found a privacy issue in Chrome, and the Grinch-plundering Whoville character made me laugh. That's already asking a lot for a Substack post.
> force the user to scroll through the permissions box before accepting.
Something else used to do that. Java, maybe? Whatever it was had regular enough updates that I _habitually_ drag the scroll bar directly or simply hit the end key to this day when I get to EULAs and other long modal popups.
Look, I hate MV3 as much as the next guy. I've even wasted part of my life porting a large extension to it, so I might hate it MORE than the next guy. But I don't draw any security conclusions from this article.
For every permission in your manifest you need to provide the chrome web store reviewer with a written justification for why your extension needs that permission. Even the ones that don't prompt the user. And they definitely read it, and your code.
Shipping malicious extensions is almost entirely a social engineering problem and not a technical one.
> If we’re expecting the page DOM to change often (for example, with SPAs), we certainly don’t want to miss out on any valuable data. Just set a MutationObserver to watch the entire page, and reapply listeners as needed.
The code below this text is highly inefficient and may lead to the user detecting it from the page-interactivity slowdown alone. A more efficient implementation could read input using the 'input' event[1]. For example, here[2] is how you would use the input event to detect changes to any fields in a page.
Fair point, multiple people have circled this snippet as problematic. I'll confess, I didn't spend much time testing this for performance.
My idea was that separate inputs should have separate debounced handlers, but it's likely you could do away with that and just listen for input events globally with no adverse effect on data collection.
"Let's build a Chrome extension that taps what google is already stealing."
But it isn't stealing if you clicked something somewhere sometime so "stealing" is wrong will be the PR response because people are being paid to not understand "stealing is wrong"
I'd like a fork of Chrome which removes all (or at least most of) the "features" mentioned - a browser that renders well but just doesn't support these masses of insecure features.
If you want to give 3rd parties access to all that stuff, you can run chrome. But I don't - I want the bare minimum that will run normal websites. I know that will break some pages, I'll accept that. (And that would give me a smaller & faster browser.)
Maintainer of a Chrome Extension with 10,000+ installs here. Chrome doesn't willy-nilly approve your extension. They even take down extensions that ask for permissions you do not legitimately use. The article doesn't say for how long OP was able to put his extension on the Chrome store without it being reviewed or taken down.
What's up with the tons of fresh accounts (all created 3 days ago) posting plagiarized snippets in the comments? Various snippets from news articles, Quora, etc.
I have a Chrome extension with about 1000 DAU right now [link below]. I'm getting messages to buy the whole thing out, but the buyer always fails to answer why they want to buy it. They are also open to buying any extension whatsoever. I suspect it's to open up the permission model and start stealing users' data.
One of the issues here is that the browser is prompting the user for all the permissions at install time. Both Android and iOS have moved away from that. Perhaps it is time for browsers to move away from that as well.
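Two comments in this thread make the same suggestion: grant as little as possible at install time and prompt for each permission when the feature actually needs it, as mobile platforms do. The following is an added example, not code from the thread or from Chrome, contrasting a constructed MV3 manifest that asks for everything up front (so the install dialog has more rows than fit above the fold) with a least-privilege manifest that defers grants to `chrome.permissions.request`; the `chrome` object is injected as a constructed stand-in so the flow runs outside a browser.

```javascript
// Added example, not code from the thread, from Chrome, or from any extension
// discussed here. Manifests and the fake chrome object are constructed.

// Constructed sample: everything requested up front.
const upfrontManifest = {
  manifest_version: 3,
  name: "Sample extension (constructed)",
  permissions: ["storage", "tabs", "webNavigation", "cookies",
                "history", "bookmarks", "clipboardRead"],
  host_permissions: ["<all_urls>"],
};

// Same extension, least-privilege shape: only "storage" is granted at install;
// the rest are declared optional and prompted for individually when needed.
const leastPrivilegeManifest = {
  manifest_version: 3,
  name: "Sample extension (constructed)",
  permissions: ["storage"],
  optional_permissions: ["tabs", "webNavigation", "cookies",
                         "history", "bookmarks", "clipboardRead"],
  optional_host_permissions: ["https://*/*"],
};

// Rows a user is likely to read before the install dialog starts scrolling;
// the thread's guess is about five.
const VISIBLE_ROWS = 5;

// Match patterns that cover every site, i.e. the "all your data on all
// websites" class of grant.
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*?$/.test(pattern);
}

// What the install dialog has to disclose for a manifest. This counts declared
// permissions, not warning rows: Chrome folds some permissions into one warning
// and shows none for others (e.g. "storage"), so treat it as an upper bound.
function installTimeGrants(manifest) {
  const api = manifest.permissions ?? [];
  const hosts = manifest.host_permissions ?? [];
  const total = api.length + hosts.length;
  return {
    api,
    hosts,
    broadHosts: hosts.filter(isBroadHost),
    total,
    beyondVisible: Math.max(0, total - VISIBLE_ROWS),
  };
}

// A use-time request is only valid for API permissions the manifest declared
// optional; Chrome rejects anything else. (Origins are passed through here;
// matching them against optional_host_permissions patterns is omitted.)
function declaredOptional(manifest, wanted) {
  const optApi = new Set(manifest.optional_permissions ?? []);
  const missing = (wanted.permissions ?? []).filter((p) => !optApi.has(p));
  if (missing.length) {
    throw new Error(`not declared in optional_permissions: ${missing.join(", ")}`);
  }
  return wanted;
}

// Ask for one feature's grant at the moment the feature is used. Resolves true
// only if the grant is already held or the user accepted this single prompt.
async function ensurePermission(manifest, wanted, chromeApi = globalThis.chrome) {
  const req = declaredOptional(manifest, wanted);
  if (await chromeApi.permissions.contains(req)) return true;
  return chromeApi.permissions.request(req);
}

// Constructed stand-in for chrome.permissions so the flow can be exercised
// offline; userAccepts simulates the user's answer to the prompt.
function fakeChrome(userAccepts) {
  const granted = new Set();
  return {
    granted,
    permissions: {
      contains: async ({ permissions = [] }) => permissions.every((p) => granted.has(p)),
      request: async ({ permissions = [] }) => {
        if (!userAccepts) return false;
        permissions.forEach((p) => granted.add(p));
        return true;
      },
    },
  };
}

async function demo() {
  const before = installTimeGrants(upfrontManifest);
  const after = installTimeGrants(leastPrivilegeManifest);
  console.log(`up front: ${before.total} grants, ${before.beyondVisible} past row ${VISIBLE_ROWS}, broad hosts: ${before.broadHosts}`);
  console.log(`least privilege: ${after.total} grant(s) at install`);
  const ok = await ensurePermission(leastPrivilegeManifest, { permissions: ["history"] }, fakeChrome(true));
  console.log(`history granted at use time: ${ok}`);
  return ok;
}
demo();
```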
> Without looking, can you name more than half of the extensions you have installed right now?
Sure.
uBlock Origin, Multi-containers, Temporary Containers and cookies.txt on Firefox, which I only use for specific purposes. History and all data is wiped frequently.
None on Chromium, which I always use in incognito mode. I use this daily, but don't need even uBlock on it, since I run a DNS ad blocker on my network.
And none on my main browser, Luakit, since it doesn't support extensions. :) Technically, I have some user scripts, which I've all reviewed or written myself.
Browser extensions are the number one security and privacy risk for all users, more than any OS exploits. The fact they've historically been handled so poorly, and these issues exist even today, should be terrifying.
> Just set a MutationObserver to watch the entire page, and reapply listeners as needed.
I did not know such a thing is possible. I want to make an extension which undeletes some chat messages in typical chats (usually that happens because of moderation).
Chrome has a USB interface; I'm guessing identification and ejection is required functionality for dual-mode USB devices that may present as storage devices for driver installation.
The author notes that this sort of extension would be laughed out of the review queue... but there are plugin authors who get plenty of users by putting up a website and making the plugin available directly from their site.
For example, the author of FB Purity hasn't explained to anyone why his plugin is not available via Firefox's extension store, only via his page. Presumably, he didn't meet some requirements they had...but he won't say what they were...
And this is why I welcome “control over” what I can do with my device by my OS vendor. Even though it’s mostly trivial to bypass, it still serves as a good gut check in the rare case where I might skip over my own scruples. 99% of the time if I even get this far I back out because I’ve realized by that point I was being foolishly trusting.
Given all the extensions in the store that are at some point updated with a trojan to sell your internet connection to shady people, the "review queue" is some kind of mythical beast that doesn't in practice do or achieve anything.
It would be trivial for Google to find all the extensions using that kind of crap, but they don't care.
Don't all Firefox extensions have to be signed by Mozilla in order to be installable (in non-developer Firefox editions at least) these days? Even if they're publishing it on their own site, it should have gone through the review.
> Who maintains them? Is it the same entity that maintained it when you first installed? Are you sure?
Oh yeah, got bitten hard myself on that one a couple of years back; it took Google days to respond to the extension buyer uploading a malware'd version. The worst problem is that extensions auto-update silently, so you as a user don't even have the chance to spot anything in time.
metadat | 3 years ago
<insert relevant Dildbort cartoon>
aboodman | 3 years ago
[1] https://static.googleusercontent.com/media/research.google.c...
deafpolygon | 3 years ago
> security has been asleep at the wheel this whole time, for something like 15 years
All is as intended.
jackdh | 3 years ago
"This extension would be laughed out of the review queue."
Sephr | 3 years ago
1. https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement...
2. https://gist.github.com/eligrey/615fcc9fa9edbfb5153478109b5b...
KomoD | 3 years ago
Sample of accounts: ChillNilly, LadyXaga, NerdAlerts, SuperDud, QueenBean, Moonshining, LetFree, FoxyFox22, TurkeyTurtle, LovableLily, BeingBean, CandyRandy, AdorableLama, WiseWolfie, WoozyWarrior, PenguinPeace, SunnyHorsey, SunnyMaylor, WiseSnail, ZappyHippo, FriendlyFlame, PudgyPanda, FriendlyFlame
prakhar897 | 3 years ago
link: https://github.com/prakhar897/workaround-gpt
zapstar | 3 years ago
Well done!
imiric | 3 years ago
Great article and extension! <3
NovemberWhiskey | 3 years ago
I mean, why?
codetrotter | 3 years ago
In theory it’s kind of neat.
paulpauper | 3 years ago
Stronger passwords are useless when the session is stolen, when the actual data is read and sent off.