Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.
It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
For the over 10 years that I've maintained a reasonably popular cross-browser extension, I've been collecting various monetization offers. They simply don't stop coming: https://github.com/extesy/hoverzoom/discussions/670
It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.
You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.
If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.
15 years ago this type of business was probably in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.
While assuming absolutely zero bad will on your part, I would nevertheless find it fair if you were legally on the hook for whatever happened after the sale, unless you could prove that you provided reasonable means for the users of your extension to perform their due diligence on the new owner of the extension.
This is of course easy to say in hindsight, and is absolutely a requirement that should be enforced by the extension appstore, not by individual contributors such as yourself.
And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)
- brave://flags/#brave-extension-network-blocking
You can then create custom rules to filter extension traffic under brave://settings/shields/filters
e.g.:
! Obsidian Web
*$domain=edoacekkjanmingkbkgjndndibhkegad
@@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad
- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
> Clone the GitHub repo, … build from source, update manually
I’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions m x p x r x e times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browsers or Chromium derivatives.)
This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.
An extension from a trusted, non-anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually built verbatim from the code which is open sourced.
Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?
"Don't trust Google" imo is the wrong response here. We are at the mercy of our institutions, and if they are failing us we need mechanisms to keep them in check.
> This is why I only run open source extensions that I can actually audit.
How far does your principle extend? To your web browser too? Google Chrome itself is partly but not entirely open source. Your operating system? Only Linux? Mac and Windows include closed source.
This is the safest way. You also want to disable auto update to version lock, which means using Firefox or Safari or loading unpacked if you use Chrome.
Annoyed with how the AWS console sometimes changes regions on its own, I recently decided that I need an extension to make the current region displayed prominently. After a bit of research, I found the AWS Colorful Navbar [0] extension, which does pretty much exactly what I wanted, but (understandably) requires granting it "This extension can read and change your data on sites" on `*://*.console.aws.amazon.com/*`, which I'm not willing to give to an external extension. So my solution was forking the repo [1], carefully auditing the code, and then installing it from a local clone (which they actually have a nice explanation for). Going forward, I think I'll try using this approach for all sensitive extensions.
My daughter, in grade school, uses a Chromebook at school and accesses Google Classroom through Chrome. The school has very few restrictions on extensions and when I log into her account, Chrome is littered with extensions. They are all innocuous (e.g. change cursor into cat, pets play around on your screen, etc.). However, without fail, each time I log in and go to the extension page, Chrome notifies me that one or more of the extensions was removed due to malicious activity or whatever.
I don't think that your daughter might know if say any web cam might take photos and see what she's searching if the extensions are indeed malicious.
I'd either go ahead and talk to her and remove extensions altogether and ask her to have stock/only open source extensions (yes, open source also has supply issues but it's infinitely more manageable than this), or the second option being to maybe create them yourself. I don't know about how Chrome works (I use Firefox) but one thing that you can do is if the thing is simple for your daughter, then just vibe code it and use Tampermonkey (heck, even open source it) and then audit the code written by it yourself if you want better security.
Nowadays I really just end up creating my own extensions with Tampermonkey before using any proprietary extension. With Tampermonkey, the cycle actually feels really simple (click edit, paste, etc.) and even a single glance at the code can show any security errors for basic stuff, and it's one of the few use cases of (AI?) in my opinion.
This is why I disable automatic updates. Not just for browser extensions but everything. This whole "you gotta update immediately or you're gonna get hacked" thing is a charade. If anything, if you update you'll be hacked at this point.
I have published an extension [1] that has 100k+ users and I've probably received hundreds of emails over the years asking me to sell out in one way or another. It's honestly relentless. For that reason I also only trust uBlock Origin, Bitwarden and my own extensions.
I'd also note that all this spam is via the public email address you're forced to add to your extension listing by Google. I don't think I've ever had a single legitimate email sent to it. So yeh, thanks Google.
> The only extension I trust enough to install on any browser is uBlock Origin.
Note however that the origin of uBlock Origin is that the developer Raymond Hill transferred control of the original uBlock project to someone who turned out not to be trustworthy, and thus Hill had to fork it later.
> We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.
The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
So this would require a list of decided malicious extensions or not and someone can go ahead and check through that.
To find the list of decided malicious extensions, I can imagine that a github repository where people can create issues about the lack of safety (like imagine some github repo where this case could've also been uploaded) and people could discuss and then a .txt/json file could be there in the repo which gets updated every time an extension is confirmed to be malicious.
Thoughts?
Edit: (To take initiative?) I have created a git repo with this https://github.com/SerJaimeLannister/unsafe-extensions-list but I would need some bootstrap list of malicious extensions. So I know nothing about this field and the only extension I can add is this one maybe, but maybe someone can fork this idea (who is more knowledgeable within the extension community space) or perhaps they can add entries into it.
Edit 2: Looks like qcontinuum actually has a github repo and I hadn't read the article when I wrote the comment, but it's not 1 extension but rather 287 extensions and they have mentioned all of them in their git repo.
In principle I agree with you, there is just so much crap online that it's tempting to just add this one more extension to fix something.
Looking at my own installed extensions, I have a password manager, Privacy Badger and Firefox Multi-Account Containers, which I suppose is the three I really need. Then I have one that puts the RSS icon back in the address bar, because Mozilla feels that RSS is less important than having the address bar show me special dates, and two that removes very specific things: One for cookie popups and one for removing sign in with Google.
The only one of these I feel should actually be a plugin is my password manager. Privacy management (including cookies), RSS and containers could just be baked into Firefox. All of those seems more relevant to me than AI.
Maybe adding a GreaseMonkey lite could fix the rest of my problem, using code I write and control.
My honest reaction to your comment is "What? No!".
I want to block ads, block trackers, auto-deny tracking, download videos, customize websites, keep videos playing in the background, change all instances of "car" to "cat" [1], and a whole bunch of weird stuff that probably shouldn't be included in the browser by default. Just because the browser extension system is broken it doesn't mean that extensions themselves are a problem - if anything, I wish people would install more extensions, not less.
Browser extensions have much looser security than you would think: any extension, even if it just claims to change the style of a website, can see your input type=password fields. It's ludicrous that access to those does not need its own permission!
It's hard to see how you would implement that, any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the context script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.
The concerning pattern is that the data-collecting ones actively hide what they're doing — the Similarweb-linked extensions apparently obfuscate with Base64 or AES-256 before sending.
Worth distinguishing from extensions that are genuinely client-side. A basic test: check the extension's manifest for network permissions (host_permissions). If it only requests the active tab and has no background network access, it physically cannot phone home. The inspection is 30 seconds in chrome://extensions.
The more insidious problem is that users can't easily distinguish between "this extension processes data locally" and "this extension processes data locally and also sends it somewhere." Same UI, very different behavior.
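The manifest check described above, as an added example that is not code from the thread or from any extension it mentions: it collects every host pattern an extension asks for (`host_permissions`, MV2-style host entries in `permissions`, and content-script `matches`) over two constructed manifests and reports how broad the requested site access is. The pattern list and the level names are my own assumptions.

```python
import json

# Match patterns that grant access to every site. Assumed list for this example,
# based on Chrome's documented match-pattern syntax; not taken from the thread.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests: an activeTab-only cursor changer, a site blocker that
# asks for every site plus a background worker, and an MV2 manifest that mixes
# host patterns into `permissions` the way MV2 did.
NARROW_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example cursor changer (constructed)",
    "permissions": ["activeTab", "storage"],
})
BROAD_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example site blocker (constructed)",
    "permissions": ["storage", "webNavigation"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}],
})
MV2_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example MV2 helper (constructed)",
    "permissions": ["tabs", "https://*.example.com/*"],
})


def manifest_host_scope(manifest: dict) -> dict:
    """Summarise how much site access a parsed manifest requests.

    Levels, broadest first: "all-sites", "listed-hosts", "active-tab-only",
    "no-host-access". Note that host permissions gate cross-origin reads and
    where content scripts run; they do not stop a background script from
    sending a request, so this is a triage signal, not proof of silence.
    """
    api_perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 lists host patterns inside `permissions`; split them out.
    for p in list(api_perms):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
            api_perms.discard(p)
    # Content scripts run on their `matches` even without host_permissions.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    broad = sorted(h for h in hosts if h in BROAD_PATTERNS)
    if broad:
        level = "all-sites"
    elif hosts:
        level = "listed-hosts"
    elif "activeTab" in api_perms:
        level = "active-tab-only"
    else:
        level = "no-host-access"
    return {
        "manifest_version": manifest.get("manifest_version"),
        "level": level,
        "hosts": sorted(hosts),
        "broad_patterns": broad,
        "api_permissions": sorted(api_perms),
        "has_background": "background" in manifest,
    }


def scope_from_json(text: str) -> dict:
    """Parse manifest.json text and return the same summary."""
    return manifest_host_scope(json.loads(text))


def summarize(text: str) -> str:
    """One-line, human-readable verdict for a manifest.json string."""
    s = scope_from_json(text)
    bg = "background" if s["has_background"] else "no background"
    return f'{s["level"]} ({bg}); hosts={s["hosts"] or "none"}'


if __name__ == "__main__":
    for m in (NARROW_MANIFEST, BROAD_MANIFEST, MV2_MANIFEST):
        print(json.loads(m)["name"], "->", summarize(m))
```

To run it against a real extension, point `scope_from_json` at the manifest.json inside the unpacked extension directory under the browser profile.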
I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.
Capital One just offered me $45 to install a Firefox extension. I declined, though I'm sort of tempted to get paid for getting spied on which I assume is happening anyway. And who knows, maybe I could get a couple more bucks later in the class action.
Their offers are very hard to claim - only eligible to be used in their store, only given after making a purchase in their store, among other random strings. I tried to claim the same offer but could never actually get it.
I’ve always thought that it’s crazy how so many extensions can basically read the content of the webpages you browse. I’m wondering if the research should go further: find all extensions that have URLs baked in them or hashes (of domains?), then check what they do when you visit these URLs.
Without any doubt the research could continue on this. We had many opportunities to make the scan even wider and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definite.
There are resource constraints. Those extensions try to actively detect if you are in developer mode. It took us a while to avoid such measures and we are certain we missed many extensions due to, for example, usage of a Docker container. Ideally you want to use an env as close to the real one as possible.
Without infrastructure this doesn't scale.
The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.
I still use the Little Rat extension, it shows a little notification when an extension does a network request, and lets you see quickly what type and where. It can also block requests (doesn't seem to work all the time in Brave now, even with the flag on), activate and deactivate extensions:
@qcontinuum1 appreciate this kind of research. saw your other comments and you mentioned that the team's engineering resources are scarce + saw that at the bottom of the github repo that there are links to BTC address.
curious to know:
1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research
2- if this kind of research is your primary focus?
3- if there are other ways that financial support can be provided other than through xrp or btc?
i tried to look up your profiles but wasn't able to find where you were all from, so wishing you well wherever you are in the world. :)
Thank you. We are very glad to see the discussion that the report has sparked and also glad to see the feedback on it. It means a lot to us.
> 1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research
The group is not very large and it took a few months of non-continuous work.
> 2- if this kind of research is your primary focus?
At the moment it is not very clear if we will do followup on this topic or not as explained in different comment. At the moment yes, the group is new.
> 3- if there are other ways that financial support can be provided other than through xrp or btc?
No, at the moment. We would like to remain anonymous, at least for now.
It's interesting to see this surface again. As someone currently looking into building extensions, the permission granularity has always felt like a double-edged sword. Even with Manifest V3 limiting some capabilities, the 'read and change all your data on the websites you visit' permission is still necessary for many legitimate tools, but it requires so much trust from the user. I wonder if a more granular, per-domain permission model (like mobile apps) would be feasible for the Chrome team to implement without breaking UX.
Using the below page you can check your extensions, select all your extensions on chrome://extensions/ (everything on the page, it will filter it out IDs) and it will check if any IDs match.
The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.
We focus a lot on blocking data collection and spyware.. but not enough about what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.
It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website, and then the installed extension autoupdates without an option to turn it off.
I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch the Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn the "Install" button into a "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?
be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?
If not, I wouldn't touch them with a 10000ft pole.
Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t enforce it to not obfuscate the network requests though (you’d have to make extensions non-Turing complete).
You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have a readable source code, for example.
Stylus is a good alternative to Stylish. I keep my extensions to a minimum, and I turn off the ones I don't need until I need to use them. The only extensions I have turned on all the time are uBlock, Humble New Tab Page, and Stylus.
If someone would like to replicate, a good approach would be to reduce the cost by removing a full-chromium engine. I doubt these extensions are trying to do environment detection and won’t run under (for eg) JSDOM+Bun with a Chrome API shim.
That can't be true, right? I mean, Google broke Adblockers in Chrome to prevent this very issue. And it had absolutely nothing to do with Google's Ad business.
So it's completely impossible that such malicious extensions still exist.
Extensions have too many security risks for me. At this point I'd rather just vibe code my own extension than trust something with so much access and unpredictable ownership.
>Before installing, make each user click a checkbox what access the extension has
However, as I've seen on Android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update has automatically taken place and new code is installed.)
Here are the two solutions I have, neither is perfect:
>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.
>Let updates automatically happen, but leaves you open to remote, unapproved installs.
I'd assumed most people would have jumped ship to Stylus [1] after that, but most people probably never heard anything about what Stylish was/is doing.
I guess I shouldn't be surprised at how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims.
I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)
Play Store pages for all 3 list strong assurances about how the developer declares no data is being sold to third parties, or collected unrelated to the item's core functionality.
My open question to Google is: What consequences will these developers face for lying to you and your users, and why should I have any faith at all in those declarations?
Nobody is going to even do anything about SimilarWeb for pulling this off?
My understanding from the article is that they're actively behind this.
When I was the CTO in a previous role, SimilarWeb approached us. I read through the code snippet they gave us to inject onto our site. It was a sophisticated piece of borderline spyware that didn't care about anyone in the entire line of sight - including us. They not only were very persistent, they also had a fight with our management - for refusing to use their snippet. They wanted our data so bad (we had very high traffic at the time). All we wanted was decent analytics for reporting to senior management and Google had just fucked up with their GA4 migration practices. I switched them to Plausible.io and never looked back. It was the least I could do, we had to trade-off so many data points in comparison to GA, but still works flawlessly till date. Fuck SimilarWeb.
I don't really understand the complaint here. It seems for most of those extensions have it in their literal purpose to send the active URL and get additional information back, for doing something locally with it.
And why does this site have no scrollbar?? WTF, is web design finally that broken?
We beg to differ. Consider for example "BlockSite Block Websites and Stay Focused": why would you need to send browsing data to a remote server if your job is only to block selected domains?
deanc|19 days ago
extesy|19 days ago
RupertSalt|19 days ago
qcontinuum1|19 days ago
gilrain|19 days ago
Rygian|19 days ago
gnl|19 days ago
- https://github.com/beaufortfrancois/extensions-update-notifi...
no-name-here|19 days ago
dotancohen|19 days ago
singularfutur|19 days ago
mixedbit|19 days ago
randunel|19 days ago
cachius|19 days ago
Rebuff5007|19 days ago
lapcat|19 days ago
bennydog224|19 days ago
unknown|19 days ago
smithza|19 days ago
[0] https://research.swtch.com/xz-timeline
Angostura|19 days ago
lofaszvanitt|19 days ago
falcor84|19 days ago
[0] https://chromewebstore.google.com/detail/aws-colorful-navbar...
[1] https://github.com/nalbam/aws-navbar-extension
kwar13|19 days ago
https://kaveh.page/snippets/chrome-extensions-source-code
Even a tiny extension like this one I wrote with 2k users gets buyout offers all the time to turn it into malware: https://chromewebstore.google.com/detail/one-click-image-sav...
giarc|19 days ago
Imustaskforhelp|19 days ago
ravenstine|19 days ago
leptons|19 days ago
matheusmoreira|19 days ago
The only extension I trust enough to install on any browser is uBlock Origin.
mcjiggerlog|19 days ago
[1] https://chromewebstore.google.com/detail/old-reddit-redirect...
lapcat|19 days ago
stevekemp|19 days ago
I used to have tree-style tab, but now firefox has got native support for vertical tabs so I don't need to install anything extra.
Installing new extensions is sometimes appealing, but the risk is just too high.
l72|19 days ago
cess11|19 days ago
GuestFAUniverse|19 days ago
Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.
chrisjj|19 days ago
Assume they did.
And the question becomes "Why didn't they come clean?" ... and much easier to answer.
lapcat|19 days ago
bell-cot|19 days ago
georgehill|19 days ago
Imustaskforhelp|19 days ago
https://github.com/qcontinuum1/spying-extensions
So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?
precompute|19 days ago
Chris2048|19 days ago
baggachipz|19 days ago
james-bcn|19 days ago
cebert|19 days ago
mrweasel|19 days ago
probably_wrong|19 days ago
[1] https://xkcd.com/1288/
pphysch|19 days ago
the_gipsy|19 days ago
Pepperidge farm remembers.
mentalgear|19 days ago
sebzim4500|19 days ago
drdec|19 days ago
revicon|19 days ago
revicon|19 days ago
legitimate_key|13 days ago
Pacers31Colts18|19 days ago
drdec|19 days ago
ghtbircshotbe|19 days ago
https://addons.mozilla.org/en-US/firefox/addon/wikibuy-for-f...
soared|19 days ago
welanes|19 days ago
1. Go to chrome://extensions and toggle Developer mode on (so IDs are visible)
2. Select all text on the page with your mouse and copy
3. Paste it into the tool
It parses the IDs and warns you if any are among the 287 spyware extensions.
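The ID-matching step of the tool described in this post and of the earlier "select everything on chrome://extensions" page, as an added example that is not either tool's own code: it pulls extension IDs out of pasted page text, loads a blocklist file, and reports which installed IDs match. The pasted text, the blocklist and every ID in them are constructed for the example, not real indicators.

```python
import re

# A Chrome extension ID is 32 characters drawn only from the letters a-p.
# Word boundaries keep the pattern from matching inside longer tokens.
EXTENSION_ID_RE = re.compile(r"\b[a-p]{32}\b")

# Constructed imitation of text copied from chrome://extensions with
# Developer mode on (the "ID:" lines are what matters; the rest is UI chrome).
SAMPLE_PASTE = """\
Extensions
Developer mode
Example Cursor Changer 1.4.2
ID: abcdefghijklmnopabcdefghijklmnop
Inspect views service worker
Details Remove
Some Site Blocker 2.0.1
ID: ponmlkjihgfedcbaponmlkjihgfedcba
Details Remove
Example Cursor Changer 1.4.2
ID: abcdefghijklmnopabcdefghijklmnop
"""

# Constructed blocklist: one ID per line, '#' starts a comment. The malformed
# line shows that junk is skipped rather than silently treated as an ID.
SAMPLE_BLOCKLIST = """\
# constructed blocklist for the example
ponmlkjihgfedcbaponmlkjihgfedcba   # Some Site Blocker (constructed entry)
not-a-valid-id
"""


def extract_extension_ids(pasted_text: str) -> list:
    """Return the unique extension IDs in the pasted text, in first-seen order."""
    seen = []
    for match in EXTENSION_ID_RE.finditer(pasted_text.lower()):
        ext_id = match.group(0)
        if ext_id not in seen:
            seen.append(ext_id)
    return seen


def load_blocklist(text: str) -> set:
    """Parse a blocklist: strip comments and blanks, keep only well-formed IDs."""
    ids = set()
    for line in text.splitlines():
        candidate = line.split("#", 1)[0].strip().lower()
        if EXTENSION_ID_RE.fullmatch(candidate):
            ids.add(candidate)
    return ids


def check_installed(pasted_text: str, blocklist_text: str) -> dict:
    """Compare the IDs found in the paste against the blocklist."""
    installed = extract_extension_ids(pasted_text)
    blocked = load_blocklist(blocklist_text)
    flagged = [ext_id for ext_id in installed if ext_id in blocked]
    return {"installed": installed, "flagged": flagged, "blocklist_size": len(blocked)}


if __name__ == "__main__":
    result = check_installed(SAMPLE_PASTE, SAMPLE_BLOCKLIST)
    print(f'{len(result["installed"])} installed, {len(result["flagged"])} flagged')
    for ext_id in result["flagged"]:
        print("  flagged:", ext_id)
```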
ianhawes|19 days ago
baby|19 days ago
qcontinuum1|19 days ago
mickelsen|17 days ago
https://github.com/dnakov/little-rat
There's also this site that I've used from time to time to audit extensions quickly:
https://chrome-stats.com/
heavenlyfather|19 days ago
Curious to know: 1- How large is your team, and how long did this research take? It is very thorough, and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research. 2- Is this kind of research your primary focus? 3- Are there other ways that financial support can be provided other than through XRP or BTC?
I tried to look up your profiles but wasn't able to find where you were all from, so wishing you well wherever you are in the world. :)
qcontinuum1|19 days ago
> 1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research
The group is not very large and it took a few months of non-continuous work.
> 2- if this kind of research is your primary focus?
At the moment it is not very clear if we will do followup on this topic or not as explained in different comment. At the moment yes, the group is new.
> 3- if there are other ways that financial support can be provided other than through xrp or btc?
No, at the moment. We would like to remain anonymous, at least for now.
PaperBanana|19 days ago
molticrystal|19 days ago
https://output.jsbin.com/gihukasezo/
or
https://jsfiddle.net/9kLsv3xm/latest/
or
https://pastebin.com/Sa8RmzcE
singularity2001|19 days ago
bittercynic|19 days ago
nanobuilds|19 days ago
We focus a lot on blocking data collection and spyware, but not enough on what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.
Grom_PE|19 days ago
I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
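As an added example (not the commenter's patch or tooling) of the "download the .crx, then look inside" step above: a Python function that strips the CRX container header from a downloaded file and returns the embedded ZIP, for both the CRX2 layout (public key and signature lengths) and the CRX3 layout (a length-prefixed protobuf header). It only locates the archive; it does not verify the header's signatures. The sample CRX3 blob is constructed in memory with a dummy header so the example runs offline.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_to_zip(data: bytes) -> bytes:
    """Return the ZIP payload inside a CRX2 or CRX3 container (header not verified)."""
    if len(data) < 12 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        # CRX2: magic, version, pubkey_len, sig_len, pubkey, signature, zip
        pk_len, sig_len = struct.unpack_from("<II", data, 8)
        start = 16 + pk_len + sig_len
    elif version == 3:
        # CRX3: magic, version, header_len, protobuf CrxFileHeader, zip
        start = 12 + struct.unpack_from("<I", data, 8)[0]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    payload = data[start:]
    if payload[:2] != b"PK":
        raise ValueError("payload does not look like a ZIP archive")
    return payload

def list_files(crx_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(crx_bytes))) as zf:
        return sorted(zf.namelist())

def read_manifest(crx_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(crx_bytes))) as zf:
        return json.loads(zf.read("manifest.json"))

def build_sample_crx3(manifest: dict) -> bytes:
    """Constructed sample: a tiny ZIP wrapped in a CRX3 container with a dummy header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// constructed sample, does nothing\n")
    dummy_header = b"\x00" * 8  # stands in for the protobuf header; it is skipped, not parsed
    return struct.pack("<4sII", CRX_MAGIC, 3, len(dummy_header)) + dummy_header + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_crx3({"manifest_version": 3, "name": "Sample"})
    print(list_files(sample), read_manifest(sample)["name"])
```

For a real download, read the file bytes, write `crx_to_zip(data)` to a .zip, unpack it, and review the code before loading it unpacked.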
coldtea|19 days ago
be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?
be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?
If not, I wouldn't touch them with a 10000ft pole.
notpushkin|19 days ago
Yes. Not usually user-controllable though.
> be forced to have a clear non-obfuscated feed
Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t enforce it to not obfuscate the network requests though (you’d have to make extensions non-Turing complete).
You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have a readable source code, for example.
nipperkinfeet|19 days ago
captn3m0|19 days ago
hannob|19 days ago
So it's completely impossible that such malicious extensions still exist.
(may contain sarcasm)
hackinthebochs|19 days ago
ArcaneMoose|19 days ago
PlatoIsADisease|19 days ago
>Before installing, make each user click a checkbox what access the extension has
However, as I've seen on Android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update has automatically taken place and new code is installed.)
Here are the two solutions I have, neither are perfect:
>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.
>Let updates automatically happen, but leaves you open to remote, unapproved installs.
endsandmeans|19 days ago
insin|19 days ago
https://news.ycombinator.com/item?id=17447816
I'd assumed most people would have jumped ship to Stylus [1] after that, but most people probably never heard anything about what Stylish was/is doing.
[1] https://chromewebstore.google.com/detail/stylus/clngdbkpkpee...
fusslo|19 days ago
I guess I shouldn't be surprised by how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims.
I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)
Cyuonut|19 days ago
herf|19 days ago
nkmnz|19 days ago
bennydog224|19 days ago
rkagerer|19 days ago
Play Store pages for all 3 list strong assurances about how the developer declares no data is being sold to third parties, or collected unrelated to the item's core functionality.
Brave Web browser (runapps.org) https://chromewebstore.google.com/detail/mmfmakmndejojblgcee...
Handbrake Video Converter (runapps.org) https://chromewebstore.google.com/detail/gmdmkobghhnhmipbppl...
JustParty: Watch Netflix with Friends (JustParty.io) https://chromewebstore.google.com/detail/nhhchicejoohhbnhjpa...
My open question to Google is: What consequences will these developers face for lying to you and your users, and why should I have any faith at all in those declarations?
bittercucumber|19 days ago
qcontinuum1|19 days ago
neya|19 days ago
When I was the CTO in a previous role, SimilarWeb approached us. I read through the code snippet they gave us to inject onto our site. It was a sophisticated piece of borderline spyware that didn't care about anyone in the entire line of sight - including us. They not only were very persistent, they also had a fight with our management - for refusing to use their snippet. They wanted our data so bad (we had very high traffic at the time). All we wanted was decent analytics for reporting to senior management and Google had just fucked up with their GA4 migration practices. I switched them to Plausible.io and never looked back. It was the least I could do, we had to trade-off so many data points in comparison to GA, but still works flawlessly till date. Fuck SimilarWeb.
ubermonkey|19 days ago
kgwxd|19 days ago
wormpilled|19 days ago
chenmx|19 days ago
[deleted]
felishiagreen12|19 days ago
[deleted]
adilblati3|18 days ago
[deleted]
croes|19 days ago
No need for such complicated attacks /s
jerrygoyal|19 days ago
[deleted]
nekusar|19 days ago
Chrome/Google/Alphabet is spying on 100% of their users.
Quit using Alphabet stuff, and your exploitation factor goes down a LOT.
PurpleRamen|19 days ago
And why does this site have no scrollbar?? WTF, is web design finally that broken?
moebrowne|19 days ago
Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:
qcontinuum1|19 days ago