Chrome extensions spying on 37M users' browsing data

(qcontinuum.substack.com)

109 points | by qcontinuum1 3 hours ago

16 comments

  • deanc 25 minutes ago
    Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.

    It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.

  • singularfutur 37 minutes ago
    This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.
    • mixedbit 22 minutes ago
      An extension from a trusted, non-anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually built verbatim from the code which is open sourced.
    • randunel 29 minutes ago
      How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?
      • endsandmeans 18 minutes ago
        I agree but let me play the devil's advocate. I'll channel Stallman:

        Same argument can be applied to all closed source software.

        In the end it's about who you trust and who needs to be verified and that is relative, subjective, and contextual... always.

        So unless you can read the source code and compile yourself on a system you built on an OS you also built from source on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public perceptions.

      • nickjj 11 minutes ago
        > How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

        Extensions are local files on disk. After installing it, you can audit it locally.

        I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.

        On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.

        Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.
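
A way to do the diff described above, as an added example that is not code from the thread: hash every file in the installed extension (an unpacked directory, or a Firefox .xpi read in place as a zip) and in a checkout of the published source, then report files that were added, removed or changed. The ignore prefixes, the sample tree and the paths are assumptions.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Paths the store's signing/build step adds, not the developer; skipped (an assumption, extend as needed).
IGNORE_PREFIXES = ("META-INF/", "_metadata/", ".git/")

def hash_dir(root: Path) -> dict:
    """Map each file under root (POSIX relative path) to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not rel.startswith(IGNORE_PREFIXES):
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def hash_xpi(xpi: Path) -> dict:
    """Same for a packaged .xpi (a zip), read in place without extracting it."""
    out = {}
    with zipfile.ZipFile(xpi) as z:
        for info in z.infolist():
            if not info.is_dir() and not info.filename.startswith(IGNORE_PREFIXES):
                out[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return out

def compare(installed: dict, source: dict) -> dict:
    """Files only in the installed package, only in the source checkout,
    and files present in both whose contents differ."""
    both = set(installed) & set(source)
    return {
        "added": sorted(set(installed) - set(source)),
        "missing": sorted(set(source) - set(installed)),
        "modified": sorted(f for f in both if installed[f] != source[f]),
    }

def demo() -> dict:
    """Constructed sample: source tree vs. an installed copy packaged as an .xpi."""
    tmp = Path(tempfile.mkdtemp())
    src, inst = tmp / "source", tmp / "installed"
    for d in (src, inst):
        (d / "js").mkdir(parents=True)
        (d / "manifest.json").write_text('{"name": "demo", "version": "1.0"}')
        (d / "js" / "background.js").write_text("console.log('ok');\n")
    (inst / "js" / "background.js").write_text("console.log('ok');\nrun();\n")  # changed
    (inst / "js" / "extra.js").write_text("// not in the repository\n")  # added
    xpi = tmp / "demo.xpi"
    with zipfile.ZipFile(xpi, "w") as z:
        for f in (p for p in inst.rglob("*") if p.is_file()):
            z.write(f, f.relative_to(inst).as_posix())
    return compare(hash_xpi(xpi), hash_dir(src))
```

A clean result is only meaningful if the source checkout is at the tag matching the installed version and the build step is reproducible; minified or bundled output will otherwise show up as "modified" for every file.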

      • insin 6 minutes ago
        CRX Viewer is handy for quickly checking what's been published:

        https://robwu.nl/crxviewer/

      • fn-mote 24 minutes ago
        This kind of nihilistic comment doesn’t do anything for me.

        There’s always a possibility of problems along the chain. You are reducing your risk not eliminating it.

  • nanobuilds 3 minutes ago
    The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.

    We focus a lot on blocking data collection and spyware.. but not enough about what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.

  • l72 8 minutes ago
    The fact that most of these are capturing query parameters:

      "u": "https://www.google.com/search?q=target",
    
    indicates that they are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.
  • GuestFAUniverse 4 minutes ago
    And why didn't one of the wealthiest companies of the world capture this themselves?

    Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.

  • matheusmoreira 51 minutes ago
    And the ones that are not will probably get bought out at some point and become malware as well.

    The only extension I trust enough to install on any browser is uBlock Origin.

    • mcjiggerlog 44 minutes ago
      I have published an extension [1] that has 100k+ users and I've probably received hundreds of emails over the years asking me to sell out in one way or another. It's honestly relentless. For that reason I also only trust uBlock Origin, Bitwarden and my own extensions.

      I'd also note that all this spam is via the public email address you're forced to add to your extension listing by Google. I don't think I've ever had a single legitimate email sent to it. So yeh, thanks Google.

      [1] https://chromewebstore.google.com/detail/old-reddit-redirect...

      • Hard_Space 38 minutes ago
        Just to say thanks for this extension, and keeping Reddit usable (at least for me).
      • rat9988 30 minutes ago
        Just curious, how much does it sell for? It gives an idea about how much my personal data is worth.
        • mcjiggerlog 18 minutes ago
          I was just having a quick search and the only email I can find that offered a price range up front was for $0.1-0.4 per user, and that was from 2023. So I assume up to a dollar per user these days?
          • xnorswap 14 minutes ago
            I imagine it must be very tempting to take that bag while old reddit is still usable.

            Thank you for not doing so.

            • mcjiggerlog 8 minutes ago
              No, fortunately in my case it's not tempting at all.

              It's easy to see how many people in less advantaged positions would end up selling out, though.

  • endsandmeans 25 minutes ago
    Most of them jump out as immediately dodgy -- except Stylish. That is the only one I've ever used on the list but it's been several years.
    • fusslo 0 minutes ago
      "zoom", "LibreOffice Editor", "Enhanced Image Viewer", "Video Downloader PLUS"

      I guess I shouldn't be surprised by how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims.

      I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)

    • Cyuonut 0 minutes ago
      Stylish was sold in 2016, and has had spyware from at least 2018 on.
  • hackinthebochs 40 minutes ago
    Load extensions in developer mode so they can't silently install malware on you
  • Pacers31Colts18 42 minutes ago
    I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.
  • lapcat 6 minutes ago
    > We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.

    The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
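
The detection heuristic in the quoted pipeline, as an added example (not the article's or the thread's code): the harness loads probe URLs of known lengths, the proxy records every outbound request, and a destination whose request size grows with the probe URL length is flagged. The log format, the hosts and the sample lines are constructed for this example.

```python
import math
import re
from collections import defaultdict

LINE = re.compile(r"probe_len=(\d+) host=(\S+) bytes=(\d+)")

# Constructed proxy log: one outbound request per line, tagged with the length of the probe URL loaded at the time.
LOG = """\
probe_len=40 host=www.example.com bytes=512
probe_len=40 host=cdn.example.com bytes=2048
probe_len=40 host=collector.example.invalid bytes=118
probe_len=80 host=www.example.com bytes=498
probe_len=80 host=cdn.example.com bytes=2048
probe_len=80 host=collector.example.invalid bytes=172
probe_len=160 host=www.example.com bytes=530
probe_len=160 host=cdn.example.com bytes=2048
probe_len=160 host=collector.example.invalid bytes=279
probe_len=320 host=www.example.com bytes=505
probe_len=320 host=collector.example.invalid bytes=492
"""

def parse(log: str) -> dict:
    """Group (probe_len, request_bytes) samples by destination host."""
    samples = defaultdict(list)
    for m in LINE.finditer(log):
        samples[m.group(2)].append((int(m.group(1)), int(m.group(3))))
    return samples

def pearson(pairs) -> float:
    """Pearson r of the pairs; 0.0 when either series is constant (no signal)."""
    n = len(pairs)
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    sxx = sum((x - mx) ** 2 for x, _ in pairs)
    syy = sum((y - my) ** 2 for _, y in pairs)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in pairs)
    return sxy / math.sqrt(sxx * syy)

def suspicious_hosts(log: str, min_samples: int = 3, min_r: float = 0.9) -> list:
    """Hosts whose request size tracks the visited URL's length: a strong
    positive correlation is the signal the scanning pipeline keys on."""
    flagged = []
    for host, pairs in parse(log).items():
        if len(pairs) >= min_samples and pearson(pairs) >= min_r:
            flagged.append(host)
    return sorted(flagged)
```

Fixed-size beacons (the constant-size cdn host) and the site being visited itself are not flagged; an exfiltrator that pads or batches its uploads would need a different signal, such as correlating content rather than length.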

  • mentalgear 59 minutes ago
    Browser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission!
    • sebzim4500 52 minutes ago
      It's hard to see how you would implement that; any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the content script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.
      • throwaway0665 37 minutes ago
        Browsers break backwards compatibility for security all the time. Most recently Chrome made accessing devices on a local network require a permission. They completely changed the behavior of cookies. They break loads of things for cross origin isolation.
        • sebzim4500 32 minutes ago
          Sure, but this would break a significant portion of sign in UIs.
  • cebert 45 minutes ago
    Hopefully people will start learning that you want to install as few browser extensions as possible.
    • probably_wrong 11 minutes ago
      My honest reaction to your comment is "What? No!".

      I want to block ads, block trackers, auto-deny tracking, download videos, customize websites, keep videos playing in the background, change all instances of "car" to "cat" [1], and a whole bunch of weird stuff that probably shouldn't be included in the browser by default. Just because the browser extension system is broken it doesn't mean that extensions themselves are a problem - if anything, I wish people would install more extensions, not less.

      [1] https://xkcd.com/1288/

  • PurpleRamen 36 minutes ago
    I don't really understand the complaint here. It seems most of those extensions have it as their literal purpose to send the active URL and get additional information back, for doing something locally with it.

    And why does this site have no scrollbar?? WTF, is web design finally that broken?

    • moebrowne 4 minutes ago
      > And why does this site have no scrollbar

      Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:

          scrollbar-width: thin;
          scrollbar-color: rgb(219,219,219) rgb(255,255,255);
  • PlatoIsADisease 35 minutes ago
    My initial solution was:

    >Before installing, make each user click a checkbox what access the extension has

    However, as I've seen on Android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update has automatically taken place and new code is installed.)

    Here are the two solutions I have, neither is perfect:

    >Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.

    >Let updates automatically happen, but leaves you open to remote, unapproved installs.

  • kgwxd 40 minutes ago
    Yo dawg...
    • wormpilled 19 minutes ago
      I heard you wanted spyware in your spyware