> more often than not, the extensions are also embedding third-party scripts which are gathering all your browser traffic.
As someone who writes a lot of chrome extensions, I find that annoying, not to mention a bit insulting. Please provide the complete list of bad behaving extensions instead of implying we're mostly writing extensions to lure users into a trap.
There are so many cool things you can do with chrome extensions, which are largely unexplored yet. Actually, it reminds me of the state of javascript in the early 2000s. It was not uncommon then too to say javascript developers were only in it to write malware and javascript should be avoided as much as possible. What would the web look like today if we had listened to them?
Now, the state of chrome permissions is indeed very bad. It is very restrictive by essence (you wouldn't have that many restrictions writing a desktop app, and you could do way more harm), but it makes everything look suspicious. Do you need to access something to build a feature? Now the user, when installing the extension, will catalog all the bad things you could do with this permission.
Worst part is, the perimeter of permissions is often poorly delimited. Do you want users to be able to use an extension that enhances their experience on a website of their choice? You have to ask to be able to edit just any website. You often reach the "this extension can read all your browser history" state when you couldn't care less.
I would gladly pay google to review my extension code and mark it as trusted. The confusion between good and bad developers must stop.
The problem with appending a list to this article is that this issue is presumed to be widespread[1]. Creating a long list might give the illusion of exhaustiveness when the aim of the project isn't exhaustive identification of offenders, but to demonstrate the problem clearly with strong evidence.
This at least empowers the Chrome developers to attack a defined problem, and it gives chrome users a tangible, clearly defined set of in-the-wild attacks to point to when complaining about Chrome's extension permission shortcomings. It also is an amount of work that is achievable by a small team, where an exhaustive outing would probably require the resources of a large organization.
[1] Particularly since they seem to have found evidence that these tracking companies are actively reaching out to Chrome extension developers on the dl and offering them commissions.
They can't provide a list not just because it's widespread, but because extensions can silently add this through automatic updates. Even if your extension is clean right now, and even if you wouldn't add anything like this yourself, you could sell your extension to someone a year or two down the line and the buyer could start tracking all your users' browsing with no notification to them.
I get your point, but the same argument could be made to say we should avoid having computers, or at least avoid connecting them to a network :) (any hardware or software company could be sold to bad people who will find clever ways not to be detected)
There is a trust issue here, not sure why it hits chrome extensions harder (although, I'm pretty sure the whole permissions system made people turn paranoid). We will probably need some kind of trusted party audit system to get further.
Also, the list of extensions they have should be published, IMO, even (and especially) if developers are not aware of it. This should be treated as vulnerabilities and disclosed so there's a chance to take action on it.
> It was not uncommon then too to say javascript developers were only in it to write malware and javascript should be avoided as much as possible. What would the web look like today if we had listened to them?
Nothing was ever going to prevent webpages from becoming more than a slightly uglier imitation of rich text. Without one unavoidably ubiquitous scripting language, (which, if it hadn't been javascript, would have been vbscript through Microsoft's sheer force of will) you still would have been left with proprietary embeds like flash, java applets and inevitably browser plugins, but probably written entirely in C or C++.
This is basically why I only install a few extensions from trusted developers such as Google, EFF, and uBlock. Google tracks me anyway, EFF doesn't track me and it would destroy their reputation if they chose to start tracking, and uBlock Origin is the only popular remaining adblock extension which hasn't sold out (yet).
Edit: uBlock Origin is the one that doesn't suck, uBlock is to be avoided.
The thing that worries me is extensions being able to grab my passwords. If my Lastpass extension can do it then presumably malicious extensions can too.
When it comes to Google and Data Collection just always assume the worst. Not to bash on Google, I am no hater, but it's what they make money with. Browser for free? Google Mail with 15 GB of storage? We all know their business model. Either you pay with money or with information.
I have been distrustful of many scripts for years now, call me paranoid, but if Facebook actually has the capability to track you via Facebook scripts that are executed on every site where you have the option to log in with Facebook or share via Facebook directly from the site, why would they not do it?
Google also tries to keep you logged by all means possible.
I block their Scripts, only temporarily allow if I need them, I don't keep cookies for longer than my current session except for Fastmail, I use VPN, have no DNS-Leak and WebRTC Detection turned off (last I checked you could not turn WebRTC Detection off in Chrome and the Extensions promising to do that were not working).
And that's also why I use Mozilla Firefox. Not because it's the technically better browser, but I have trust in Mozilla and their API just allows capabilities Chrome isn't capable of (that's why there is no NoScript in Chrome and no, there is no NoScript-Alternative in Chrome with the same features and capabilities, look it up).
Back when I used both Chrome and Firefox side by side, Firefox for example would turn off some Add-Ons/Extensions in Private Browsing Mode, while Chrome would not. I guess we all can grasp what most likely was the reason for it (Add-Ons/Extensions should not be able to obtain information from the user if in private browsing).
I am not saying that everyone should do it this way, I even recognize I am not the normal user and this is not for everyone, but complaining about Google because of Data Collection is like complaining about Facebook and the information they have about people while using it heavily and putting sensitive information up on it willingly. Get over it ;)
Yep, but since Google's whole business model revolves around monetizing user information, I am not surprised about this article. Google's Motto is "Data Collection for monetary purposes is not evil".
Think about Android Application Permissions for example, I am not sure whether or not you now can revoke permissions one by one on your own (think I read something about this), but for how long was this not possible?
It's also what the Platform allows the Extension Developers to do and the users not to do.
One Example? I have been disabling what Apps get access to on my Blackberry for I don't know how long. Forbid Whatsapp to have Access to the Camera? No Problem, if I want to make a photo from within Whatsapp it then says something that it isn't capable of doing so, just how it should be.
How a browser behaves in private browsing also is a browser-side issue. Whether or not the API allows extension developers to give users the functionality NoScript for example provides to its users is also a browser-side issue.
The distinction between "This concerns only the Extensions" and "this concerns only the browser itself" is not as clear and easy as you say it is, especially in this case.
Since Google is all about obtaining information and using it, I don't think they are to be trusted in developing a browser that is highly concerned with user's privacy. Everybody has to make their own decision.
So do you feel like Google Chrome as a platform is not giving you enough information about what the Google Chrome extensions are doing and not giving users enough power to act on such information?
Also about firefox from the comments in this discussion by zetafunction:
> zetafunction 5 hours ago:
> From the article:
> Are Firefox extensions any better?
> To be honest, no.
This isn't about Google's business model - which by the way isn't as terrible as you make it seem. Unless you'd like to start paying them for all their services, how exactly do you think they should make money?
I actually pay money for E-Mail for example, I think many would be happy to pay for GMail if they would offer the option of "No Ads, and we don't use your information at all", but since Google has perfected the business with information, they rather have that than get money, so... I also want to make clear: This of course is highly subjective, like I said, I have an issue with this, some don't and that is perfectly fine, the world doesn't revolve around me and as long as there are alternatives...
But Google certainly is a company solely built upon obtaining user information and using that information as efficiently as possible, that is their right, and it is my right to not approve of this, state my opinion, and use something else / block their services :)
Would you agree that the article is focusing on companies/programmers making extensions and ignoring their users' privacy, which might harm the users if they store their users information (access keys) in a database?
So, imagine if you were an elite hacker and I have an extension that I made in Google Chrome that asked for users authentication keys and I stored that in a database. Then you figured out where my database is located. If your best friend uses my chrome extension, would you suggest to your best friend to use my chrome extension?
> I block their Scripts, only temporarily allow if I need them, I don't keep cookies for longer than my current session except for Fastmail, I use VPN, have no DNS-Leak and WebRTC Detection turned off (last I checked you could not turn WebRTC Detection off in Chrome and the Extensions promising to do that were not working).
It's been possible to disable multiple webrtc routes since M42[1]. uBlock exposes this option as a checkbox in its main settings.
> And that's also why I use Mozilla Firefox. Not because it's the technically better browser, but I have trust in Mozilla and their API just allows capabilities Chrome isn't capable of (that's why there is no NoScript in Chrome and no, there is no NoScript-Alternative in Chrome with the same features and capabilities, look it up).
The only thing Chrome/Chromium cannot block are inline script tags[2]. Inline script tags should apparently be considered cosmetic filtering according to [2].
Other than the above exception you can get pretty close to blocking everything you could in Firefox with uBlock[3]/uMatrix[4]. Unless you're referring to something else? With uMatrix you can get basically the same granularity that you can with NoScript just in a much nicer looking interface (which is available for Firefox now as well).
> Back when I used both Chrome and Firefox side by side, Firefox for example would turn off some Add-Ons/Extensions in Private Browsing Mode, while Chrome would not. I guess we all can grasp what most likely was the reason for it (Add-Ons/Extensions should not be able to obtain information from the user if in private browsing).
Chrome extensions will by default NOT be allowed in incognito mode. I don't know what you observed but you must have explicitly allowed this behavior.
>We all know their business model. Either you pay with money or with information.
That isn't actually their business model. They make money from people paying for ads not information. I've got friends in marketing and they'd love Google to sell them say a list of email address of high net worth investors which Google probably knows but they won't do that. They will let you pay to run ads aimed at certain groups but that's a different thing.
Agreed, but additionally to "one-time revenue" versus "ongoing annuity stream":
a) Acceptance, Image
The fact that they don't sell is the reason why many don't mind it as much. "So their automatic algorithms look for some key words in my mail and searches to target ads, I get better ads, they get money for clicks, what's the problem?"
Selling it would be a whole different story
b) Once you sold out, what then?
I guess that selling to thousands of companies you lose control over your information. x-many companies have lists of high net worth investors for product category y from us; how to guarantee this information does not get out? Will be given to other companies/people? Will it be correctly used? How can we guarantee those x-many companies are storing that information securely? I can think of all kinds of issues with that business model.
Agree completely with this. The tracking capability today is scary. Between Google and Facebook I've noticed some guerrilla-type ad behaviour. I'm basically done with both services now.
I would have thought that past 1,000,000 downloads you could trust the plugin but that is shown to be wrong. With Windows software I do a skim of the Wikipedia article for controversy as a sanity check but there aren't any for these extensions.
Previously I would search the apps name + some obvious terms like malware but those results are too spammy to be helpful now. Extensions are very useful, so I'd hope there'd be some reaction from Google on this.
uBlock Origin can be used to block requests made by the browser and by extensions. The logger UI allows you to inspect these requests, and the 'behind-the-scenes' keyword can be used instead of a domain to construct blocking rules.
> uBlock Origin can be used to block requests made [...] by extensions
This is no longer true for the Chromium version. There were changes in Chromium which now prevent extensions from being able to inspect/block network requests made by other extensions.
Imagine a more powerful API existed that an extension could use to control other extensions. Now the badware extensions start using the more powerful API and you're back to square one...
I'd like the ability to put an extension of my choice in a privileged mode so that it could escape such limitations. But sadly, given such feature, the usual response of asshole evil developers will be to ask users to give privileges to their extensions for "enhanced experience" or "to ensure that the extension works properly".
ActiveX awesomely enabled a popular antivirus to execute from a webpage. Or at least that's what I understood at the time, but nevertheless that's the day I switched to Firefox.
Does anyone have any knowledge about Wappalyzer? I cannot find it on this list, but it requests an inject.js on every webpage, even if the anonymous data sending is switched off in options.
It's quite a popular and valuable extension for web developers, I hope someone can explain how it works.
I read the file, it seems safe to me. It keeps track of javascript variables, and displays them in an element. There are many legit uses of injected scripts. I recommend the extension "Chrome extension source viewer", CRX viewer, to read the code without installing an extension. https://chrome.google.com/webstore/detail/chrome-extension-s...
So this is essentially the same as man in the middle attacks but you're basically saying here are all my keys. Scary. They better step up security on the extensions review process.
I've already dumped chrome/Google because it tracks everything possible about you, especially when signed in.
Have you tried using Chromium? (I still recommend Firefox though)
Chrome is basically a stable release from Google of the Chromium Browser (which in itself is an Open Source Project), as such Chrome is more tightly integrated with Google Services, Chromium should be the better choice considering not wanting to be tracked.
I think some systems (*BSD, GNU/Linux distributions) even only have Chromium available through their package systems, others possibly both.
I'm using Ghostery browser on Android now. But I'm even paranoid of Android since you are always logged in. I was trying their ext with chrome to block trackers, some large business sites, I think business insider, have over 80 items blocked.
This type of behavior is going to cause people to disable js entirely.
I don't know for sure, but there's been quite a bit of controversy about them in the last year, mainly because of their whitelisting (https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_...).
I switched to ublock origin, works well for me, others recommend ublock (there's been quite a bit of drama between the original dev who's responsible for ublock origin, and the new dev who's responsible for ublock, I can't really recommend one over the other, if you're interested you might want to do some research there)
Adblock Plus is not mentioned in the blog post, has a privacy policy and is open source. If you're worried about how it handles your data you can have a look at the code for yourself.
I feel I should hand roll my own extensions from copies of favorites that I no longer trust (dead mouse, etc). Is there a good tutorial out there for this?
The extension developers sell the right to embed arbitrary tracking code in the extension. That code puts it on a site which arbitrary users can pay to get access to. Still not worried?
To be clear, they can definitely steal cookies if the HTTPOnly flag isn't enabled. About 60% of the session cookies we see in our scans don't have it enabled. Scary.
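The kind of scan this comment refers to, as an added example in Node.js (not code from the thread or from any scanner the commenter used): it parses constructed Set-Cookie headers and reports which session cookies lack HttpOnly, Secure or SameSite. The sample headers, the name-based session heuristic and the function names are all assumptions made for the example.

```javascript
// Added example: audit Set-Cookie headers for missing protective flags.
// All sample headers below are constructed for this example.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "PHPSESSID=deadbeef; Path=/",
  "csrftoken=xyz; Path=/; Secure",
  "theme=dark; Path=/; Max-Age=31536000",
];

// Heuristic (assumption): names that usually denote a session or auth cookie.
const SESSION_NAME_HINTS = /(sess|sid|token|auth|login)/i;

// Split one Set-Cookie header into name, value and a lowercase attribute map.
// Valueless attributes (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Classify one cookie and list the flags it is missing.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const a = c.attributes;
  // A cookie with no Max-Age/Expires lives for the browser session only.
  const persistent = "max-age" in a || "expires" in a;
  const isSession = SESSION_NAME_HINTS.test(c.name) || !persistent;
  const missing = [];
  if (!a.httponly) missing.push("HttpOnly"); // page scripts can read document.cookie
  if (!a.secure) missing.push("Secure");     // sent over plain HTTP too
  if (!a.samesite) missing.push("SameSite"); // attached to cross-site requests
  return { name: c.name, isSession, missing };
}

// Summarise how many session cookies in a batch of headers lack HttpOnly.
function sessionCookieReport(headers) {
  const audits = headers.map(auditCookie).filter((r) => r.isSession);
  const withoutHttpOnly = audits.filter((r) => r.missing.includes("HttpOnly")).length;
  return {
    sessionCookies: audits.length,
    withoutHttpOnly,
    percentWithoutHttpOnly: audits.length
      ? Math.round((100 * withoutHttpOnly) / audits.length)
      : 0,
    details: audits,
  };
}

// Stand-alone run: print the report for the constructed headers.
console.log(JSON.stringify(sessionCookieReport(SAMPLE_HEADERS), null, 2));
```

One caveat worth keeping in mind when reading such a report: HttpOnly stops scripts running in the page from reading the cookie through document.cookie, but a browser extension that has been granted the cookies permission reads cookies through a separate extension API, so the flag is a defence against injected page scripts rather than against the extension itself.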
One solution I see (though not optimal), is to install only those extensions you really can't do without, and then have them disabled by default. When you need to use its function though, enable it (only for that short session), and then disable it later.
Otherwise, I have inspected many seemingly innocent extensions like JaSON and REST Console (both meant to run in their own tabs, without any need to read/modify data on sites I visit, but which nevertheless request these permissions!). I quickly noted that many other extensions request these permissions as well... So, for now, for the ones I can't uninstall, I'll just disable them, and only opt in (maybe in incognito), when I need to use them.
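The manual inspection described in this comment, and the complaint earlier in the thread that an extension must ask to edit "just any website" to enhance a single site, both come down to reading a manifest for overly broad grants. The following is an added example in Node.js, not code from the thread or from any of the extensions named in it: it audits a constructed manifest.json for catch-all host patterns and data-heavy API permissions, and shows beside it the narrower manifest that requests the same feature for one site only. The two manifests, the permission descriptions and the function names are assumptions; activeTab, optional_permissions and the match patterns are real Chrome manifest keys.

```javascript
// Added example: flag overly broad permissions in a Chrome extension manifest.
// Both manifests below are constructed for this example.

// Host patterns that grant access to every page the user visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// API permissions whose reach extends well beyond the page being enhanced.
const SENSITIVE_PERMISSIONS = {
  tabs: "can read the URL and title of every open tab",
  history: "can read the full browsing history",
  cookies: "can read cookies for permitted hosts regardless of HttpOnly",
  webRequest: "can observe every request matching its host permissions",
  webRequestBlocking: "can modify or block those requests",
  webNavigation: "can observe navigation in every tab",
};

// Constructed manifest in the "ask for everything" style.
const BROAD_MANIFEST = {
  name: "Example Site Enhancer (broad)",
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// Constructed manifest for the same feature, scoped to one site:
// activeTab grants access only to the tab the user invokes it on, and
// optional_permissions defers the site grant until the user opts in.
const NARROW_MANIFEST = {
  name: "Example Site Enhancer (narrow)",
  manifest_version: 2,
  permissions: ["activeTab", "storage"],
  optional_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["inject.js"] }],
};

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Return one finding per broad host pattern or sensitive API permission.
// optional_permissions are not flagged: the user decides on them at runtime.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 lists hosts under permissions; MV3 moves them to host_permissions.
  const hostPerms = [...perms, ...(manifest.host_permissions || [])];
  for (const p of hostPerms) {
    if (isBroadHost(p)) {
      findings.push({ where: "permissions", item: p, issue: "access to every site" });
    }
  }
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push({ where: "permissions", item: p, issue: SENSITIVE_PERMISSIONS[p] });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) {
        findings.push({
          where: "content_scripts",
          item: m,
          issue: `injects ${(cs.js || []).join(", ")} into every page`,
        });
      }
    }
  }
  return findings;
}

// Stand-alone run: compare the two constructed manifests.
for (const m of [BROAD_MANIFEST, NARROW_MANIFEST]) {
  const findings = auditManifest(m);
  console.log(`${m.name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.where}: ${f.item} - ${f.issue}`);
}
```

The narrow manifest still delivers the "enhance one site" feature, but the install-time prompt no longer claims access to every website, which is exactly the mismatch between needed and requested access that the thread complains about. The audit is a reading aid for the manual review the comment describes; it says nothing about what the scripts themselves do once loaded.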