These type of malicious offers for extensions are actually quite common. See this[0] and the discussion[1]. I try to stick with only the most popular of extensions in the hope that any malicious changes would be widespread news, but it is still a gamble.
Developers who get paid for this know what they’re doing.
Saying they don’t know is like saying a courier who delivers packages from Mexico never knew they were delivering narcotics. That defense doesn’t really hold up in court. Extension devs who do it should be banned from the store.
Developers who get paid for this know what they’re doing.
Are you sure?
Lots of developers are highly trained but poorly educated. It took at least a decade for a lot of them to catch on to the scam called "crypto" --- and some still haven't.
Mozilla reviewers do very detailed reviews. Unlike Chrome, they sometimes do manual reviews, looking for potential XSS or similar problems, and will let you know the exact line causing it. The Chrome web store is almost unmoderated though.
I recently installed Chrome and, all of a sudden, got really spooked that the AdBlock extension can see and edit everything I can see. Obvious as it is, for some reason this never occurred to me before!
I'm now routing my traffic through a PiHole via a VPN to cut down the worst ads and will probably never install another extension.
You can also use a declarative adblocker like uBlock Origin Lite [1], which only provides the browser with a list of elements to filter, but doesn't have any permissions to read content or perform requests. Or simply use your hosts file to apply OS-wide filtering with no browser add-ons needed [2].
Be aware that if you use these "passive" blocking methods, there are some sites like YouTube where you will see ads, because in these cases it's necessary to actually manipulate page content to hide them. What you can do is use a traditional adblocker but enable it only for these few sites where the declarative approach is not enough, take a look at [3] for more details.
Even worse, even if you know an extension is OK (you can audit the code: iirc the rules say the source has to be readable), it can auto-update after being acquired by a malicious actor (e.g. The Great Suspender).
For TGS I use the last known good version, as an "unpacked" extension.
I think this approach of taking ownership of the code (i.e. running the extension "manually") is the best option, aside from two critical factors: skill and effort.
(Not very much of either is needed, if you know basic JavaScript, but it's a significant "mental hurdle".)
Ublock origin is the way to go for Adblock extensions. Also, NextDNS is way more flexible than pihole since you don’t need to host anything. AdGuard DNS provides the same service. Both are priced at $20/year and its money well spent IMO. NextDNS provides 300K queries per montb for free. With cache, that should last one person for one month.
Look, either my ISP's DNS servers are a watering hole attack or the NextDNS servers I subscribe to are a watering hole attack. I've got to use someone's watering hole. Why should I trust my ISP more?
I am not the product of a free extension, whatever that means. I am a NextDNS subscriber. That makes me just as much their customer as my ISP's.
Besides, I don't know what a paying-customer relationship has to do with trust. I could just as easily be betrayed by someone I'm paying. For example, GrubHub drivers have a chronic problem of "losing" my drinks, despite being promised a tip and wages. I have to go chase refunds every day for these "mistakes". I'm a paying customer, yet I can't trust them to get my order right.
If you don't trust their DNS servers for whatever reason, you can simply add these entries to your hosts file to replicate their functionality locally.
AdGuard home or pihole does not prevent “watering hole attacks” (honestly feels like paranoia more than safety but whatever). At the end of the day, you need a DNS for non filtered sites which AdGuard home and pihole uses cloudflare by default.
It’s a DNS…you have to use one regardless of what you do. Your pihole is passing any nonfiltered and white list to cloudflare or google DNS to begin with (or worse, your ISP DNS).
Tell me, is it a sound security architecture that allows extensions like that to read and write to every web page I will ever see? Or perhaps that is a desperate hack to get'er done and there may be a safer way to implement that kind of thing?
Sure, Google wants to architect things so that ad blockers as we know them now aren't really feasible. But I think that we can conceded that Google has a good point in saying these world-read-write-anything extensions are not good for us.
Manifest v3 does not remove the ability for an extension to spy on all of your network traffic; only the part where it can block the network requests it's observing.
Besides the fact that Google doesn't stop extensions from seeing everything, there's nothing wrong with allowing extensions to do that. You should have the ability to selectively block/allow/modify content however you want before it's displayed in your browser.
The biggest issues with extensions are things like silent updates (perhaps after the developer sold their extension to a bad actor) and extensions that depend on online resources. An extension that you've verified does what it claims to and nothing else, can read/write everything, doesn't update automatically, and never sends data to random servers isn't a problem at all.
I can't have an extension remove every line that contains the string "google" if it can't see every line. It'd still have to be able to access all the content to be able to parse through it for a match.
Sure you could. The browser could have an API that says "give me a list of regexps and substitutions" and then the extension supplies that list, and the browser itself does the parsing and processing. This is flexible because the extension can specify the modifications.
It's like a pipeline in Bash. You could work with an end-user to build some patterns to match, then pass them to "grep" or "perl" for processing, and neither the user nor shell need to be privy to a file's contents.
Of course, Google doesn't want to do what Mozilla and Apple do and pay human beings to vet extension code looking for malware. They'll just claim that making ad blockers less effective is the only possible action they can take.
Mozilla claims that they review all the code, but in practice they don't. They have an automated tool that looks for certain things. If nothing is found, this is the end of the code review. If things are flagged, then a human will look at the code a little.
If you have an established extension and push an update, odds are there will be no human review of the code changes. That is how most malicious extensions happen.
Sure, Mozilla historically had less malicious extensions than Chrome. But that's for the same reason that Linux has less viruses than Windows: hackers will target the 90% of users and not waste time on the rest.
I say all this as a staunch Firefox user and maintainer of a handful of extensions.
They do seem to audit their recommended extensions[0] differently though. At least according to their FAQ, the extension can't get the recommended badge until it undergoes an actual security review.
Open question about that for me though, is after the initial review is done, do they audit the updates? Something tells me that may not be the case.
They do, I first came to know that from seeing ublock origin updates gets to other browsers first. The author then says that this is because it is Firefox recommended extension and have to go through the extensive review.
Apple does not vet extension code. They do have App Store review, but App Store reviewers are not software engineers, and they spend only a few minutes on average reviewing each submission.
Mozilla mostly doesn't review source code either, except for a small number of select, popular extensions.
This is one of the major differences between Apple's App Store rules and Google's Play Store rules. Apple has traditionally not allowed third party apps to download and execute code.
Apple doesn't trust you to write your own JavaScript engine, for instance. You have to use Apple's.
On the Play Store side, the ability to download executable code has proven to be an issue, as you mention.
> Known as Joker, this family of malicious apps has been attacking Android users since late 2016 and more recently has become one of the most common Android threats.
One of the keys to Joker’s success is its roundabout way of attack. The apps are knockoffs of legitimate apps and, when downloaded from Play or a different market, contain no malicious code other than a “dropper.” After a delay of hours or even days, the dropper, which is heavily obfuscated and contains just a few lines of code, downloads a malicious component and drops it into the app.
Just don't allow extensions that do that. An automated search for eval(), remote imports and script tags would probably catch most of these and if someone manages to hide it from the auditors, since source code needs to be available, a security researcher would find and report it eventually.
You download the source when you install the extension. It's a zip file. You can unzip it and examine it yourself. Even if the developer provides a GitHub repo, how do you know it's the same as the version in the extension store?
Maybe there's a server component too, but again how would you know that the source provided is what's actually running on the server?
The other problem is that it's not possible to request (as an extension author) or give (as a user) fine-grained permissions to extensions. You're only able to request very coarse permissions, often it's either you're giving up an insane amount of control over to extensions or the extension isn't allowed to do anything useful.
In the early days I was excited by extensions, but through the years I've come to really accept that the most important security risk on our computers is the browser, and that it is too important to risk compromise to only the most well-known, vetted extensions: e.g. ublock origin, noscript.
It seems there should be a way to allow a lot of customizability/power to these tools without actually letting the extension send data home or even see the actual data
I maintain an open source extension with just a few thousand users and have been receiving these offers every month for years. These people will eventually find someone desperate enough for money to do it, which is unnerving and a good reason to use something like pihole, as ad blockers can't inspect traffic from other extensions.
The title is inflammatory. By allowing random JS or by selling the extension, developers do spy on you. It’s like inviting a tiger into your office and then suggesting that the ensuing damage isn’t your fault.
Browser extensions won’t spy on you, if you use trusted extensions by trusted members of the community.
Yeah I came away feeling like this was clickbait. Based on the title I expected to read something about the app stores quietly injecting telemetry in your extension or something like that. Something outside of the developer's control or being done quietly by default as part of the standard packaging and delivery pipeline.
What the author described was very much not that. What they described was developers making a conscious decision to add untrusted code to their extension without properly verifying it or following security best practices.
A more accurate title would be something like "It's hard to trust browser extensions, developers are bombarded with offers of easy money and may negligently add malware/adware"
The weird things is that nobody cares about browser extensions on work machines. Companies go through all the trouble in the name of security, especially on windows, but almost nobody controls the sort of crap people, including developers, install on their browsers. Some extensions request access to everything, rendering the entire security dance moot.
In fact, some of the worst offenders are people who absolutely should know better. I only know a handful of people who have agreed with me on this. Unbelievable.
Browsers have the tools for companies to manage this. My workplace actually does restrict extensions to an annoyingly small allowlist. But I think it’s not on the radar for as many companies because the extension controls are moot if you aren’t restricting which browsers are allowed or if you don’t restrict access to corporate resources to managed devices.
Your place sounds reasonable. I presume it's mostly banks and other such enterprises handling sensitive information. My wife has has to use FF with extensions disabled. Their IT made the right choices on this one
The first ad blocking software I ever used was literally a proxy. It would start a server on the local machine and I'd point my browser's proxy settings at it. Then it would filter URLs from a blacklist. I think the company was called AdBusters back then.
that should also apply to vscode extensions and most other plugin systems. and this seems to get worse? one area where apple's strategy of copying the functionality of smaller extensions/apps makes sense security-wise..
I use Chrome for any sensitive browsing, and I only have one extension installed there: uBlock Origin. For development, I use Chrome Canary where I have dozens of extensions installed, since I don't enter any sensitive credentials into that browser. For leisure, I use Firefox where I have uBlock Origin and a few paywall circumvention extensions installed - not the safest, but I only log into pseudononymous accounts in that browser.
An extension I will never install is one that interfaces with my password manager. I've seen way too many exploits that begin with a bug in such an extension to feel comfortable with it. I prefer the security of my clipboard, where I can copy/paste from my password manager - if my clipboard is compromised then at least only one password will be stolen, and a separate exploit would be required to even know into which website I entered the password. This does leave me vulnerable to phishing, since I don't get the automated URL->password retrieval, but I've never liked that feature of password manager extensions anyway.
Nah, I've just accepted it as part of life. If my bank is already using Google Analytics, what difference does it make if Chrome juices the data a bit more? And as far as tracking what content I view, I only use that browser for work, so I actually want it to learn about me (e.g. I have Google search history enabled on that account). Any browsing for leisure, medical, political, etc. purposes, I do in Firefox where I only log into pseudononymous accounts not associated with my main email or name.
But I do disable as much Chrome telemetry as possible, including features like auto-suggest and pre-loading, and I don't "log in" to the browser with my Google account (despite the constantly changing dark patterns trying to trick me into doing that). It's not much but it's good enough.
for that, you can use ublock.
Little Rat can block any traffic originating from a chrome extension. That includes content scripts injected by extensions into webpages, but not sites that you loaded.
I see. That’s pretty good. So, now the attack surface is reduced to the extension author exfiltrating data via burner domains that aren’t blocked by ublock, but that are explicitly added to legitimate web sites.
edit, aha, downloaded the .zip manually rather than via the link, and it has the other icons now, I guess the 'ZIP' link pointing at archive/refs/main results in an older version
> Browser extensions must be open-source. If you can't find the extension's sources, you can be sure it's malware.
That's bullshit. My extensions are not malware. I sell upfront paid extensions to end users. As always, if you're not the customer, you're the product. That's the problem with all of these free extensions: they have no clear business model.
I don't recall ever receiving an offer to acquire my extensions. I'm not sure why: perhaps because they're Safari, perhaps because they're upfront paid, perhaps because the user base is smaller than free extensions, or some combination of those factors. In any case, these scammers are looking for volume, as many users as possible, because the amount of money they can make per user is small, especially compared to how much I can make per user from a direct purchase.
To be clear, I am not attacking or accusing you of anything - I am just having a conversation about trust in an environment where the vast majority of big players have demonstrated that they shouldn't be trusted.
It all comes down to trust, I think, not source code. How many of the "open source only" proponents have read and analyzed the source code? How many of them have verified that the shipping product is exactly the same as the source? Almost nobody, I suspect.
A relatively small number of people actually work on open source, even with the biggest, most popular projects. The number of eyeballs on the source is a lot smaller than you might expect.
> the vast majority of big players have demonstrated that they shouldn't be trusted
> As always, if you're not the customer, you're the product.
All too often you can be the customer and still be the product. It's great if you genuinely aren't selling out your paying users, but you're increasingly the outlier there
> That's the problem with all of these free extensions: they have no clear business model.
Not every extension needs a business model. Many exist just because someone was passionate enough about a problem to come up with a solution and they were happy to share what works for them with others. Not everything has to be about getting rich. Many of the best things aren't.
> Not every extension needs a business model. Many exist just because someone was passionate enough about a problem to come up with a solution and they were happy to share what works for them with others. Not everything has to be about getting rich. Many of the best things aren't.
True, but just as money can run out, so can passion. And everyone needs to make a living somehow.
Most of the big open source projects have corporate funding and engineers who are paid to work on them. I continue to be puzzled about how Raymond Hill, the developer of uBlock Origin, makes a living, and how he has time to continue to work on the extension. Does anyone know?
Note that even Hill's passion wanes. "The uBlock project official repository was transferred to Chris Aljoudi by original developer Raymond Hill in April 2015, due to frustration of dealing with requests." https://en.wikipedia.org/wiki/UBlock_Origin?#uBlock This is how uBlock became uBlock Origin, and Hill's trust in Aljoudi turned out to be misplaced. Open source is no savior.
More recently, Hill said this: "What would actually help is that people help to completely investigate existing issues instead of keep asking me to add yet more features. Turns out people willing to step in the code to investigate and pinpoint exactly where is an issue (or that there is no issue) is incredibly rare." https://www.reddit.com/r/uBlockOrigin/comments/i240ds/commen...
Thus, I still think a business model is important, even crucial. Without sustainable funding, the future of any software project becomes highly questionable.
It's not, though. Free extensions are most likely to sell out. Notice what the author did not say: "If you can find the extension's sources, you can be sure it's not malware."
Don't browser extensions essentially represent the failure of the browser to provide features that users want/need? I find Firefox unusable out of the box due to their failure to implement vertical tabs (in fact, it seems that Mozilla actively hates vertical tabs because they make it so hard to turn off horizontal tabs) and so I am stuck with using Sidebery, which, like most of the very useful extensions, requires "Access your data for all websites."
The best Mozilla can say about the security of their browser when using extensions (even ones that they recommend) is:
"While there is an element of risk to installing any third-party software, there are a few simple best practices you can follow to reduce it. Is the extension made by a reputable developer? Are the user ratings high?"
From: https://blog.mozilla.org/addons/2018/02/01/understanding-ext...
I don't want to rely on reputation and user ratings as these are ephemeral and easily faked. I want a browser to include necessary features out of the box and I want their code to be independently audited.
If this chaotic mess is simply because of the need to monetize I would gladly pay for a trustworthy, feature rich browser.
I mean, this seems like a "damned if you do, damned if you don't" complaint for the browser makers. Hacker News is constantly bitching that browsers are too slow, too complicated, use too much memory, the attack surface is too big, etc. Imagine how much worse that would be if they also had to support every possible use case instead of shunting a lot of that off into extensions.
Simple answer is for Firefox to come with a full set of their own extensions from which you can choose which to install at any time. No external developers.
Yeh, I don't trust Mozilla as much as I trust gorhill to deliver on a good adblocking experience, or to provide me a robust CSS edit tool like Stylus, or to add Bypass Paywall Clean which allows me to bypass most paywalled news sites. And yes, Firefox is my default and I wouldn't change that for a Chromium skin.
I don't know how to balance that conflict, but I wonder if it would be possible to have a web configurator that lets you pick the features you want and then compiles the executable.
> Don't browser extensions essentially represent the failure of the browser to provide features that users want/need?
Browser extensions can exist to fill needs which are specific to one web site (e.g. "Clickbait Remover for Youtube"), or which are so esoteric and/or ridiculous that they shouldn't be a core component of a web browser (e.g. "Cloud to Butt").
Yeah... so I absolutely agree that browser extensions are a fairly large security risk, and that many of them monetize through unethical means.
That said - The title as written is just complete bullshit.
If the developers are taking monetization offers and injecting code in response - the developers are fucking spying on you. There's not some malicious way to monetize an upstanding developer's extension.
Really - the title is bad enough I'd consider pulling this... It's just lying to get clicks.
I see the some people did not get point and thought it's a clickbate, so i've update post to explain the developer can be a bad engineer who failed to detect a scam and this is the potential problem of any extension.
You may think you can detect any scam, but scam may be targeted and complex
It's not that I didn't get the point, it's that the point is not interesting or worthy of the title.
Anyone developing software who takes cash money to inject code they have not reviewed (or worse is remotely hosted and subject to change - although at least this is getting removed with manifest v3...) is actively participating in screwing over their users.
Shoving your fingers in your ears and going "nah nah nah, I can't see it so I don't know" is bullshit. You took cash... to add code. You are actively complicit.
[0] https://github.com/extesy/hoverzoom/discussions/670
[1] https://news.ycombinator.com/item?id=37066680