Why is a browser extension required to access research papers?
There are a series of subreddits concerned with machine learning topics. In those subreddits there is an organization named CatalyzeX that is constantly promoting their browser plugin to access the latest ML papers, code, etc.
Here is one such post of theirs: https://old.reddit.com/r/LatestInML/comments/s2l10i/given_a_single_video_of_a_human_performing_an/
My question: why a browser extension? This really smells fishy, because a browser extension bypasses any browser security one may have, and has access to one's entire computer. What valid reasoning could there be to justify a browser extension for this purpose?
21 comments
[ 3.8 ms ] story [ 59.4 ms ] threadSince it's an authenticated (from their perspective) add-on, they also might do some "clever" things with the materials being offered (animations vs flat PDFs, for example)
It may also handle/verify some aspect of their support model
IIRC that one is no longer true since the advent of sandboxing (and the end of native-code extensions via NPAPI and friends), all permissions have to be granted by the user explicitly.
> What valid reasoning could there be to justify a browser extension for this purpose?
Given the permissions it asks for (access catalyzex.com, arxiv, google scholar, twitter and google) and the description, I'd guess that whenever you search for some research paper it will forward the search to catalyzex and annotate search results.
Unfortunately, the access to Google and Twitter can also be used to exfiltrate your credentials or to commit actions on your behalf there, so I'd be very careful. Too bad the Chrome extension store (unlike the Firefox extension store) does not allow you to directly download the extension to examine it, or to prevent automatic updates.
Edit: At least... I'm guessing. Regrettably the details of the bug is linking back to some internal atlassian mozilla seems to be keeping. Same with related bugs.
This is a little surprising to me, since all of mozilla's development tracking used to be on bugzilla. I hope this isn't a move to something more like Safari or Microsoft where issues vanish into an internal system with external updates ignored.
CatalyzeX appear to be just posting (or spamming depending on your point of view) interesting papers/videos to AI/ML subredits to publicise their chrome plugin (that "finds and shows implementation code for any... research papers").
The link to the paper is at the top of the post under "paper link" from that you can click through to the paper on arxiv.org
The reason its a browser extension is on the plugin page: https://chrome.google.com/webstore/detail/aiml-papers-with-c...
▶ Browse the web as usual and you'll start seeing [CODE] buttons next to papers everywhere.
(former longtime chrome engineer here)
https://chrome.google.com/webstore/detail/chrome-extension-s...
This isn't true. They don't have any access outside of the browser with that extension. Further, the list of sites that they've asked for permissions to seems vaguely reasonable. I have not actually looked at the extension code to see what they're doing, but they have only asked for permissions to the following:
Catalyze.com domains
twitter.com
arxiv.com
scholar.google.com
google.com
And unfortunately the extension security model isn't all that granular, so "Read and change your data" really just means they wanted to touch the DOM somewhere on those sites. They could be recording data, but it's more likely they wanted to add a button/link somewhere.
Lots of harmless reasons to want to do that (ex: adding a link/button) but yes, it also means they can grab the text content of the site (read your data) and change the site DOM or your text nodes (change your data).
Just because they can doesn't mean they do, though (but it also doesn't mean they don't... shrug).
Again - the problem here is there's absolutely no way to tell the browser "Hey, I don't want to see text nodes, just put this button here in the DOM".
---
I should add - they appear to have only requested www.google.com, which is usually just search. Gmail/Docs/Sheets/Suite/Other are usually under seperate subdomains - ex: gmail is mail.google.com.
Not really into this topic (extensions), but could this capability be used by an extension to create fake (invisible) login forms, grab your login data through auto-complete and send it home?
That said - at least for google, login is on accounts.google.com - so they aren't asking for that here.
Additionally, these extensions do go through review by google - something as blatant as a content_script that's phoning home with login details would ideally be caught (I develop extensions for work, but haven't tried submitting something malicious for review - so I can't really comment on whether they DO actually catch it)
[ https://old.reddit.com/r/scihub/comments/lofj0r/announcement... ]
Further details and suggested alternatives at https://old.reddit.com/r/scihub/wiki/index
Solution: don't subscribe to that Subreddit.
Why did it annoy me so much? - They would share the popular, latest papers that most people in the ML sphere would anyways come across if they follow academia twitter or ML subreddit. That is fine in itself but no, those posts would hijack the original source (mostly arxiv or respective project page) by taking you to the CatalyzeX website which is mainly designed to drive traffic to it and has all sorts of irritating design patterns. Mostly, it just felt dishonest and a blatant shadowing of the original authors' hard work to me.
- The extension lets you easily jump to the code for papers (the papers are all open-access on the web) - The extension code is not obfuscated so it's easy to check out the underlying code for yourself (just search online for how to view extension source code). We just haven't officially open-sourced it as of now as it still needs a fair bit of cleaning up and optimizing - What we're using the browser permissions for is to add code buttons in-line on the webpage(s) you're on. Permissions offered by Chromium browsers are unfortunately not more granular than what we're using to simply update the DOM.
Feedback is always welcome!