Show HN: Little Rat – Chrome extension monitors network calls of all extensions (github.com)
Hi HN
I needed a way to monitor network calls made by chrome extensions so I made a small extension.
You can install it by dropping the zip or crx into the extensions page. It'll be on the chrome store whenever/if it gets through the review.
Hopefully it's useful to others.
117 comments
[ 13.8 ms ] story [ 170 ms ] threadViolation reference ID: Yellow Zinc Violation: Description provided is insufficient to understand the functionality of the item.
I added ability to do blocking and made the "management" and "declarativeNetRequestFeedback" permissions optional, requested via a button on the popup page. While declarativeNetRequestFeedback works when you install it manually, the store version tells you the permissions are there, but chrome.declarativeNetRequest.onRuleMatchedDebug is undefined, so unfortunately, the store version can't count the number of requests. Blocking still works though, just you don't get any feedback about what's blocked. I think this is still useful to be able to block extensions, so I'll keep carrying 2 versions, 1 for the store with limited functionaly.
1: https://chrome.google.com/webstore/detail/little-rat/oiopkpa...
https://ris58h.github.io/youtube-chapters-in-player/
> This extension is not listed in the Chrome Web Store and may have been added without your knowledge. Learn more https://support.google.com/chrome_webstore/answer/2811969?vi...
0: https://github.com/dnakov/little-rat/blob/f0b9b6be39af9fe7f4...
Does anyone know an equivalent that do the same thing on Firefox?
I'll be watching this. Thanks for the project!
declarativeNetRequest.onRuleMatchedDebug is not available [1] Even though the docs say it's behind a flag [2], it's undefined.
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745773 [2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
0: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
You will be amazed at the obvious extension policy violations Mozilla is letting many of their "recommended" extensions get away with.
[1]: https://firefox-source-docs.mozilla.org/devtools-user/browse...
[2]: https://firefox-source-docs.mozilla.org/networking/http/logg...
[3]: https://firefox-source-docs.mozilla.org/devtools-user/about_...
I've reported these and several other extensions again every time they were updated in great technical detail and through various official channels, but stopped bothering when about a year and several extension updates later nothing had changed.
If you still happen to have the technical detail you sent off somewhere, that seems like it would be a great reference for starting to learn what to look for. Hell I'm sure HN would appreciate it as a submission (assuming it actually gets eyes and doesn't die in new)
I hadn't really cared about this topic, because it adds yet more cognitive overhead and I was relying on mozilla to care. Seems this faith was misplaced.
As for the extensions I listed in my older comment, as far as I remember:
- Even though the extension policy explicitly and unconditionally forbids it, they were all sending some form of telemetry to either Google or Sentry without so much as a mention or let alone having provided any sort of opt-out controls.
- Some would load and run external scripts at runtime (not limited to "just" Google Analytics/Tags stuff), none of which appeared to be nefarious in nature - when I checked them over after downloading them directly, that is. Obviously, as is the whole point behind not allowing them, the external script could simply be swapped out for something else one day, or a different one could be served depending on whether it was requested by the extension.
- One of them would occasionally advertise the author's other extensions when new or updated, either with a weird in-page popup notification or a video announcement on YouTube, which it would hijack the current tab or create and focus a new one for to show.
- Tracking parameters would be added to outgoing links by several extensions, including ones to third parties which I guess were partners/affiliates which is also forbidden.
Tangent: Funny thing is that even Firefox itself ignores a disabled "Allow Firefox to send technical and interaction data to Mozilla" setting by tacking on parameters to all of the preinstalled search engine providers' results pages, and all external pages the browser provides links to such as documentation, legal, support, and other Mozilla product pages. Perhaps no PII, but interaction data is interaction data and no is no.
Of course this isn't all, and there are more offenders besides those extensions I listed before. Just downloading the extension (from the extension page, easiest to use a different browser and "save as" since Firefox will ask to install), unpacking the XPI archive, and grepping for common telemetry service names/collection endpoints or suspicious terms like "promo" or "utm" will do it in most cases (Mozilla extension review team should try it sometime). Although let me know if you want some more pointers or details on specific extensions.
Looks like pocket tube, I see, "https://p.yousub.info/referral" mentions in the extension. I can fully comprehend Giphy's tracking code, but pocket tube's eludes me.
I have started a Github repo to try and report to report them, but I only have time for Giphy for now. [1] Plus I have not done this sort of thing before. Any pointers are very appreciated.
[1]: https://github.com/ColoursofOSINT/extensions-investigation
I am not a user, but I have some time to throw something together about it.
Giphy seems to have some compiled code in a weird .ts format (which I have not seen before, but I am a novice).
It also loads a script from https://www.google-analytics.com/analytics.js, isn't that remote code?
Also, I could not find a privacy policy, even though there is information being sent and received.
Let me know if there is anything else or more specific you'd like to know.
Thanks
Network requests initiated by other extensions in their own context are not visible to other extensions through the webRequest API.
Here the actual code of the extension is basically 2 files, one of 114 lines and the other 66. Plain js, easy to digest. Looks pretty safe.
Also, plenty of these extensions have been acquired by data firms or other sketchy places to then add your browser to botnets. If these are absolutely necessary for you, I highly recommend downloading the source and dumping it into Chrome/Edge via developer mode. At least then you know they can't update it in the background and you know what you're running.
> No wonder reddit used to go down so often...
That's uncalled for. If this were reddit I'd have a much spicier retort.
you leaving is actually part of the reason I left at the time, you were one of the few admins who regularly participated (it seemed)
Next, back in the normal browser-- Click the puzzle piece icon where your extensions icons are to the right side of the URL address bar. Click the little thumbtack next to Little Rat extension. Now it's installed and shows in the list of extension icons
A well made extension will only pop up an occasional toast. One that needs the server to work will show the toast when the user expects it to be talking to the server. One sending keypresses or other suspicious data will be really obvious.
The process is roughly the same as inspecting the UI, you basically enable remote debugging and then launch the Browser Toolbox: https://superuser.com/questions/1608096/how-to-inspect-firef...
(this is also a great way to figure out what you need to do for a user-chrome CSS file, e.g. if you want to change how tabs appear beyond just theming. though using a user-chrome CSS file is unfortunately a minor pain in the ass.)
I had to switch it to "multi-process mode" to get network requests from extensions to show up, but that broadly makes sense.
e.g. here's ublock pulling a random block list that I clicked on to test: https://i.imgur.com/wBYbBM2.png
and here's Firefox itself updating the safe-browsing list in the background: https://i.imgur.com/JYxWwjW.png
For example, even if the extension itself can't make requests, there are plenty of ways to 'trick' a webpage into making a request on your behalf when you have permissions to modify the Dom of the web page.
https://github.com/dnakov/little-rat/blob/main/popup.js#L36
I do not want to have to worry about whether another extension can inject xss into yours with a crafted request/id/name.
* the content security policy does not allow unsafe-inline
* extension ids are autogenerated by chrome
There are several clones that are trying to piggyback on that name though. You have to go for the original one - the one from Raymond Hill (or gorhill)!
The upnacked zip worked just fine though!
Nice extension, thanks!
(Vivaldi 6.2.3096.3 on Linux)
Repeated clicking results in loop of 1) muting second to the last extension 2) muting the extension I'm actually clicking 3) unmuting second to the last and 4) unmuting the one I'm clicking :-D
It is quite hard to describe, I may create a video and upload it somewhere later.
I was clicking around for a bit and noticed one more thing: it does not display "Anti Anti Debug" extension - but that extension suddenly appears when I toggle any mute button.
Maybe that extension is doing something funny? It is too late for me to try now but I will keep digging around tomorrow.
Also, if I delete an extension, it still appears in the list of extensions in Little Rat. Any easy way to fix this?
Not being familiar with exactly what data these APIs (or similar?) provide: could extensions' abilities to access other extensions' requests imply any security concerns for e.g. password manager extensions? Or auth-token-using extensions?