Browser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission !
I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.
This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.
I don't really understand the complaint here. It seems for most of those extensions have it in their literal purpose to send the active URL and get additional information back, for doing something locally with it.
And why does this site has no scrollbar?? WTF, is Webdsign finally that broken?
>Before installing, make each user click a checkbox what access the extension has
However, as I've seen on android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update automatically is taken place, new code is installed)
Here are the two solutions I have, neither are perfect:
>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.
>Let updates automatically happen, but leaves you open to remote, unapproved installs.
It's interesting to see this surface again. As someone currently looking into building extensions, the permission granularity has always felt like a double-edged sword. Even with Manifest V3 limiting some capabilities, the 'read and change all your data on the websites you visit' permission is still necessary for many legitimate tools, but it requires so much trust from the user. I wonder if a more granular, per-domain permission model (like mobile apps) would be feasible for the Chrome team to implement without breaking UX.
Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.
It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
> We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.
The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.
We focus a lot on blocking data collection and spyware.. but not enough about what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.
It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website,
and then the installed extension autoupdates without an option to turn it off.
I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary,
replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn
"Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then
install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
If someone would like to replicate, a good approach would be to reduce the cost by removing a full-chromium engine. I doubt these extensions are trying to do environment detection and won’t run under (for eg) JSDOM+Bun with a Chrome API shim.
And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)
- brave://flags/#brave-extension-network-blocking
You can then create custom rules to filter extension traffic under brave://settings/shields/filters
e.g.:
! Obsidian Web
*$domain=edoacekkjanmingkbkgjndndibhkegad
@@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad
- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
> Clone the GitHub repo, … build from source, update manually
I’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions
m x p x r x e
times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browser or Chromium derivatives.)
54 comments
[ 4.6 ms ] story [ 78.4 ms ] threadThe only extension I trust enough to install on any browser is uBlock Origin.
And why does this site has no scrollbar?? WTF, is Webdsign finally that broken?
>Before installing, make each user click a checkbox what access the extension has
However, as I've seen on android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update automatically is taken place, new code is installed)
Here are the two solutions I have, neither are perfect:
>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.
>Let updates automatically happen, but leaves you open to remote, unapproved installs.
It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.
We focus a lot on blocking data collection and spyware.. but not enough about what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.
I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
https://kaveh.page/snippets/chrome-extensions-source-code
Even a tiny extension like this one I wrote with 2k users gets buyout offers all the time to turn it into malware: https://chromewebstore.google.com/detail/one-click-image-sav...
No need for such complicated attacks /s
- https://github.com/beaufortfrancois/extensions-update-notifi...
And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)
- brave://flags/#brave-extension-network-blocking
You can then create custom rules to filter extension traffic under brave://settings/shields/filters
e.g.:
- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manuallyI’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions m x p x r x e times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browser or Chromium derivatives.)
Chrome/Google/Alphabet is spying on 100% of their users.
Quit using Alphabet stuff, and your exploitation factor goes down a LOT.