54 comments

[ 4.6 ms ] story [ 78.4 ms ] thread
Browser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission !
And the ones that are not will probably get bought out at some point and become malware as well.

The only extension I trust enough to install on any browser is uBlock Origin.

Hopefully people will start learning that you want to install as few browser extensions as possible.
I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.
Load extensions in developer mode so they can't silently install malware on you
This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.
I don't really understand the complaint here. It seems for most of those extensions have it in their literal purpose to send the active URL and get additional information back, for doing something locally with it.

And why does this site has no scrollbar?? WTF, is Webdsign finally that broken?

My initial solution was:

>Before installing, make each user click a checkbox what access the extension has

However, as I've seen on android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update automatically is taken place, new code is installed)

Here are the two solutions I have, neither are perfect:

>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.

>Let updates automatically happen, but leaves you open to remote, unapproved installs.

It's interesting to see this surface again. As someone currently looking into building extensions, the permission granularity has always felt like a double-edged sword. Even with Manifest V3 limiting some capabilities, the 'read and change all your data on the websites you visit' permission is still necessary for many legitimate tools, but it requires so much trust from the user. I wonder if a more granular, per-domain permission model (like mobile apps) would be feasible for the Chrome team to implement without breaking UX.
Most of them jump out as immediately dodgy -- except Stylsh. That is the only one I've ever used on the list but it's been several years.
Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.

It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.

The fact that most of these are capturing query parameters:

  "u": "https://www.google.com/search?q=target",
indicates that are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.
> We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.

The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.

And why didn't one of the wealthiest companies of the world capture this themselves?

Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.

The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.

We focus a lot on blocking data collection and spyware.. but not enough about what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.

It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website, and then the installed extension autoupdates without an option to turn it off.

I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.

If someone would like to replicate, a good approach would be to reduce the cost by removing a full-chromium engine. I doubt these extensions are trying to do environment detection and won’t run under (for eg) JSDOM+Bun with a Chrome API shim.
It’s obvious CWS has given up on oversight of these extensions. It’s a minefield.
Just create an AI service and users will voluntarily send you all their data.

No need for such complicated attacks /s

Only 37M? I'd have guessed a higher number than that.
At this point, someone should make a site to check whether installed extensions are malicious or not.
Couple of quick thoughts on how to protect yourself from having a formerly trustworthy extension go rogue on you:

- https://github.com/beaufortfrancois/extensions-update-notifi...

And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)

- brave://flags/#brave-extension-network-blocking

You can then create custom rules to filter extension traffic under brave://settings/shields/filters

e.g.:

  ! Obsidian Web
  *$domain=edoacekkjanmingkbkgjndndibhkegad
  @@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad

- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually

  > Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
This is a great idea. Are there any deterministic tools to audit an extension codebase?
> Clone the GitHub repo, … build from source, update manually

I’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions m x p x r x e times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browser or Chromium derivatives.)

Yes, and?

Chrome/Google/Alphabet is spying on 100% of their users.

Quit using Alphabet stuff, and your exploitation factor goes down a LOT.