10 votes

Let's build a Chrome extension that steals everything

4 comments

  1. Wes

    This is a great article. People often don't appreciate the depth to which extensions have access to your data, and this experiment perfectly proves otherwise. It's a real problem where extensions are being hijacked or sold, and data can then be easily exfiltrated.

    I think that's the major reason that Google have started locking things down in Manifest v3. As this blog post shows though, there's still plenty of damage that can be done. Also some rather clever ideas are on display here. Particularly this one:

    We need to prevent the browser from generating a permission dialog, so first we check if the page already has the geolocation permission.

    Since the extension is running within the permission scope of that page, this is a brilliant way to get away with whatever you can without evoking suspicion.

    I think it's pretty clear that scope warnings are not enough to inform users as to the abilities of their running software. There needs to be a multifaceted solution to this one. I think the MV3 changes solve some problems, but not all, and clearly people are worried about the changes to webRequest. The removal of remote executable code is important though, and at least means that the rules aren't changing after installing the extension. It also means that human reviews of submitted extensions are more reliable than before.

    It's a tough thing to balance the needs of the power user, the malicious capabilities of the extension, and the performance and stability for the average user.

    I have a couple ideas on how that might be improved, but they're not perfect:

    First, a manual process to request "super permissions" from the browser vendor for extensions that really need them. Think extensions like uBlock Origin that would like to continue to be able to monitor network traffic rather than use declarative blocking rules. Anything that is potentially dangerous to users could go through a more extensive audit process.

    Second, a toggle on the extensions page that allows extensions to read and interact with other extensions. This would act like the "Enable in Incognito" flag in that it can only be set by users. This way, extensions like the aforementioned uBlock Origin could read and modify data from other extensions, and not just the page. It would address the issue of naughty extensions being able to exfiltrate data through network requests, for example.

    Of course it also offers more functionality to those naughty extensions if a user ends up being socially engineered into enabling the checkbox. As I said, it's a tricky thing to balance!

    4 votes
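Since the thread keeps coming back to what an extension's declared permissions actually let it reach, here is a small added example (not from the linked article or from anyone in this thread) that audits a manifest.json the way a cautious user or reviewer might before installing: it flags permissions and host patterns that grant broad page or network access, and notes when the manifest predates MV3's ban on remotely hosted code. The risk descriptions and the sample manifest are constructed for illustration.

```javascript
// Added example: flag broad-access permissions in a Chrome extension manifest.
// The labels are the author's assessments, not an official Chrome classification.
const HIGH_RISK = {
  "<all_urls>": "read/modify every page the user visits",
  "tabs": "URLs and titles of all open tabs",
  "webRequest": "observe network traffic",
  "webRequestBlocking": "modify or block network traffic (MV2)",
  "scripting": "inject scripts into permitted pages (MV3)",
  "cookies": "read cookies for permitted hosts",
  "history": "full browsing history",
  "clipboardRead": "read the clipboard",
  "management": "read/interact with other installed extensions",
};

// Match patterns like "https://*/*" or "*://*/*" cover every host.
function isAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|file|ftp):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version ${manifest.manifest_version}: remotely hosted code not prohibited`);
  }
  // MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (HIGH_RISK[p]) findings.push(`${p}: ${HIGH_RISK[p]}`);
    else if (isAllHosts(p)) findings.push(`${p}: page access on all hosts`);
  }
  // Content scripts that match everything also reach every page's DOM.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isAllHosts(m)) findings.push(`content_script on ${m}: runs in every page`);
    }
  }
  return findings;
}

// Constructed sample manifest, not taken from any real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  permissions: ["tabs", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST).join("\n"));
```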
  2. jordan

    If you compartment your browsing into distinct buckets, this problem is mitigated. For example, say I have an extension that copies all the tab URLs of my session, if I only run that in a dedicated Chrome/Firefox profile and nowhere else (and for that extension only), then my other profiles and sessions are not gleaned. Some data might be exfiltrated like the aforementioned tab URLs, but I can live with that. If I had all my browsing in one profile/session that means everything is up for grabs. This is why I assume any untrusted addon can glean details about my browser & session, so I dedicate profiles to extensions I don't trust.

    1 vote
    1. JXM

      But why use an extension you don’t trust in the first place?

      1 vote
      1. Wes

        It's one thing to not inherently trust extensions, but it's another to actively distrust them.

        Presumably there is a threshold where you're willing to install extensions for their provided utility, while still taking basic precautions to ensure they can't do damage should they ever turn rogue. Of course if that does happen, you would still uninstall them on the spot.

        1 vote