by usaphp 2659 days ago
Correct me if I am wrong, but if I visit my tax account page or something where the SSN is displayed - you can see it too?
2 comments

If you load a page with your SSN, the full page will probably be parsed by the extension in search of a "GoLink". Honestly, that's pretty unavoidable. The parser most likely needs to read every byte on the page to see if it's part of a GoLink, and that includes the segment of bytes that includes your SSN.

Any ad-blocker or otherwise page-modifying Chrome Extension requires the same permissions and likely does the same thing.

Provided the GoLinks extension isn't phoning home with the full contents of the pages it's parsing, and immediately discards non-GoLink-related data, this shouldn't be a problem.

It would be nice if the GoLinks team could clarify exactly what data is sent back to their servers by the Chrome Extension.

Chrome Extensions can also be inspected and their network traffic can be sniffed quite easily, so independent auditing is possible as well.

If someone broke into their account somehow and published a version to the Chrome Web Store, they could do that.

I suggest adding an alert anytime a new version of the extension is published, or if you already get an email from Chrome Web Store each time a new extension is published or the email addresses of the Chrome Web Store account are changed (npm does this I believe), to make sure it gets sent to an inbox that's actively monitored.

Thanks for pitching it! We do not send any content from the destination pages back to our servers.

Based on what we're hearing from the comments, we're planning to roll out a more detailed privacy page to build more confidence with our users.

Absolutely nothing on that page is sent to us. The only thing sent to our servers from the extension is when you create a golink using the extension. Your content is completely private to you.
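
Following the thread's point that extensions can be inspected independently, here is an added example (not from the thread and not the GoLinks extension's code): a Node.js check over an unpacked extension's `manifest.json` that flags content scripts and host permissions covering every site. The sample manifest, `isBroad` and `auditManifest` are constructed for illustration.

```javascript
// Added example: report which parts of an extension can read every page.
// SAMPLE_MANIFEST is constructed; it is not any real extension's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "example-link-helper",
  permissions: ["storage", "tabs"],
  host_permissions: ["https://api.example.test/*"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["scan.js"], all_frames: true },
    { matches: ["https://intranet.example.test/*"], js: ["helper.js"] },
  ],
};

// Match patterns that cover every host: <all_urls>, *://*/*, http(s)://*/*.
const BROAD = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

function isBroad(pattern) {
  return typeof pattern === "string" && BROAD.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  // Content scripts run inside the page and can read its whole DOM.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      findings.push({
        kind: "content_script_all_sites",
        scripts: cs.js || [],
        patterns: broad,
        allFrames: cs.all_frames === true,
      });
    }
  }
  // MV2 lists host patterns in "permissions"; MV3 uses "host_permissions".
  const hosts = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter(isBroad);
  if (hosts.length > 0) {
    findings.push({ kind: "host_access_all_sites", patterns: hosts });
  }
  return findings;
}

for (const finding of auditManifest(SAMPLE_MANIFEST)) {
  console.log(JSON.stringify(finding));
}
```

A finding only shows where the extension's scripts are allowed to run; what they send still has to be checked by reading the listed scripts and watching the extension's network traffic.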