[nmstoker]

I've seen plugins like this from time to time and I always wonder to what extent using them with a secured service (like Netflix etc) means that you've opened yourself up to them doing all sorts of things with your account. You need to login and once that's done the plugin code effectively acts as you doesn't it? I'm guessing there are Chrome/FF protections on the password field, but if the plugin can do anything on a site, might it not draw their own fake password box on top of the real one?

I'm certainly not suggesting this is done by this author and I applaud the creation of the tool, but I'd be interested to hear opinions as to whether my interpretation above is correct or if I'm overly cautious/overlooking something.

[apendleton]

I mean, unsurprisingly, it looks like it requests permissions to execute arbitrary code on your behalf on netflix.com. So yeah, it can do... a lot. It could, for example, click the logout button on your behalf, wait for you to log back in again and keylog your password when you do (there aren't any special protections there -- you can access it like any other field from privileged JS, and other extensions like password managers depend on this being the case), then use that to, in the background, change your password and recovery email, and then log you back out again. Any use of Chrome extensions that can execute scripts requires some degree of trust, for better or for worse.

[justEgan]

I believe when an extension requires matches permission for say ://netflix.com/, it asks for permission to load the content script to the browser tab that has that URL opened. Which means that even if the extension involves the slightest bit of modification on the UI, it still requires the same permission as one that involves the user's sensitive information. It seems this page suggests that the extension could also read usernames and password: https://support.mozilla.org/en-US/kb/permission-request-mess...

For what it's worth, we can confidently say that our extension does UI modifications without ever being involved with user sensitive info. Regardless, will definitely open source the extension. Hopefully this will win some user's trust. Stay tuned!

[rafamvc]

I am curious too. I wonder what are the limits of an extension.