Five years ago I had a whole bunch of extensions, but that ended whenever it was that I first learned that there were bad actors buying legitimate extensions from their developers and filling them with malware. After that I dramatically reduced the number I had installed, down to basically a password manager and uBlock Origin. The brief install-time vetting I used to do would do nothing to prevent an auto update from installing something malicious in the future. Nowadays malicious browser extensions are the most common thing I find on family and friends' computers when I'm helping them with an issue.
Can confirm. As a dev of an extension with 10k users I get 3-4 emails a month in my spam which ask me to monetize my extension by secretly changing its users' search engines. My extension is open-source and quite small, but if the change was sneaked in I think most of the users would not notice. I stick to using userscripts for the most part since you can easily check their downloaded source and disable updates.
Example:
Beth Anderson <beth@monetize-extensions.com> Mon 10:58 AM
To: Mostly Spam <dev@x-ing.space>
Hello
I am Beth and I am offering monetization for browser extensions, with everything that is going on our team was extremely focused and productive in creating a way to earn revenue on extensions.
We offer to change default search to Bing or Yahoo on your extension which can earn up to $800 a month per 5000 users. This is a premium product by invitation only and can easily be added to your chrome extensions.
You are might curious to know if it is allowed? And I must say that this is completely allowed! Please reply to this email to discuss this further!
Open source doesn't solve it completely. What you have in the repo and what is published doesn't have to be the same thing. Unless people are doing the extra effort to compare them, which is extremely rare unless it's quite popular. I've seen this happen a few times.
"You are might curious to know if it is allowed? And I must say that this is completely allowed!"
I feel like this would make a great corporate logo for a discount legal firm on It's Always Sunny In Philadelphia that Charlie would start when high on Elmer's glue.
I had this amazing extension for Google Play Music. It had cover art and some great hot keys. I noticed a bug with it pulling low-res cover art sometimes, so I tried to see if I could fix it in the source code. The GitHub repo was not public anymore, so I made the changes locally and it worked.
I emailed the dev (his email was on the about section of the extension). He told me that the code was no longer public because he was selling it to someone else that wanted to take it over. I had all kinds of red flags from this, so I uninstalled it right away.
uBlock Origin and HTTPS Everywhere improved security by removing deceptive advertisements masquerading as legitimate on search engines and freeware download sites. HTTPS Everywhere prevented some forms of HTTPS downgrade attacks. Also, uBlock has an option to remove WebRTC IP leaking.
I'm not sure what you mean by non-malicious extensions being intrusive. I use a number of extensions, mostly content-blocking and privacy-related and they mostly just get out of my way. The Firefox Extension Store also has a recommended extensions feature that shows that the extension has been reviewed by Mozilla for privacy and security. Most extensions I use have this seal.
Yeah, I get that, but it seems to me like that's worse than the security model for any non-containerized application. If you don't trust the author there really isn't much there that will protect you.
That's fair, but my browser has permission to access my data for all websites, and uBlock Origin probably has my best interests in mind more so than Google Chrome.
It's one of the nice things about Brave: it had privacy features built in that you would otherwise need a dozen extensions by various people to do the same. It seems like the built-in tracking protections in Firefox have caught up a lot though; I'm not sure if the extensions are as necessary now.
Indeed, it's more required if you're a web developer. Extension to capture whole screen (including scrolled screen), color picker, ruler, even magnifying glass are the ones I usually use.
Of course there are, but the point is, you cannot really trust any of them. Today they will be very useful, tomorrow they may be malware, and there is no way for you to know or protect yourself.
This is true of anything you find on github as well.
Open source works on the idea that "given enough eyeballs, all bugs are shallow." The thing people forget is the "enough eyeballs" part. As if people are sitting around auditing every sub-dependency of a sub-dependency of React.
In addition, I don't know of any package repository that requires the authoritative source[1] from github to match the compiled/minified/etc. package that is uploaded and published. And I suspect most repos are vulnerable to this.
There are many popular but unloved packages out there.
[1] I'd also point out how incredibly stupidly dangerous it is that the open source community has basically given Microsoft the keys to be the authoritative source for all of open source. No one has learned a damn thing. And, somewhat ironically, Microsoft buying out an entire user base for their own nefarious purposes really fits the topic at hand.
2) Recursive dependencies massively increase that risk.
3) You should check all your dependencies into your repo, or at least some kind of manifest with secured signatures of those dependencies, and never automatically update dependencies.
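The two concerns above, a published package drifting from its source and dependencies updating underneath you, both come down to pinning what you reviewed and diffing against it later. The following is an added example, not code from anyone in the thread: it builds a SHA-256 manifest of a vendored directory (an unpacked extension or a dependency) and reports added, removed and modified files on a later check. The sample files and the tampering in `demo()` are constructed; signing the manifest, which the comment suggests, is a separate step not shown here.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large vendored blobs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "sha256-" + h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash.
    This is what you would commit next to the vendored tree."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, pinned: dict) -> dict:
    """Diff the tree on disk against the pinned manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "modified": sorted(
            k for k in pinned if k in current and current[k] != pinned[k]
        ),
    }


def demo() -> dict:
    """Constructed scenario: pin a tiny unpacked extension, then let an
    'update' change one file and drop in a new one; return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "manifest.json").write_text('{"name": "example", "version": "1.0"}\n')
        (root / "background.js").write_text("console.log('hello');\n")
        pinned = build_manifest(root)  # the reviewed state
        # simulated update: behaviour change plus an unreviewed extra file
        (root / "background.js").write_text("console.log('hello');\n// changed by update\n")
        (root / "tracker.js").write_text("// file not in the pinned manifest\n")
        return verify_manifest(root, pinned)


if __name__ == "__main__":
    print(demo())  # shows background.js modified and tracker.js added
```

Run the check in CI or before every build; a non-empty diff means the vendored tree is no longer the one you reviewed.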
I see a few things that can improve this situation by quite a lot:
1) Languages should provide an extensive and expressive standard library of some sort, either one bundled with the language, or a tightly vetted and controlled set of first-party dependencies.
2) Package managers should not automatically resolve recursive dependencies, but should force users to manually add all dependencies of any dependency that is added. This additional friction would force you to acknowledge all the risk you are taking on by adding dependencies, and it would force the ecosystem as a whole to reduce the number of dependencies.
Linux users who install their apps via a package manager (other than, iiuc, AUR) have at least the vetting of a third party. And this is why a lot of work goes into reproducible builds and minimal bootstraps.
Apps provided on any platform by major, trusted vendors are much more likely to be safe. Apple/Microsoft/Adobe might find themselves compelled to add a government backdoor, but they're probably not going to chuck in code to send your credit card number to the darkweb.
As for installing random programs from unknown vendors on the Google Play Store, yeah, I'm a bit nervous about that. It would be nice if we could manage trust on such platforms in some way, but all we can do is hope to be on guard at all times. Google clearly doesn't care if you get hacked by a third party, as long as they don't do it directly.
Web browsers do a lot of sandboxing to prevent outside tampering by other applications. Your secured content is encrypted by HTTPS between the server and your browser... but extensions sit inside the browser sandbox, often with full access to your decrypted web traffic.
If most of your secure information is handled via web browsers, as is usually the case today, extensions are drastically more risky than arbitrary software, because of the privileged place in the stack they operate.
Not the person you are replying to, but for me, it applies the same. I only have uBlock Origin and a password manager for extensions, and my phone has very few apps. I don't trust other devs to not succumb to temptation, so I don't use their apps. It would not be difficult for me to give up the smart phone for a feature phone.