[purple-leafy]

Issue with this “benign” extension is that it will be using

“host_permissions”: “<all_urls>”

In its manifest means it can basically do anything on any webpage you visit, scrape data etc.

As an extension developer, no thanks. “Fun” pointless extensions like this that have no real utility, but funnily enough require broad permissions, are dangerous

[elaus]

> [...] but funnily enough require broad permissions

I don't think there is a way to implement this without said permission. You can always check out the code from GitHub and install the extension locally to avoid any malicious changes in the future.

[skybrian]

And that’s why it shouldn’t be in the Chrome app store at all.

As a hobbyist developer, having that kind of access in other people’s browsers is not something I want, and I’m suspicious of developers who do seem to want it. It’s like “hey, I wrote a fun game that requires root access.”

At least limit it to people who know what Github is.

[firtoz]

> hey, I wrote a fun game that requires root access

So... Just like AAA game studios, eh?

[MOARDONGZPLZ]

No. They are large and presumably have some sort of trust, and can lose the trust of people if they do particularly shady things. This may not bear itself out in practice of course. But a game studio has something to lose, whereas hobbyist developer 73683 asking for root permissions for no real gain to you has nothing to lose from any number of things like scraping sites you visit or using your browser as a tor exit node or any number of things.

[sandworm101]

>> No. They are large and presumably have some sort of trust, and can lose the trust of people if they do particularly shady things.

Sony? Microsoft? EA? Apple? Exactly which giant megacorporation is beyond shady things?

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

[ocodo]

Apparently people are a telepathically interconnected species, who won't fall for corporate scams in waves.

Sadly, both those things are untrue.

[gryn]

yeah, I'm sure Genshin impact's creators went out of business when their Kernel access anti-cheat was hacked by ransomware or more recently the hacks mid live broadcasted tournaments (don't remember which game, I think it was apex).

I mean that's what kids, teenagers, and young adults and non technical people in general are known for: their prudence and good technical decision making.

lets not talk about the other risk vector that Tencent, a chinese company is the one buying most of these game studios that have Kernel access (not exclusively).

[dspillett]

It doesn't even need to be a hack, or a malicious new owner taking over a game or other software package that has such access.

The original company could be malicious/stupid/both. See https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk... for the most famous example of “both”.

[MOARDONGZPLZ]

I don’t know what that is.

[oneeyedpigeon]

Right, but Google is surely the one at fault here. There should be absolutely no reason that this extension can "change all my data on all websites", whatever the hell that actually means.

[tetromino_]

Not "change all my data on all websites" but "read the content of all websites I visit".

Because an extension that finds all button elements on all websites you visit, must necessarily start by reading the content of all websites you visit.

[oneeyedpigeon]

Yes, I think that one's acceptable in this case. It's the "change all my data" that is problematic.

[Retr0id]

I was under the vague impression that Manifest V3 was supposed to prevent this sort of thing. But looking at the extension, it is using MV3. Maybe it really was just about weakening ad blockers.

[skybrian]

I think both the developer and Google have some control over what appears in the Chrome store.

[beeboobaa3]

What are you even talking about? Every piece of desktop software you have ever ran has more permissions than a browser extension.

Is your stance that hobbyist developers should not be allowed to develop desktop software or CLI tools? The entire software development ecosystem would collapse in an instant. Or are you just not familiar with Windows & Macs (lack of a) permission system?

[vunderba]

Unbelievably poor comparison... for several reasons:

1. Most antivirus solutions built into operating systems such as Microsoft defender are unlikely to find suspicious extensions that are exfiltrating your data

2. Extensions autoupdate (and don't require you to re-authenticate their permission set)

3. It is not uncommon for large spyware companies to buy up a bunch of the most popular chrome extensions, and proceed to inject them with malware.

4. Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone. There's a dangerous level of passivity to browser extensions for an average user who might forget they even have them installed on the browser.

Maybe number 2 has changed in the last 10 years, but it certainly didn't used to be the case.

[beeboobaa3]

> Most antivirus solutions built into operating systems such as Microsoft defender are unlikely to find suspicious extensions that are exfiltrating your data

They can flag antivirus signatures just like everything else, and I've experienced this happening in the past. In the end, extensions are just some javascript/css files in a folder and they get scanned just like everything else.

> Extensions autoupdate

So can any piece of software if it wants to. It's trivial to make an updater start on boot.

> It is not uncommon for large spyware companies to buy up a bunch of the most popular chrome extensions, and proceed to inject them with malware

The same can, and has, happened for "regular" software.

> Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone

Desktop apps can trivially just not show a window if they want to. They can trivially add themselves to autostart. It depends entirely on what they're doing, just like an extension.

[skybrian]

The lack of sandboxing in desktop applications is bad, but you aren’t going to be writing code to read every web page a user visits by accident, and that’s what some browser extensions do on purpose. They’re inherently working with more sensitive data. So that’s worse in certain ways. (And they are more sandboxed in other ways.)

[beeboobaa3]

> but you aren’t going to be writing code to read every web page a user visits by accident

No, instead you're just reading all files on the filesystem, including the browser's cookie store or whatever. The data you are, or can be, handling is just as, if not more, sensitive since it's literally a superset of what the browser has access to.

> The lack of sandboxing in desktop applications is bad

Some sandboxing would be nice, but the Google/Apple approach of needing to beg the vendor for every little permission isn't the way to go, either. I'd rather have software that can actually do things as opposed to only having useless sandboxed "apps".

[skybrian]

My Mac sometimes prompts me to see if a Mac application should have access to certain directories, such as “Downloads,” so I’m not sure that’s entirely true anymore?

But in any case I think this is missing a distinction between what software developers can install in “developer mode” versus stuff that’s in the store for non-technical people to use. Apps in app stores see widespread use by people who barely know what a computer is, so I think there should be hoops you need to jump through to get distribution to the masses, at least for certain types of apps.

And those apps aren’t useless, they do important but security-sensitive things like banking, things us developers need to do too sometimes.

It’s a different world than hacking around on your Raspberry Pi or an old phone, and I think it should be different. Treating these situations the same muddies the issues.

[dougseismic]

Gatekeeping hobbyist mentioned

[purple-leafy]

There is a way:

1) Extension could use the “activeTab” permission (would require user to click the extension once when inside the current tab to activate the extension, then the extension will run for any url they visit

[lofaszvanitt]

And that is so annoying noone would do it.

[jimvdv]

If chrome permissions made sense a user could choose to activate the extension when they visit a site.

Also the extension could have no network access and have read-only access to the DOM to name a few improvements.

[m3kw9]

hard to know if github code is the code it is being installed unless you build it from github. 1/10000 people check+install like this

[resonious]

It seems crazy that extensions don't have a permission for making network requests. Getting permission to access the DOM on all pages I visit is fine if there's no way to exfiltrate!

[robryk]

You can always exfiltrate by inserting stuff into the page's DOM that will do the exfil from the page's context.

[aembleton]

Should have a seperate permission to modify the DOM. This extension only needs to read the DOM.

[teruakohatu]

Yes, a network access and DOM write permission should be one and the same. I think the reason it isn't done is because there are so many ways to leak data over a network. If the extension can trigger a DNS lookup somehow, it can exfiltrate data.

Android used to have a network permission but Google removed it.

[beeboobaa3]

> Android used to have a network permission but Google removed it.

That's because google is in the ads business and wants apps to always be able to exfiltrate data to google (google analytics, google ads, etc) & display ads without needing additional permissions.

Having a network permission means there is an incentive for apps to not have the network permission which means they can't load ads. And Google wants you to look at their ads.

[pastage]

I block all external resources on my pages, but sure it works well in most places! It think the default policy should be block on most pages.

[gtsteve]

I would hope that high value target sites such as banks would implement CSPs to prevent that or make it more difficult though.

[pigeonhole123]

You can save the data and exfiltrate through a site without CSP

[emadda]

Or also a permission to disable automatic updates to reduce the issue of “popular extension sold to malware corp”.

[ivanjermakov]

1. Wait for an extension to become popular

2. Sell it to a company with malicious intentions

3. Get ad/spy/malware in your browser

[geek_at]

that happened to me. I installed a plugin that would parse all pages for email addresses and store them for later reference. A few months later i started to see strange ads on pages that shouldn't have ads.

[6510]

The permissions need to be more specific some how.

I think the correct approach is to have the option to have a function isolated from the rest of the code. Then pay a trusted party to review the functionality of the function.

In this case said function may only 1) access the html on the website, 2) find the button and 3) return only that what makes the button.

Then the permission prompt, written by the trusted party, can be something accurate like: This extension wants to copy buttons from websites.

I'm calling it DEWISOTT computing: does exactly what it says on the tin

You can go wild update your extension 1000 times per day without touching the function.

[dotancohen]

  > written by the trusted party

This is the weak, and expensive, link.

[6510]

The programming notary should be expensive per line.

If a function gets certified and a decent description it can be published for other developers to further scrutinize and use the same.

With user.script or greasemonkey scripts it is kinda expected to read the script before use. Short scripts are easier to check.

Funny example

https://userscripts-mirror.org/scripts/show/179526

If the potentially dubious part can be isolated the notary, the publisher, the other developer and the user can easily review it. It seems much better than the current installing black boxes?

[rc_mob]

How is OP supposed to build the extension without doing this?

[d--b]

Yes they sell for quite a bit, and the buyer may not have the same idea of “fun” than the original guy.

[Refusing23]

just like 'Grammarly' which is basically just a keylogger

[MrSS]

Grammarly has to be able to connect back to their online service while the button addon could be implemented in a way that it can read every website but not send antyhing anywere (in theory, the addon could of course simulate a form and send data out through that or somehow).

But yeah i tested grammarly for 5 minutes and found it crazy.

there has to be a better way getting both worlds :|

[dspillett]

In DayJob we've had to block (actually block, because people didn't listen to being asked not to use it and similar tools) Grammarly because it sending text that could potentially include client data off to their servers for checking would have given us a nasty fail should a client request or conduct an audit.

As an alternative there is LanguageTool which you can install locally. We have it running on a small VM that people can configure their installs to talk to, and block the public service end-point (as sending to that would be a big no-no for us for the same reason as Grammarly). It doesn't have all the features of Grammarly so isn't a complete drop-in replacement, but the self-hosted version works as well as the free features of Grammarly.

[Suppafly]

>As an alternative there is LanguageTool which you can install locally. We have it running on a small VM that people can configure their installs to talk to, and block the public service end-point

I'm surprised that Grammarly hasn't come up with a local service like that, I bet they have a ton of enterprise users that would appreciate it.

[bargainbin]

Local software of course! But good luck getting funding for a product that doesn’t phone home every 5 seconds and present an opportunity to plague the user with ads “that they want to see”

[vstollen]

I haven’t used it myself, but the LanguageTool browser extension might allow users to use a self-hosted or locally running instance.

[dougseismic]

As a fellow extension developer, you'll know that remote code is extremely sandboxed by the review process and you can jump into the code easily.

Hell if you're that paranoid, sniff any remote connections with mitmproxy and generally just... understand what an extension does before you leave it on your machine.

Some extensions are just fun; this extension is wicked for me as design inspiration but yeah, salty take and hackernews PB+J

[vstollen]

Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

I‘ve heard that Firefox will only run signed extensions. Would you trust this process?

[zinekeller]

> Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

Mozilla does not manually review most extensions (only extensions which Mozilla recommended are manually reviewed: https://support.mozilla.org/en-US/kb/add-on-badges).

Chrome's policy is extensions are "reviewed periodically for compliance", but is unclear on how frequent is this periodic review (https://developer.chrome.com/docs/webstore/review-process).

[doctorpangloss]

My dude. Google Chrome hoovers up all your browsing history. Google knows the content of pages you visit, because you make search queries to visit them, and most sites use Google Analytics or Webmaster tools, or the sites are in their index and can be looked up by URL reported by Chrome. Google has your Gmail, YouTube, Google Drive… if it wanted to, it could access your private stuff because it has access to your email. You are whinging about a silly joke project with a hypothetical concern, when you are already granting broad permissions to all of your data.