[silverlight]

Whoa, wait. One guy in this thread is claiming that Window Resizer was sending all your keystrokes back to a central server based on what he saw in Wireshark. Can anyone else verify this? I've had this extension installed for...a year, at least. Do I need to now go change every single password on every site because chances are it's been keylogged? This is insane.

[Svip]

The developer also seems to claim that the keylogger exists as well. If you want to take his word for it as well.

[silverlight]

I just can't even fathom. Like, every email I've typed. Every interaction with any site. Credit card numbers.

How is this not entirely illegal?

And it certainly shows an incredible flaw in Chrome extensions. This extension didn't do this when I installed it. A silent auto-update though basically turned it into the worst malware I've ever had installed on my computer. How can any Chrome extension ever be trusted?

Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab and I are no stranger. I would easily have noticed if my keystrokes were being sent back to a server and it was shown in there. So not only can an extension be silently updated, but it's capable of using a network connection that doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That seems almost as ridiculous as what the extension author did.

[ssafejava]

A chrome extension can make network connections that you won't (normally) see in Dev Tools using a background page. You'll see the connections if you inspect the background page directly but most users won't.

Unfortunately this is simply a byproduct of the web's (and browsers') botched security model; there is no way to allow extensions to modify pages without them being able to read the pages, and if they can read the pages they naturally can catch events, including keystrokes.

This is why you should think - hard - whenever allowing any extension with that permission. It could autoupdate at any time to include malware.

There are a lot of bad extensions out there. I've encountered quite a few. It's a wide-open vector for exploitation and it happens all the time. Just last month I came across a game extension (super mario clone) that contained jQuery. Upon further inspection, it turned out it had been re-minified (making diffs difficult) and had a few lines deep inside that hijacked ads and replaced them with the author's ad network. Silent, effective, and this extension was on the 'top lists' for months. It might even still be there.

Be very aware of the permissions an extension asks for.

[imdsm]

Pop fiddler on your machines and look for yourselves.

[onli]

> How is this not entirely illegal?

Depending on where you live, this might very well be illegal. Unauthorized access and recording of private information of an IT-System is covered in some hacking parapgraphs, in the US and the EU (in the EU maybe as part of the cyber attack tools, as the keylogger would have recorded passwords).

[prafuitu]

That, my friend, sounds exactly as ridiculous as you are! If you know your JavaScript you can look at the source code and see that the extension is doing none of that. If not, you can try wireshark for yourself and see that there is no keystroke sent anywhere. The guy that made the claim is a complete A-hole that wanted to see the extension being remove from the webstore at any cost, including committing perjury.

[userbinator]

What are Chrome extensions written in? I don't use Chrome but if it's JS then it wouldn't be difficult to verify these claims.

[tokenizerrr]

It isn't. You can just download the crx, unzip it and go to town. You can acquire the crx by downloading it from https://clients2.google.com/service/update2/crx?response=red... (replace the EXTENSIONIDHERE)

[skybrian]

They're in JavaScript.

[erichurkman]

Where did you see that from the author?

[Svip]

Technically, he is quoted by another poster further up in the discussion. But the developer does not deny this quote.

[prafuitu]

Holly crap? Do you honestly think I can monitor the whole internet so I can deny every affirmation made by some random dude?

Look! I deny it now, ok?! I haven't done anything like that. I just mentioned somewhere that it is technically possible to do such thing in an attempt to increase users' awareness about what would truly be a "horrible thing", unlike my attempt to support further development of my extension through advertising.

[erichurkman]

That's why I asked. I saw a few accusations of it, but in all the referenced threads, could not locate you mentioning the accusation at all. I've not used the extension in a while, otherwise I would have dug into the JS itself to answer the question.

[prafuitu]

Where do I claim that?!! WTF?!

[gorhill]

I wrote an extension (HTTP Switchboard) which can log and filter behind-the-scene requests, which also comprise net requests made by extensions. I suppose this could be used to validate that an extension connects to a remote server. In any case, it can be set to selectively block/allow net traffic of extensions.

Even without this extension, it is possible to open the dev console of a specific extension and look at the detailed net traffic of a specific extension in the network tab. Somewhat simpler than running wireshark, so more within reach of the average user.

[gokulk]

I googled the problem and opted out ecoasia from the extension settings when i noticed my urls getting redirected everytime. but i had no idea that the extensions can 'Access all data on all the websites'. now I notice most of my extensions like web developer, page ruler, web font previewer have this permissions. need further clarification from the chrome team as to what this exactly is. passwords? credit card numbers? can also be accessed by the extensions?

[Cthulhu_]

Pretty much, yeah. The 'access all data on all websites' permission basically gives the extension access to injecting Javascript in all of your pages, which gives the extension full access to the DOM, and thus access to password and credit card fields.

[timmclean]

This comment from Paul Irish suggests that there was no keylogger: https://news.ycombinator.com/item?id=7048862

[dminor]

He's talking about a different extension.

[timmclean]

Whoops, you're right.

Do we have any confirmation other than from jollymonsa on the Chrome Forums that there was in fact a keylogger?