|
|
|
|
|
|
by silverlight
4536 days ago
|
|
|
I just can't even fathom. Like, every email I've typed. Every interaction with any site. Credit card numbers. How is this not entirely illegal? And it certainly shows an incredible flaw in Chrome extensions. This extension didn't do this when I installed it. A silent auto-update though basically turned it into the worst malware I've ever had installed on my computer. How can any Chrome extension ever be trusted? Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab and I are no stranger. I would easily have noticed if my keystrokes were being sent back to a server and it was shown in there. So not only can an extension be silently updated, but it's capable of using a network connection that doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That seems almost as ridiculous as what the extension author did. |
|
|
Unfortunately this is simply a byproduct of the web's (and browsers') botched security model; there is no way to allow extensions to modify pages without them being able to read the pages, and if they can read the pages they naturally can catch events, including keystrokes.
This is why you should think - hard - whenever allowing any extension with that permission. It could autoupdate at any time to include malware.
There are a lot of bad extensions out there. I've encountered quite a few. It's a wide-open vector for exploitation and it happens all the time. Just last month I came across a game extension (super mario clone) that contained jQuery. Upon further inspection, it turned out it had been re-minified (making diffs difficult) and had a few lines deep inside that hijacked ads and replaced them with the author's ad network. Silent, effective, and this extension was on the 'top lists' for months. It might even still be there.
Be very aware of the permissions an extension asks for.