[dankohn1]

This is fantastic news.

The Quick Note Chrome extension from Diigo (now removed) submits every URL visited to a third-party server and those URLs are then crawled the next day.

We just switched our 25 member customer service team to Chromeboxes and were very concerned to find soon after that an EC2-based crawler was querying private URLs of our platform.

Because the Chrome Web Store had not banned bad actors like Diigo, we now blacklisted all Chrome extensions except for a very small number that I personally approve. Rather than feeling that ChromeOS was improving our security, we had our chief software architect spend most of the weekend figuring out who was targeting our platform. (All queries received 404 errors, but we remained concerned whether the rogue extension could read the submitted form credentials or the cookie store to get access.)

Rogue extensions are wasting a huge amount of time and destroying trust in the Chrome platform. Here's some more detail on similar stories about Diigo:

https://chrisa.wordpress.com/2014/08/25/chrome-extensions-go... https://mig5.net/content/awesome-screenshot-and-niki-bot

I am thrilled to see Google finally acting to restore trust in their platform.

Update: Google removed Diigo Quick Note, but still has Awesome Screenshot <https://chrome.google.com/webstore/search/diigo?hl=en-US> which captures the identical data and sells it to third party crawlers.

[makomk]

Sounds like it's the same as Google's previous clampdowns on rogue extensions - they removed a few high-profile offenders, put out a press release about it, and left a whole load of malicious extensions untouched even though they'd been repeatedly reported.

[arcatek]

A good thing would probably to have a way to see the requests triggered by installed extensions. Even checking this list once in a while and manually reporting the suspicious ones with a "report" button would make these rogue extensions almost worthless.

[crisnoble]

Have you tried out the new "Chrome Apps & Extensions Developer Tool" https://chrome.google.com/webstore/detail/chrome-apps-extens... ?

It appears to log what actions each application and extension performs, view permissions, and debug the extensions' background pages

[tracker1]

That would be pretty nice.. I tend to have half a dozen extensions loaded, mostly dev extensions from trusted sources. I've also used the source versions of a few as well.

I think one of the worst things to me is the number of drive-by installers that now target chrome, firefox and ie with malware extensions, or transparent proxies. I saw one on a friend's son's computure and mainly noticed because there were additional ads on Amazon's site. Sometimes I think we should bring back outlaw (dead or alive) status for certain classes of criminal dredge on society... Then I think about where the likes of Snowden would fall from the governments perspective and think it over again.

[greggman]

Just a guess but can you see those in the DevTools on the Network tab? Needs to be open before you load the page. I'd check but I don't have any extensions installed except WTF and the WebGL Inspector.

[tokenizerrr]

This depends on what/how the extension is accessing the network. They have a background page and they can inject scripts on visited pages. If they are injecting scripts which then make the requests then it would show up in the DevTools on the page you are visiting, but this is uncommon.

Instead it is far more likely for the extension to make the requests from their background page (which has elevated permissions) which is essentially its own page with its own inspector. You can inspect each extension individually by going to your extension listing, enabling developer mode and inspecting the background page of the extension you suspect.

[hueving]

Right, but I think the parent was suggesting a way to see historical URL accesses by extensions so you could audit them.

[seanp2k2]

You can see EFF PrivacyBadger code getting injected in the source tab in dev tools, not positive about network requests. It wouldn't be hard to test though, just make a simple extension that does XHR to example.com and load it up locally. Chrome extensions are surprisingly easy to write, and there are some simple tutorials if you google around a bit :)

EDIT: here's how to inspect extensions you're curious about: https://developer.chrome.com/extensions/tut_debugging

[Istof]

somewhat unrelated but if you email a private URL to a Microsoft email address, they will also crawl it, about once a month (I get an email anytime someone access it and MS bot is the only one accessing it). Not sure if Google also does that...

[kardos]

This is why I always put a user/pass on any private URL

I don't think their URL scanners are clever enough to dig through emails and try user/pass combos

[ebtalley]

Agh, damn. Just removed Awesome Screenshot due to your comment and I liked it as an extension too. Not enough to leak information to third parties though..

[x0x0]

And this is why google sucks: even technically apt people can get suckered. Google bears responsibility for what's in the chrome web store, except they (as standard) duck it and dump all responsibility onto the users. If even sophisticated users can get fooled, what hope do most folks have?

The answer is for google to own what is in their store, but that costs money.

[tushar-r]

Try using Greenshot

[joshu]

ISTR Diigo breaking our rules for the delicious API... In 2007? I guess some stuff doesn't change.

[rasz_pl]

this is exactly what Google does with every single link you receive in gmail

[sanemat]

I think Awesome Screenshot is "bad" extension too, but purging from the store is too much.