
The Web Is Dangerous: Phishing and Browser Extensions - ejcx
https://ejj.io/the-web-is-dangerous-phishing-extensions/
======
inanutshellus
> Extensions have a permissions model, but it isn't easy to understand like a
> mobile phone's permission model and extensions have very scary powers.

I don't see mobile phone permissions as being all that superior. Perhaps they're
more explicit, but the reasons for the permissions are never explained, and
they're vulnerable to the same problem as the author describes (someone buying
the app/extension then abusing it). After all, nobody reviews the permissions
on apps they install, they just feel powerless and install it anyway. (e.g.
"Well, I want the facebook app, and so whatever permissions they ask for I'll
give them, no matter what.")

Take, oh, "Map My Run".

So it's an app to track your location while you're exercising. You might
expect it to need your location and internet access.

Nope.

It needs to know your actual identity, device id, phone number, access to all
your phone accounts, all of your contacts, full write access to media, photos,
camera, microphone, full internet access, ability to change network settings,
view and change account settings, view and change google service configuration
(whatever that means)....... the list actually goes on, if you can believe it.

Now, you might think "well, don't install apps from companies that use too
many permissions" and, well, I don't. But it's also pervasive and I know no one
else who even gives a second thought to it.

Basically they say "I trust Apple / Google to provide quality applications" or
"[Map My Run] wouldn't misuse my data. What would they possibly gain? That's
just silly. Quit pestering me. _install_ "

(Note: I don't have a beef with Map My Run, it was just a recent app I wanted
to install.)

~~~
DrScump
This is _exactly_ why I don't install 3rd-party apps on my primary phone
unless they request nothing more than absolutely necessary (e.g. Lampa as a
flashlight).

I have a second (backup) phone that I put anything that can't be done via
browser (e.g. Lyft and such), but it has nothing on it in terms of contacts or
data.

I'm baffled that 98% of people seem to care nothing about privacy risks.

~~~
nebula
you carry both phones most of the time?

