
Massive spying on users of Google's Chrome shows new security weakness - commoner
https://www.reuters.com/article/us-alphabet-google-chrome-exclusive/exclusive-massive-spying-on-users-of-googles-chrome-shows-new-security-weakness-idUSKBN23P0JO
======
ThePhysicist
There is a web intelligence company in Israel that is known to buy popular
browser extensions like “Web of Trust” and use them to exfiltrate browsing
data (with tons of sensitive and personal information). They have been called
out for this several times already and some of their extensions got removed
from the store, they invariably turn back up again after a few weeks though
(good connections to Google/Mozilla I guess). Firefox isn’t better than Chrome
in that regard btw as it also turns a blind eye on this kind of data
collection.

Extensions are ideal to exfiltrate data from browsers as they bypass all
security measures and can literally see everything you do on every single page
you visit. It still boggles my mind how you can call a browser secure and
privacy-friendly (in the case of Firefox) and at the same time allow such
blatant abuse for years and years. Me and other people have been pointing this
out since at least 2016 and demanded better security controls for plugins /
extensions but I’m getting really tired of it.

~~~
matheusmoreira
The only trustworthy extensions are uBlock Origin and EFF's Privacy Badger.
Everything else is best viewed as potential malware, no different than random
downloadable executables.

Honestly, uBlock Origin and Privacy Badger are so important at this point they
should just become part of the browser itself. They're already in a league of
their own.

~~~
AareyBaba
What makes uBlock Origin a trustworthy extension? Because it is open-source?

~~~
matheusmoreira
I monitor the issue tracker and explore the source code from time to time. The
developer posts on HN and seems to be committed to the project and everything
it stands for.

I'm not sure if builds are reproducible though. I don't think the author would
allow the extensions to be hijacked by malicious actors but it'd still be nice
to be able to verify a packaged extension was built from a given git commit.

~~~
Crespyl
Reproducible builds for extensions is a good idea that I hadn't considered
before.

Most browser extensions these days are just some JS zipped up with some
metadata and maybe a few assets, right?

There might be trouble with minified JS, but I'd assume most
optimizers/minifiers are either deterministic or could be configured that way.
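
An added example, not part of the thread or of any extension's own tooling: since a packaged extension is a zip archive, it can be checked against a local build of the same commit by hashing each file's content, which ignores zip metadata such as timestamps, file order and compression. The function names, the ignored store-added prefixes and the sample packages are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Paths added by the store when it signs a package; they are absent from any
# source build. Assumed defaults: Firefox signing data and Chrome's _metadata.
STORE_ADDED_PREFIXES = ("META-INF/", "_metadata/")


def content_digests(package: bytes) -> dict:
    """Return {path: sha256 hex} for every file inside a zipped extension."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(STORE_ADDED_PREFIXES):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_packages(local_build: bytes, published: bytes) -> dict:
    """Diff a package built from source against the one the store serves."""
    ours, theirs = content_digests(local_build), content_digests(published)
    return {
        "missing": sorted(ours.keys() - theirs.keys()),
        "extra": sorted(theirs.keys() - ours.keys()),
        "changed": sorted(p for p in ours.keys() & theirs.keys()
                          if ours[p] != theirs[p]),
    }


def make_package(files: dict, date_time: tuple, compression: int) -> bytes:
    """Build a constructed sample zip with a chosen timestamp and compression."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), body,
                        compress_type=compression)
    return buf.getvalue()


# Constructed sample data (not a real extension).
SOURCE = {"manifest.json": b'{"name": "sample", "version": "1.0"}',
          "background.js": b"console.log('hello');\n"}
LOCAL = make_package(SOURCE, (2020, 6, 18, 12, 0, 0), zipfile.ZIP_STORED)
# Same content, different file order, timestamp and compression, plus signing data.
PUBLISHED = make_package(
    {"background.js": SOURCE["background.js"],
     "META-INF/manifest.mf": b"(signature data)",
     "manifest.json": SOURCE["manifest.json"]},
    (2020, 6, 19, 8, 30, 0), zipfile.ZIP_DEFLATED)
# A package whose shipped code differs from the source build.
MODIFIED = make_package(
    {**SOURCE, "background.js": b"console.log('changed');\n",
     "extra.js": b"// not in source\n"},
    (2020, 6, 19, 8, 30, 0), zipfile.ZIP_DEFLATED)

if __name__ == "__main__":
    print("byte-identical archives:", LOCAL == PUBLISHED)
    print("published vs source build:", compare_packages(LOCAL, PUBLISHED))
    print("modified vs source build:", compare_packages(LOCAL, MODIFIED))
```

The comparison only holds if the build step itself (bundling, minification) is deterministic, which is the open question raised in the comment above.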

------
0xy
I wonder if these extensions are so hard to spot because spying is a core
feature of Google Chrome, and most top extensions do this.

For example, the extraordinarily popular extension Honey phones home about
your purchases, shopping habits and other data without adequately disclosing
that fact.

It's hard to see why Google would care when Chrome was always a trojan horse
to co-opt web standards for their own purposes and to prevent measures taken
against invasive tracking and data collection in the first place.

Tracking is built directly into Chrome's source. Chrome will send "X-Client-Data"
headers with a low-entropy identifier on every request to DoubleClick,
an advertising agency owned by Google. DoubleClick's hostname is explicitly
whitelisted in Chrome source code.

Chrome was always meant for massive spying, and any "crackdowns" are only a
reaction to media pressure.

~~~
dontblink
Wow talk about revisionism! Chrome was meant as a hedge against IE and lesser
so against Firefox. Microsoft owned the desktop with Windows and could easily
shut Google out. See the reason surrounding the creation of the Google
toolbar.

Similarly Android is a hedge against iOS and mobile search.

~~~
0xy
IE had bad standards support and bad defaults, while Chrome will actively
track you on practically every site by sending an identifier to a whitelist
including DoubleClick.

Would you be defending it if it was called "DoubleClick Browser"?

Google wants to secure the status quo with their own browser. What is the
status quo? Massive spying, surveillance and tracking.

This is why Safari and Firefox implemented strict measures against third-party
cookies which Chrome watered down until it was practically useless or didn't
implement at all.

If Chrome is such an open and independent project, what do you think are the
chances of a PR being approved that removed DoubleClick from the tracking
header whitelist?

~~~
nl
You claimed:

> Chrome was always a trojan horse to co-opt web standards for their own
> purposes

That wasn't the case. Google was concerned about Microsoft's ability to lock
them out, and the lack of high quality browsers on non-Windows platforms.

~~~
kevingadd
Chrome was great (and offered some unique advantages at the time), but it's
absurd to say there weren't high quality browsers on non-Windows platforms.
Firefox was fine, and WebKit was good enough for Google to decide to adopt it.
They raised the bar by throwing engineering muscle at the problem but there
was nothing "low quality" about Safari, Opera or Firefox at the time.

~~~
dao-
A good part of the initial engineering muscle came from Mozilla. Google used
to pay people working on Firefox, including the Firefox lead developer Ben
Goodger, but pulled them to work on Chrome instead. So they already had a
system set up for moving the web forward, but clearly they wanted more than
that.

------
DuckConference
The other side of this is the many complaints in HN threads about restrictions
on what extensions can do and which ones are allowed. I can't say whether
chrome's extension library strikes the right balance, but I think it's a
difficult tradeoff.

~~~
Mirioron
Instead of just outright limiting extensions you could give users the choice.
Give us an option to make it impossible for extensions to send out data for
example.

~~~
bgdam
Exactly. What Chrome and Firefox should do, is bundle their own analytics
program into the extensions program, make these analytics available via AMO or
Chrome Web Store (already has a very basic version), and remove the ability
for extensions to perform outgoing network requests unless the user explicitly
whitelists the extension. Even then, show big scary warnings about extensions
given this permission being able to steal your bank passwords, just to keep
the less tech-savvy informed.

~~~
Thorrez
One thing extensions commonly do is modify the page. If an extension can
modify the page, it can insert an <img> which will cause a network request to
happen. How do you plan to prevent this? Prevent extensions from modifying the
page?

~~~
AznHisoka
Same suggestion applies. Show users the warning that extensions can modify
your page and have users explicitly approve of it.

~~~
pornel
And they already do that. The problem is, almost every extension has a
legitimate need to read and/or modify the page, so people click through this
permission warning like Vista's UAC.

------
fabian2k
Potentially dumb question here, but would it be generally possible to create a
permissions system for browser extensions that can distinguish between an
extension that is actually sending information based on sensitive sources like
page content and browser history and an extension that only sends harmless
stuff over the network like e.g. asking for updated ad block lists?

I'm imagining something like a sufficiently advanced type system that could
tag data from sensitive sources, and force you to use a different API if you
e.g. want to put that kind of tagged information in a network request. Though
even if this would be available, I suspect there are many more indirect
methods of exfiltrating information e.g. if you have the permission to change
page content, which are probably very hard to impossible to distinguish
effectively from benign stuff.

Some of the most useful extensions need really scary permissions. I don't see
any good way to robustly fix malicious extensions than to create a permissions
system that would make the scary permissions unnecessary for most cases.

The current system is broken enough that I try very hard to minimize which
extensions I use. It's essentially just an ad blocker and a password safe in
my main browser. And then a bunch of dev tools in a different browser I use
for development, but not for browsing in general.

~~~
Asuchug4
It is almost a 'stopping problem'. You can send any data by sending GET with
data encoded in url path, without any query string. How is any sandbox
supposed to detect if you are sending data or really just getting information
(like updating adblock list).

~~~
aembleton
The url path shouldn't change on each call, so ask the user to whitelist each
request the first time that they are made. Subsequent GET requests to the same
endpoint and same params can go through without a prompt.

------
bartkappenburg
I would pay money for an extension that keeps track of the data traffic of other
installed extensions and creates firewall rules (or something equivalent) based
on my permission/deny. (I know that this is the other way around, but
apparently Chrome isn't fixing these data issues...)

~~~
ricardo81
While I only have limited experience writing extensions, this seems doable.

You can most definitely add a hook for every outgoing request, though I'm not
sure if the browser lets you know the origin of the request, i.e. the browser
window or an extension.

If it could, at the most basic level it could write outgoing data to a log
file.

~~~
tim1994
AFAIK this is not possible. I don't think you can block requests made by other
extensions. I assume the API you were referring to is
[https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest)

~~~
ricardo81
I wasn't sure if you could identify the origin of the request, I guess it
makes sense that would not be possible or it could end up being cat and mouse
between extensions.

For me specifically I had done some work with Firefox extensions, pre-quantum.

------
phantom_oracle
This will make the rounds because it has appeared on a large news agency and
will be amplified louder than Joe Blog could do on his/her own, but this isn't
novel or shocking news.

You don't need to look very far to see how shady the internet gets. Go to any
mainstream news website that runs ads and you will see those scam 3rd-party
ads (they used to promote bitcoin ads a few years ago until the mainstream
outrage) you wouldn't click on in a million years.

Now I'm not saying those ads are connected to broader malware, but if you
start there you will uncover these shady operators (I discovered this when I
did a little digging on a streaming website that provided content I could not
obtain from the 32nd streaming service that I have to pay $10 a month to watch
- and the amazing fact is that the same scammy ads you see on majornews.com is
no different to the scammy ones you will see on torrentxyz.com).

------
azinman2
I feel like Google Chrome should just have some icon or other visual indicator
of when an extension has made a networking request. In addition, use the iOS
model of permission and prompt the user when it wants to do something like
access the network or read your browsing history. Perhaps if this happens on a
frequent basis, give another indication that it's happening all the time with
the ability to ignore such warnings. You need to repeatedly show such evidence
to users for them to understand what's happening.

~~~
s_gourichon
Most people would click on any warning without even reading, unfortunately.

~~~
azinman2
Which is why I say "You need to repeatedly show such evidence to users for
them to understand what's happening."

But showing the warning at least lets the more sophisticated people know
what's up, and alerts them sooner that an extension that they previously
trusted in one context now is doing something unexpected post-update.

------
TheChaplain
I'd say most such issues with extensions could be solved if they were "read-
only", i.e. were prevented from inserting data into documents, making or
adding data into outbound requests.

~~~
_puk
Kind of, but you can still leak a lot of information in a simple read-only GET

    GET /realylongstringwithmeaningfulbits/{user identifier}

This is basically what tracking pixels have been doing for years (1x1
transparent PNG).

~~~
TheChaplain
Sorry, I wasn't clear, I meant making _any_ outbound connections from the
extension. If it can read or simply drop (such as for blockers) requests it
should be fine, and make it harder to leak data.

------
sergeykish
A chain is only as strong as its weakest link:

* developer wants compensation

* browser gallery has no resources

* users have no time to audit

Why, as a user of a Linux distribution, do I feel safer than when installing an
extension? I asked maintainers; they have no answer, they don't perform audits.
What if pushing to the gallery and updating automatically is a bad idea?

I mean in Linux distribution maintainers pull updates, they test it and push
to stable. Each distribution can block update, it makes sense for author and
maintainers to easy update with reproducible builds, source version control.
Distribution may audit application - it is much simpler than audit by each
user. Distribution may patch application to its standards.

In theory authors and maintainers can be bought, in practice it is much
harder. And by itself this reduces pressure.

So I believe gallery should be split to trusted and others. And browsers
should allow alternative galleries. I have a few extensions I trust.

What do you think?

------
ComodoHacker
I see this as an argument in favor of native apps. I mean really native, not
Electron-esque ones.

As you more and more turn the browser into an OS, you have to treat it like an
OS. Don't allow unprivileged user to install unsigned kernel modules.

~~~
kevingadd
It's really funny that on native there are all sorts of well-established
models for communication between applications, sharing of files, etc. There
are per-file and per-folder permissions systems, there's per-user permissions,
and programs can be run with differing levels of access. If an app running in
an App Store style sandbox (available on both OS X and Windows) wants to get
its paws on my Outlook inbox files, it has some hard work ahead of it, and
that's pretty nice. Even outside of a sandbox, the tools available to a
regular (non-administrator) process are relatively restricted which helps
limit the mischief they can easily get up to.

And then on the web, you just load pages. Pages are pages, except ones that
come over https get Special Privileges because the Chrome team decided that
was the best way to decide whether user content could be trusted. And pages
that load from the local filesystem are less trusted, because it's only safe
if it's coming through a socket. Any content hosted on a given domain is just
as trustworthy as other content on that domain, and most importantly - very
importantly - if the end user installs an extension, it's very essential that
the extension be able to easily exfiltrate every single byte of your gmail
inbox. After all, pages are pages - why should gmail or my bank be special
compared to any other website?

Nobody put any real thought into how to structure the permissions model to
combat real security threats. WebExtensions (the de-facto Worse is Better
standard) basically dumps a bunch of different features into the 'do anything'
permission bucket and leaves it up to the user to decide whether to trust an
extension, despite the fact that an extension's ownership can change at any
time. If an extension starts out without requesting any permissions,
requesting a new permission (to do something useful) will silently disable
your extension for all your customers - so naturally, what people do is
request every single permission from the beginning, and users click Install
anyway.

It's positively grotesque that the warning for this is still "read and change
all your data on the websites you visit", and that so many trivial things
require it. Chrome still makes no effort to draw your attention to how very,
very dangerous this permission is. Say what you will about the UAC trainwreck
but at least the SmartScreen 'this software is suspect' popups are suitably
scary Red or Yellow and large, legible text.

------
Fiveplus
What extensions do you primarily use on Chrome (if you do)?

My list (on brave) includes:

>uBlock Origin

>Decentraleyes

>Stylus

~~~
AlexanderDhoore
> I don't care about cookies

~~~
rsanek
No need for a separate extension, just go to ublock's filter lists and enable
the cookies list under 'annoyances'

------
amatecha
Get something like Pi-Hole or the MVPS hosts file (
[https://winhelp2002.mvps.org/hosts.htm](https://winhelp2002.mvps.org/hosts.htm)
) to block the majority of ads. Deal with the few ads that remain and enjoy
blocking the vast majority trivially easily, without sharing all your browsing
activity with an extension you can't easily audit the functionality of.

------
endsofinvention
The "mystery" company behind the extensions is Genimous, parent company of
Polarity Technologies. Polarity owns the extension referenced in the Awake
blog post:

[https://awakesecurity.com/blog/google-doppelganger-malicious...](https://awakesecurity.com/blog/google-doppelganger-malicious-chrome-extension/)

------
jaredtn
Which extensions were compromised? Not seeing a list anywhere.

~~~
sergeykish
Mozilla maintains a list
[https://blocked.cdn.mozilla.net/](https://blocked.cdn.mozilla.net/)

It would be nice to have it in Chrome
[https://bugs.chromium.org/p/chromium/issues/detail?id=109643...](https://bugs.chromium.org/p/chromium/issues/detail?id=1096436)
(star it please)

------
tannhaeuser
Is Chromium safe to use, or at least safe to use as packaged with Ubuntu's
snaps? I know, I know, snaps are a difficult topic on their own, but my point
is that, if Chrome's (and Edge's AFAIK) general hunger for data is a generally
accepted fact at this point, then wouldn't employers/enterprises advising to
use Chrome in their corporate networks not put themselves under risk of being
sued for gross neglect in case customer data were leaking from Chrome
sessions?

~~~
zelphirkalt
Well, once at university I saw Chrome installed on all machines, so I asked
why they installed spyware on _university_ machines. All I got was disbelief
and ridicule. These people are not even aware of what they are doing, nor
informed enough to make such decisions.

~~~
tannhaeuser
I guess if it were a CompSci faculty, the therapy is making these actions of
your uni public, then see their academic reputation asymptotically approaching
zero :) Though it's not clear what Chrome sends home, and TFA is only about
Chrome _plugins_, so let's not prematurely start a witch hunt.

------
qmmmur
Yet the majority of people here will read this and continue to use it because
they are 'poweruser' web devs.

------
noir_lord
Other than a couple of minor developer related extensions the _only_ extension
I couldn't live without (in the sense it would make using the web
significantly worse) is ublock origin - which is open source, vettable and you
can install from the source if you really distrust the extension fronts.

------
algesten
Given that they're the engine now, does anyone know if Microsoft Edge is
better than Chrome for privacy?

~~~
Fiveplus
Given that we're on HN, I distinctly remember reading on a comment that the
new Edge supposedly dials home to MS and is not really secure either.

~~~
GoblinSlayer
The concern is not that Chrome dials home to Google, but that any random dude
scatters your data across entire internet.

~~~
Fiveplus
My comment is the answer to a specific comment asking about a tangential
derivative based on the discussion (which is why it is not a new parent
comment under the post itself). Thank you.

~~~
GoblinSlayer
Yeah, I mean a disconnected reply to a tangential question is misleading.

------
dkthehuman
I've been developing Chrome extensions full-time for about a year now [1], and
it's honestly terrifying just how much access extensions have to sensitive
user data.

Best practices I've adopted for my own extension use:

- Create a separate test Chrome profile to try out extensions

- Delete extensions that ask for the overly broad "Read and change all your
data on the websites you visit" permission unless (a) the extension is
open-source (b) backed by a reputable company or (c) has a very good reason for
requesting it, and I trust the makers

One of the biggest issues with extensions today is the permissions model. On
more established platforms like iOS and Android, all sensitive permissions
have to be requested at runtime rather than at install-time, which forces
developers to explain why they need the permissions they ask for. With browser
extensions, there's no such requirement, which leads many developers to ask
for all the permissions they can get because there's no downside to doing so.
That's why over 80% of the top 1000 extensions ask for access to ALL domains
[2], which means they have the power to steal any of your data (emails,
passwords, etc.) on any site if they wanted or became compromised.

I've written about this issue before [3] and the good news is that with
Manifest V3, the Chrome team is planning to require that host permissions
(which specifies the domains an extension can run on) be requested at runtime.
I think the team should go even further and enforce the runtime restriction
for _all_ sensitive permissions, not just host permissions — if you agree,
feel free to chime in on the post I made about it on the chromium-extensions
mailing list [4].

The extension ecosystem is pretty broken right now security and privacy-wise,
but with the upcoming changes, it's headed in a better direction.

[1]
[https://news.ycombinator.com/item?id=22936742](https://news.ycombinator.com/item?id=22936742)

[2]
[https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3Nzz...](https://docs.google.com/document/d/1nPu6Wy4LWR66EFLeYInl3NzzhHzc-qnk4w4PX-0XMw8/edit#heading=h.oenw1ekaaubz)

[3]
[https://www.notion.so/dkthehuman/Day-4-The-Dangers-of-Chrome...](https://www.notion.so/dkthehuman/Day-4-The-Dangers-of-Chrome-Extensions-af93b84006ed48c18b807f512b6c0a07)

[4]
[https://groups.google.com/a/chromium.org/d/msg/chromium-exte...](https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/gJZFu8UsX4M/DigVX25cBQAJ)
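
An added example, not part of the thread or of any browser's code: one way to audit an extension's `manifest.json` for the install-time versus runtime distinction described in the comment above, covering both Manifest V2 (host patterns mixed into `permissions`) and Manifest V3 (`host_permissions`). The function names and the three sample manifests are constructed for illustration.

```python
import json


def is_host_pattern(entry) -> bool:
    """Host match patterns contain '://' or are the literal <all_urls>."""
    return isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry)


def is_all_sites(pattern: str) -> bool:
    """True for <all_urls> or any match pattern whose host part is a bare '*'."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    return bool(sep) and rest.split("/", 1)[0] == "*"


def audit_manifest(manifest: dict) -> dict:
    """Separate hosts granted at install from hosts requested later at runtime."""
    install, optional = [], []
    # MV2 mixes API names and host patterns in one array; MV3 splits hosts out.
    for key, bucket in (("permissions", install),
                        ("host_permissions", install),
                        ("optional_permissions", optional),
                        ("optional_host_permissions", optional)):
        bucket.extend(p for p in manifest.get(key, []) if is_host_pattern(p))
    # Statically declared content scripts run on their matches without a prompt.
    for script in manifest.get("content_scripts", []):
        install.extend(p for p in script.get("matches", []) if is_host_pattern(p))
    return {
        "name": manifest.get("name", "?"),
        "install_time_hosts": sorted(set(install)),
        "optional_hosts": sorted(set(optional)),
        "all_sites_at_install": any(map(is_all_sites, install)),
        "all_sites_on_request": any(map(is_all_sites, optional)),
    }


# Constructed sample manifests (not taken from real extensions).
MV2_ALL_SITES = json.loads("""{
  "name": "sample-a", "manifest_version": 2,
  "permissions": ["tabs", "storage", "<all_urls>"]
}""")
MV3_RUNTIME = json.loads("""{
  "name": "sample-b", "manifest_version": 3,
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"],
  "optional_host_permissions": ["*://*/*"]
}""")
CONTENT_SCRIPT_ONLY = json.loads("""{
  "name": "sample-c", "manifest_version": 3,
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for sample in (MV2_ALL_SITES, MV3_RUNTIME, CONTENT_SCRIPT_ONLY):
        print(json.dumps(audit_manifest(sample), indent=2))
```

The third sample shows why checking only the permission arrays is not enough: a content script matching every site gives the same reach without any host entry in `permissions`.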

------
andirk
I am curious as to how Brave browser works out of the box to thwart these
types of malicious extensions. Brave neuters the common abuses of browser
technology like tracking, but what about detecting third requests _even if you
have agreed to them_?

------
koalaman
I guess Microsoft is timing some negative Chrome PR for their launch.

I was gobsmacked by the way they jammed Edge down my throat in the last
Windows update. Nothing has changed at that company.

------
GoblinSlayer
People want to use IE6 and have security at the same time. History must
repeat.

------
afrcnc
oh, the clickbait

it's just shitty chrome extensions gobbling traffic history to resell to ad
companies

"massive spying" lol... making it sound like cyber-espionage

~~~
dewey
You make it sound like ad companies are more trustworthy than cyber espionage
companies. Do you think the ad companies actually keep all that data? It's
resold, hacked and shared.

------
jimbob45
At this point, I treat Chrome like a Huawei phone: never secure and only to be
used at work for those sweet sweet dev tools.

~~~
tarkin2
I use Firefox’s tools. The console as a tiny editor is cool. I think Chrome
has a better network timeline/waterfall and performance monitor thing. But I
only use those occasionally.

~~~
chopin
I hate Chrome with a passion. But: Annoyingly, Firefox hides the call
stack for some error messages which is especially painful if these come from a
framework. Chrome never fails me to show the entire call stack.

As well inspection of request and response content is painful. Mouse scroll
doesn't work and the horizontal bar shows only up when scrolling all the way
down.

Finally copying and pasting any header content is abysmal. I never get it to
work.

I use Firefox, even for development because I reject any support for Google
but I wish there weren't these usability issues.

