
Ask HN: Are People Overlooking the Dangers of Browser Extensions? - CM30
Because as strange as it sounds, the generous permissions they often ask for and the fact they can modify all the pages you're viewing mean that they'd theoretically be a great vector for man in the middle attacks, and bring back the exact problems https supposedly solved.

They also seem like a great way to manipulate audiences with 'fake news' or 'misinformation'. Imagine a fake version of adblock that replaced news site content with propaganda or what not. That could be far worse than anything any 'Russian trolls' ever could do, and could even let an adversary manipulate a group into thinking the world is against them (since their posts about such content would appear as gibberish to everything else, and get them banned from social media sites).

Just feels like there are a ton of sneaky things that could be done here, and that the way Google and co are handling these things could be extremely dangerous in the long run.
======
MiddleEndian
With both Chrome and Firefox preventing users from running unsigned extensions
at all, even with a configurable option, we are being too paranoid about
extensions in my opinion, handing our decisions over to centralized
organizations.

If I lost the ability to filter out shit on the web, whether it be ads, the
junk YouTube displays over videos, or just things that I find visually
unpleasant, I'd probably stop browsing most sites. User control is more
important than anything, in my opinion.

~~~
jordanthoms
You can still load any old unsigned JS in Chrome by going to
chrome://extensions, turning on developer mode and choosing 'Load Unpacked'

~~~
MiddleEndian
In Firefox I could also enable a developer profile but it's still a pain and
not equivalent to just a setting.

------
olliej
People who care about security* are acutely aware of the potential damage an
extension can cause, that’s why browsers have been increasingly locking down
what extensions can do, and locking down installation mechanisms.

All browsers have invested significant effort in technical controls designed
to prevent malicious apps from installing extensions automatically.

That said, do end users misjudge the safety of extensions? Maybe: I would guess
that people who would not download and run random binaries could be convinced
to install an extension - essentially the user is judging an extension as
being safer than a regular download. But that assessment is not wrong: an
extension runs in a much more tightly constrained environment, is
theoretically at least marginally more vetted than a random download, etc.

* not talking about end users who care about security, but rather the engineers ensuring that a platform is secure and robust.

------
cypherg
It's def something that the security folk in sv are looking at. See:
[https://github.com/facebook/osquery/blob/master/packs/unwant...](https://github.com/facebook/osquery/blob/master/packs/unwanted-chrome-extensions.conf)
Problem is that it's currently only reactive.
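
As an added example (not the osquery pack linked above, nor anything from that repo), a small Python audit of extension manifests for the combination the thread worries about: broad host access plus a way to rewrite pages or traffic. The two manifests are constructed samples, not real extensions.

```python
import json

# Permissions that let an extension intercept or rewrite traffic and pages.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "proxy", "debugger", "nativeMessaging",
}
# Host match patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions): a pretend ad blocker
# that could rewrite every page, and a modest one limited to one host.
SAMPLE_MANIFESTS = [
    {"name": "Sample Ad Blocker (constructed)", "manifest_version": 2,
     "permissions": ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                          "run_at": "document_start"}]},
    {"name": "Sample Tab Tool (constructed)", "manifest_version": 3,
     "permissions": ["activeTab", "storage"],
     "host_permissions": ["https://example.org/*"]},
]


def is_broad_host(pattern: str) -> bool:
    """True when a match pattern applies to every site (any scheme, any host)."""
    return pattern in BROAD_HOST_PATTERNS or pattern.startswith("*://*/")


def audit_manifest(manifest: dict) -> dict:
    """Summarise what one manifest would let the extension do to pages and traffic."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = sorted(h for h in hosts if is_broad_host(h))
    # Broad host access plus a way to change pages or responses is the
    # "modify every page you view" capability discussed in the thread.
    can_rewrite = bool(broad) and (
        bool(manifest.get("content_scripts"))
        or bool(perms & {"scripting", "webRequestBlocking", "declarativeNetRequest"}))
    return {"name": manifest.get("name", "?"),
            "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
            "broad_hosts": broad, "can_rewrite_all_pages": can_rewrite}


def audit_all(manifests=SAMPLE_MANIFESTS) -> list:
    return [audit_manifest(m) for m in manifests]


if __name__ == "__main__":
    for report in audit_all():
        print(json.dumps(report, indent=2))
```

To run it against a real profile, load each extension's manifest.json with `json.load` and pass the list to `audit_all`; a True `can_rewrite_all_pages` is a prompt for review, not proof of malice, since legitimate ad blockers need the same access.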

------
elwell
This happened recently with a fake version of MetaMask stealing crypto.

------
cecja
There is a pet peeve I have with Firefox in regard to extension security.
While Chrome disables all extensions in private browsing, in Firefox they are
all enabled. So since most people use private browsing for critical sites like
banking, if there is a rogue extension you are completely exposed in
Firefox. Even if you disable the extensions in private, they are active again
the next time you start it. I filed a bug months ago; not a single response.

