

Why Do Chrome Extensions Need to Access All My Data? - bradleybuda
http://lifehacker.com/5990769/why-do-chrome-extensions-need-to-access-all-my-data

======
borisjabes
A couple of notes on the article:

1\. I'm really surprised legit vendors like LastPass don't become verified
authors on the Chrome webstore; it's trivial to set up. We were able to do this
for Meldium easily.

2\. Joe's comments that it's hard to write an extension that steals data does
not seem very true. Someone who is dedicated can do a lot with JavaScript.

3\. The author doesn't mention the model Mozilla follows with its addons:
actual humans code review extensions to determine trustworthiness. They reject
extensions containing obfuscated code for example.

~~~
rictic
Agreed. It would be a rather short script to, e.g., send every js-accessible
cookie on every site you visit up to a third party. It doesn't take a lot of
code to capture a lot of high value data. The supposition that it does is
quite strange.

------
jonknee
Chrome is addressing this with a feature that grants access on a temporary
basis to the active tab. This is a great improvement for many types of
extensions.

<http://developer.chrome.com/beta/extensions/activeTab.html>

> The activeTab permission gives an extension temporary access to the
> currently active tab when the user invokes the extension - for example by
> clicking its browser action. Access to the tab lasts until the tab is
> navigated or closed.

> The main benefit of the activeTab permission is that it displays no warning
> message during installation.
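
An added example, not part of the thread or of Chrome's own code: a small Node.js audit that sorts a manifest's declared permissions into all-site host patterns, `tabs`, and the warning-free permissions mentioned in this thread (`activeTab`, `storage`). The two sample manifests are constructed, and the list of all-site patterns covers the common ones only.

```javascript
'use strict';

// Common host patterns that match every site (the "all your data" warning).
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// Permissions the thread notes as producing no install-time warning.
const NO_WARNING = new Set(['activeTab', 'storage']);

function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(p);
}

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  // Content-script match patterns grant page access as well.
  for (const cs of manifest.content_scripts || []) declared.push(...(cs.matches || []));

  const report = { allSites: [], specificHosts: [], tabs: false, noWarning: [], other: [] };
  for (const p of new Set(declared)) {
    if (ALL_SITES.has(p)) report.allSites.push(p);
    else if (isHostPattern(p)) report.specificHosts.push(p);
    else if (p === 'tabs') report.tabs = true;
    else if (NO_WARNING.has(p)) report.noWarning.push(p);
    else report.other.push(p);
  }
  report.broad = report.allSites.length > 0; // true when every site is reachable
  return report;
}

// Constructed manifests: the same click-to-run feature declared two ways.
const broadManifest = {
  name: 'Page Clipper (constructed)',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
};
const narrowManifest = {
  name: 'Page Clipper (constructed)',
  permissions: ['activeTab', 'storage'],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(narrowManifest));
```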

------
VeejayRampay
Hi, would someone be kind enough to explain why exactly the article and
subsequent comments are limited to Chrome?

Doesn't the very same problem exist with Firefox extensions / add-ons? After a
quick online search, it seems that this problem is far from being a Chrome
thing...

[1] <http://www.computerworld.com/s/article/9152578/Mozilla_confirms_infected_Firefox_add_ons_slipped_through_security>

[2] <http://www.networkworld.com/columnists/2009/020309antonopoulos.html>

~~~
bpatrianakos
Because a reader asked a question specifically about Chrome. The article
begins, "I'm a big fan of Google Chrome and I love using extensions. However,
I've noticed that a lot of them request permissions to access all of my data
on every site. Why is this?".

------
gingerlime
This is also true for android apps.

They ask for permissions that are very hard to figure out as a user.

When the user is faced with two options:

1\. Click Ok and get started with this app that looks cool.

2\. Click No, and go back to the previous screen without the app.

The choice becomes pretty obvious.

My wife simply ignores it and clicks ok. I'm sure most users do the same after
the first or second app they install and from then on it becomes a reflex
response. Install. Ok. Ok.

~~~
IheartApplesDix
Woe is the poor user, who is forced to make do with a free app that violates
his privacy. Woe is the poor programmer, who is forced to offer his app for
free.

I mean, there is obviously no other solution. We should just quit complaining
about it.

~~~
mehrzad
> there is obviously no other solution

I don't like it in games, but for
applications a freemium model (I hate the buzzword too) seems to be best for
developers. Charge for extra features, like Instapaper, App.net, etc.

Or go the route of free without ads and hope that the goodwill leads to
recognition and donations.

~~~
IheartApplesDix
Freemium is best for software firms with accounting departments, not
developers, and not users. 99% of people writing software do not work for
Valve or Google. If you are writing quality software, charge for it and people
will pay for it. If you're porting another butt scratching tip calculator with
twitter integration, then perhaps freemium is just the 5th buzzword you need
to get that billion dollar eval.

------
r3m6
The amazing thing here is: A few of my non-programmer friends told me that
they would NEVER install a Chrome extension that can access all their data.

At the same time, all of them have no issue at all installing a regular
Windows application from, say, Download.com. They are surprised when I tell
them that any Windows application can not only access all their data but could
also format their hard drive...

To cut a long story short: Google does a good job of educating users.
Microsoft should follow (and innovate with a more fine-grained security
system).

------
Mahn
_No one would likely be able to cram enough code into a single plugin to
manage to get "all" your information and still have a functioning plugin in
only JavaScript._

Does not compute. I don't see the logic in this statement.

~~~
borisjabes
Agreed, that's definitely the weakest statement in the article. Mozilla does a
better job here by having human editors review extension code.

------
cickpass_broken
For any Extension developers, there are some workarounds to avoid asking for
the "tabs" permission.

If you just need to know when a tab is visible for your content scripts to do
things, use the Page Visibility API[1].

If you want your Extension's background scripts to notify all content scripts
of something, you can rely on the `chrome.storage.onChanged` event. The storage
API does not warn users about permissions[2].

If anyone's interested in code samples, I could throw some snippets in a
gist.

[1] <http://www.w3.org/TR/2011/WD-page-visibility-20110602/#sec-page-visibility>

[2] <http://developer.chrome.com/extensions/permission_warnings.html#nowarning>
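
The pattern described in the comment above, as an added example that is not the commenter's code: a background script broadcasts by writing to `chrome.storage.local`, and a content script reacts through `chrome.storage.onChanged`, deferring work with the Page Visibility API while the tab is hidden. The key name `broadcast`, the sequence number and the function names are assumptions made for illustration.

```javascript
'use strict';

const BROADCAST_KEY = 'broadcast'; // hypothetical storage key

// Background side: a write to storage reaches every context of the extension
// that listens on storage.onChanged. The sequence number keeps each write
// distinct from the previous one. Anything written here is readable by all
// of the extension's content scripts, so it should not carry secrets.
function broadcast(chromeApi, payload, seq) {
  chromeApi.storage.local.set({ [BROADCAST_KEY]: { seq, payload } });
}

// Content-script side: handle broadcasts only while the page is visible and
// replay the latest one when the page becomes visible again.
function listen(chromeApi, doc, handle) {
  let pending = null;
  chromeApi.storage.onChanged.addListener((changes, areaName) => {
    if (areaName !== 'local' || !(BROADCAST_KEY in changes)) return;
    const msg = changes[BROADCAST_KEY].newValue;
    if (msg === undefined) return;             // key was removed
    if (doc.visibilityState === 'visible') handle(msg.payload);
    else pending = msg;                        // defer until the tab is shown
  });
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'visible' && pending) {
      handle(pending.payload);
      pending = null;
    }
  });
}

// Inside an extension the real objects are passed in; elsewhere (e.g. Node)
// nothing is wired, so the file loads without a browser.
if (typeof chrome !== 'undefined' && chrome.storage && typeof document !== 'undefined') {
  listen(chrome, document, (payload) => console.log('broadcast:', payload));
}
```

The manifest for this needs only the `storage` permission plus whatever match patterns inject the content script; `tabs` is not declared.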

------
crandles
I think it would be beneficial for Chrome (Android as well) to allow for an
app to have a dynamic set of permissions.

Instead of requiring all web access just so an app can perform an action on
any page (when you decide for it to) - what if a specific user action could
grant temporary/permanent access to a domain? E.g. Clicking an icon if the app
is in the toolbar, or selecting a certain action from a menu.

Chrome has a way to prompt for temporary permissions - but this brings up an
alert box, and that is never ideal, it would be nice if the user interaction
could be taken for permission.

edit: apparently it's in beta (<https://news.ycombinator.com/item?id=5383011>)

~~~
gizmo686
Other features I wish Android's security model had are 'soft permissions' and
'pseudo permissions'.

Soft permissions would be where an app can function without permission, but
has feature(s) that require it. For example, if I install a game, I should be
able to play it without giving it internet access. However, if they want to
have an online high-score system they must require that I give them internet
access in order to install the app.

Pseudo permissions would be where the app thinks it has permission to use
something, but it is really receiving bogus data. For example, say an app
'requires' access to my phone's GPS system (when such access is not critical to
the function of the app), it would appear to the app that it has access, but
the data it receives would not correlate to the actual data.

I think I recall seeing a project to implement both of these features in
Android, but I do not recall what it is called.

------
hrwl
Am I paranoid for not wanting to install any extensions in Chrome? There are
some I'd like to use, Feedly is an example, but I can't get past the part of
allowing them access to anything on any website. I would prefer something that
lets you allow access on a case by case basis.

------
nooneelse
Perhaps all data access by extensions should be logged. It wouldn't be of much
interest to most programming laymen, but it would be more
accessible/understandable than pointing them to Extension Gallery and Web
Store Inspector so they can look at the code. I wouldn't recognize
well-obfuscated code that can grab my CC#, but I can recognize the number itself
just fine.

At the least, it would let everyone know that their extension's activities are
being watched. And laymen knowing that extension authors know that this
activity is watched would be reassuring to the laymen.

Could such logging be done by a separate extension?

------
Silhouette
On Windows, Chrome also deliberately circumvents the normal system security
model, installing in the unprotected user directory rather than as a real
application in order to allow its background updates.

It also installs (silently, without permission, and for reasons unspecified) a
Firefox plug-in, and it reinstalls/reactivates that plug-in even if the user
has explicitly chosen to disable it.

It amazes me that Google seem to get such a free ride with Chrome. A lot of
the things it does are either indistinguishable from a lot of the things that
malware does or leaving itself wide open to compromise if malware gets onto a
system by some other mechanism.

~~~
jmillikin

> [Chrome] also installs (silently, without permission,
> and for reasons unspecified) a Firefox plug-in, and it
> reinstalls/reactivates that plug-in even if the user has
> explicitly chosen to disable it.

Could you elaborate more on this? Most of my machines have both Chrome and
Firefox installed, but I don't see any unexpected or Chrome-related plugins in
Firefox. A web search for [chrome installs firefox plugin] also turns up no
relevant hits.

~~~
Silhouette
Interesting. Right now I'm looking at a Firefox plug-in called Google Update
1.3.21.135 in Firefox, which I recently disabled (again) because it offers no
uninstall option. I certainly didn't put it there myself, nor have I ever
knowingly approved it. I just checked, and a similar plug-in has been
installed on every other machine we've got handy. Is it possible that you've
got something installed that somehow blocks this? It's been happening for
years for us, causing much gnashing of teeth.

[Edit] Here's a link describing the plug-in:
<http://superuser.com/questions/156913/what-is-the-google-update-firefox-add-on>

~~~
nivla
You are right, I just went through my Firefox plugins and I see "Google
Update" along with a few "Google Talk" plugins. Given that I installed Firefox
after Chrome, could those plugins have been installed and updated with Google
Talk or does Chrome have an active app monitoring in the background?

------
andyl
I don't trust Chrome with sensitive data.

It's not that Firefox is so much better. But Mozilla doesn't have Google's
motive or ability to cross-correlate data-streams.

------
zspade
Working in IT security at a large corp, this is exactly why we cannot allow
install of Chrome on any machine in the firm.

~~~
joelthelion
Wide-ranging policies like this actually damage security as users will do
anything to access the functionality that they want.

Plus they will make users hate you.

~~~
Silhouette
There is truth in this, and always some tension between users and IT/corporate
security.

But the bottom line is that the machines are there for work, and a single
security problem caused by a single careless/uneducated user _can_ cause
devastating consequences for the organisation as a whole, so I find myself
increasingly taking the IT guys' side on this one.

Put it this way: the employee who wants to install Chrome because it's their
favourite browser or to bring their own device because they don't want to
carry a second company one probably isn't the employee who's going to get
paged at 3am and then spend all weekend reinstalling clean images on
compromised machines if there's a security breach, nor the one who is going to
have to explain to senior management why the company has lost $6M this week
due to downtime because the recovery had to happen during business hours.

So unless the user wanting to break the rules is willing _and able_ to
underwrite all potential losses to the employer, which they aren't, it is
perfectly reasonable to not only restrict what they can do with the employer's
systems but also to penalise them severely if they try to circumvent those
rules.

~~~
sethist
This is an oversimplification and the type of thinking that gets IT labeled as
nothing more than a business cost center. IT shouldn't just be limited to
preventing downtime and making sure things continue to work. It should also be
focused on making employees more productive. You might say allowing Chrome
cost the company $6 million due to downtime, but are you factoring in the
potential losses from having a more draconian IT policy? For example, how much
more productive would employees be if they could automate part of their normal
workload with a good browser extension or how does a more employee-focused IT
policy alter employee morale and in turn employee retention?

~~~
Silhouette
Of course I was oversimplifying, and of course any good IT department
recognises that its job is to help other people do theirs. I did start by
acknowledging joelthelion's point, and I have no problem with the idea that
someone who has a genuine business need to do something outside the normal
rules should be able to request a reasonable exception to whatever general
policies might apply.

However, you need an awful lot of indirect benefit to make up for one screw-up
that breaches corporate security, particularly if you work in a regulated
industry like healthcare or finance. Lawyers and industry regulators don't
care about any goodwill you got from letting Bob bring his own laptop to work
if Bob's laptop was subsequently left on a train opening access to thousands
of customers' medical records or credit card details. You could probably have
fired Bob and hired an entire team of other people who didn't care about using
their own laptop with the money you're instead paying as a fine for that one,
though perhaps not so much if the business collapses due to the adverse PR and
an executive or two gets thrown in jail for negligence.

------
joelthelion
How do Firefox extensions fare?

~~~
msujaws
Extensions found at <https://addons.mozilla.org/> get reviewed by a human. If
there are issues with the code (obfuscated, security risks, etc.) the add-on is
not approved.

