
More on DataSpii: How extensions hide their grabs and how they’re discovered - sohkamyung
https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/
======
gorhill
> The Hover Zoom extension can be seen downloading the 156KB payload

I have tried to find out from the article or the original report[1] how the
extensions could execute the payload from remote servers. I could find no
details about this -- I consider this one of the key points.

I could download and unzip one of the extensions hosted on the owner's server,
"SaveFrom.net Helper".

As expected, the manifest.json contained an entry which allows the extension
to execute code that is not part of the package, in the context of the
extension (i.e. it can access the extension APIs):

    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

I have often pointed out that one of the key issues with the Chrome store is
that it allows extensions with the ability to execute remote code in extension
context[2]; this makes it impossible to code-review such extensions, as they
can at any time download and execute code that is not part of the package.

If privacy and security were a genuine concern, all extensions which ask for
`unsafe-eval` should be removed from the Chrome store -- they are essentially
un-reviewable.

Firefox's AMO does not allow extensions with such ability.[3]

* * *

[1] https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/

[2] https://twitter.com/gorhill/status/1139306139072507906

[3] https://twitter.com/gorhill/status/1139308498825732096

~~~
itcrowd
> one of the key issue with the Chrome store is that it allows extensions with
> ability to execute remote code in extension context

I agree. It is also "strongly recommended against" by the dev page [1]. Do you
know a strong argument to allow unsafe-eval? (i.e. what would be the rationale
for continuing to allow it?)

[1] https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing

~~~
vengefulduck
I bet it’s for user script extensions like Tampermonkey.

~~~
itcrowd
Tampermonkey is also available for Firefox, which doesn't allow unsafe-eval
...

[edit]: just checked, Tampermonkey on Chrome has the following policy:

    "content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"
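
The two manifest policies quoted in this thread (the SaveFrom.net Helper one with `'unsafe-eval'` above, and the Tampermonkey one just posted) are exactly what an auditor would look at first. The following is an added example, not code from the thread or from either extension: a small checker for the `content_security_policy` key of a Chrome extension manifest that reports the two ways a policy lets code outside the package run in extension context, `'unsafe-eval'` and remote `script-src` hosts. It handles both the MV2 string form and the MV3 object form; the finding structure and severity labels are this example's own choices.

```javascript
// Added example (not from the thread or from any extension named in it).
// Audits the "content_security_policy" of a Chrome extension manifest.

// Chrome's default CSP for extension pages; a manifest may only tighten it.
const CHROME_EXTENSION_DEFAULT_CSP = "script-src 'self'; object-src 'self'";

// Parse a CSP string into { directiveName: [source, ...] }. Names are
// lower-cased; a repeated directive is ignored (first one wins), as in CSP.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Extract the extension-page policy from a parsed manifest. MV2 stores a
// string; MV3 stores an object with an "extension_pages" member. No key at
// all means Chrome's default applies.
function extensionPageCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;
  if (csp && typeof csp.extension_pages === 'string') return csp.extension_pages;
  return CHROME_EXTENSION_DEFAULT_CSP;
}

// Sources that do not widen where code may come from.
const INERT_SOURCES = new Set(["'self'", "'none'"]);

// Findings for one policy string. An empty list means the policy is no looser
// than Chrome's default as far as script and plugin loading goes.
function auditExtensionCsp(policy) {
  const findings = [];
  const d = parseCsp(policy);
  const scriptSrc = d['script-src'];
  if (!scriptSrc) {
    findings.push({ directive: 'script-src', source: '(missing)', severity: 'high',
      reason: 'no script-src: nothing restricts where script is loaded from' });
  } else {
    for (const source of scriptSrc) {
      const s = source.toLowerCase();
      if (s === "'unsafe-eval'") {
        findings.push({ directive: 'script-src', source, severity: 'high',
          reason: 'eval()/new Function() allowed: strings fetched at runtime become code with extension privileges, so reviewing the package proves nothing about what runs' });
      } else if (s === "'unsafe-inline'") {
        findings.push({ directive: 'script-src', source, severity: 'medium',
          reason: 'inline script allowed' });
      } else if (!s.startsWith("'")) {
        // Unquoted token: a host or scheme source. A <script src> from there
        // runs in extension context, and what is served can change without
        // a new extension version being published.
        findings.push({ directive: 'script-src', source, severity: 'medium',
          reason: `script may be loaded from ${source}` });
      }
      // Other quoted tokens (nonces, hashes) pin specific content; not flagged.
    }
  }
  const objectSrc = d['object-src'];
  if (!objectSrc) {
    findings.push({ directive: 'object-src', source: '(missing)', severity: 'medium',
      reason: 'no object-src: plugin content may be loaded from anywhere' });
  } else {
    for (const source of objectSrc) {
      if (!INERT_SOURCES.has(source.toLowerCase())) {
        findings.push({ directive: 'object-src', source, severity: 'medium',
          reason: `plugin content may be loaded from ${source}` });
      }
    }
  }
  return findings;
}

// The two questions the thread asks about a policy.
function hasUnsafeEval(policy) {
  return auditExtensionCsp(policy).some(f => f.source.toLowerCase() === "'unsafe-eval'");
}
function remoteScriptHosts(policy) {
  return auditExtensionCsp(policy)
    .filter(f => f.directive === 'script-src' && !f.source.startsWith("'") && f.source !== '(missing)')
    .map(f => f.source);
}

// The two policies quoted in the thread, plus Chrome's default for comparison.
const SAVEFROM_CSP = "script-src 'self' 'unsafe-eval'; object-src 'self'";
const TAMPERMONKEY_CSP = "script-src 'self' https://ssl.google-analytics.com; object-src 'self'";

for (const [name, csp] of [['SaveFrom.net Helper', SAVEFROM_CSP],
                           ['Tampermonkey', TAMPERMONKEY_CSP],
                           ['Chrome default', CHROME_EXTENSION_DEFAULT_CSP]]) {
  console.log(name, JSON.stringify(auditExtensionCsp(csp), null, 1));
}
```

Run against the two quoted policies, SaveFrom.net Helper gets a single high finding for `'unsafe-eval'` and no remote hosts, while Tampermonkey gets no `'unsafe-eval'` finding but one medium finding for `https://ssl.google-analytics.com`; the default policy produces nothing. The distinction matters in review: a remote host source can at least be pinned to a URL you can fetch and read, whereas `'unsafe-eval'` lets any string obtained at runtime, from any origin the extension can reach, become code.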

~~~
heavenlyblue
Firefox doesn’t allow plugins with unsafe-eval to their store.

------
kumbel
This seems like a nightmare especially for corporate IT security. I wonder if
we'll start seeing more company-wide bans on browser extensions?

~~~
JayOC84
I work for one of the companies listed and yes, we're working to block
extensions internally.

------
theamk
Why do browser extensions do so much worse compared to, say, generic Linux
software? I think the biggest problem is lack of reputation -- the "value" of
being a trusted extension author is low; as long as people can find you in the
app store, you'll get the installs.

There are probably many ways to fix this, but one of the least-impactful ways
to do so is to use third parties for extension approval -- if extension
authors do not care about their reputation, let's find someone else who does!

The system would be simple:

(1) Anyone can publish an "extension whitelist", a list of (extension,
version, hash) entries. Maybe it's just a webpage in a special format.

(2) In my browser, I can optionally subscribe to as many extension whitelists
as I want.

(3) If I have any whitelist installed, then any extension version must be on
the whitelist. Auto-update does not work if the next version won't be on the
whitelist.

That's it! I am sure that once such a system is in place, there would be people
who would provide such whitelists. There are already people out there that
examine the source code of extensions they run, as the original article shows.

And additionally, one could make automatic approvals -- say an AV vendor could
scan extensions from app store, and automatically make a whitelist of all
scanned and safe versions.

This will be a big departure from the current extension model, and it will
bring control back to the user.

... and of course, this is why there is approximately 0% chance this or a
similar idea will ever get implemented. Chrome nowadays is not about user
control at all.

------
gruez
Hover Zoom was known to be spyware a _long_ time ago.

https://old.reddit.com/r/chrome/comments/19nndn/hoverzoom_stealing_all_its_users_browsing_data/

~~~
kakuri
Indeed, and I'm glad I saw the discussion and switched to Imagus and then
Hover Zoom+, but if I had missed discussion of Hover Zoom's spyware activity I
would have kept using it. We need better mechanisms of keeping people
constantly informed about bad extensions, and ideally, ways of shutting them
down.

------
fastest963
This is why we need the changes that Chrome is making to their extension APIs
[1][2]. We cannot trust extensions to have access to all URLs since it lets
them collect all browsing history and content. Even if they're not doing it
now, who's to say they won't sell their extension next year to the highest
bidder who will. By forcing content blockers to use a new API that doesn't
expose every visit to the extension itself a whole class of _potentially_ bad
actors can't turn around and sell your data.

The average consumer installing these extensions is not aware of the risks
they come with. An extension could easily be collecting usernames and
passwords for banks, crypto wallets, etc. They have this ability because the
extension requests access to all URLs and it's so common that no one questions
it anymore. I'm glad to see Chrome taking steps to limit that access.

[1] https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html

[2] https://blog.chromium.org/2019/06/web-request-and-declarative-net-request.html

~~~
gorhill
> I'm glad to see Chrome taking steps to limit that access.

Given your opinion, I think it is important to disclose that your Twitter
profile says "Co-Founder @ getadmiral.com"[1] -- Admiral's primary purpose is
to counter content blockers[2]. I have repeatedly pointed out that Google's
manifest v3 plans will cripple uBlock Origin[3].

* * *

[1] https://twitter.com/jameshartig

[2] "Admiral is the industry’s leading adblock revenue recovery specialists"

[3] https://twitter.com/gorhill/status/1139186208049905664

~~~
ryeights
...and there it is

