

Think twice before installing Chrome extensions - vgnet
http://www.securelist.com/en/blog/208193414/Think_twice_before_installing_Chrome_extensions

======
Adaptive
Chrome extension users are suffering Warning Fatigue.

The user can review some information about access permissions but so many
extensions make the same plea: "I know that my extension is using lots of
permissions, but it's totally safe".

Much like Windows and Android, the endless alerts about permissions and
confirmations, while perhaps holding real information, end up becoming little
more than noise.

Combine that with a free-fire zone where apparently little moderation or
pruning occurs... it's bad news waiting to happen.

(edit: I'm a Chrome user in addition to FF and I use a lot of extensions...
they are super useful, but I have serious concerns about this)

~~~
aboodman
Reducing the typical permission level, and the resulting warning fatigue, is
our team's highest priority right now.

For example, the new permissions API can be used to request permissions at
runtime, rather than install time:

<http://code.google.com/chrome/extensions/permissions.html>

And the new webRequest API can be used by many extensions in lieu of content
scripts:

<http://code.google.com/chrome/extensions/webRequest.html>

There's a lot more we have planned though. Personally, I would like to
eventually get to a world where many extensions - in particular the ones that
novice users usually see - require no warnings at all. I think that can be
done by putting access to most elevated privileges behind explicit user
gestures (like clicking a button or invoking a keyboard shortcut).

In general, balancing utility and security in a browser extension system turns
out to be a very, um, interesting design problem. But I think we have some
good, new ideas coming. Now, just need to implement them.
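
The "ask at the moment of use, behind a user gesture" idea from the comment above, as an added example that is not part of the thread or of Chrome's own code. The `optional_permissions` manifest key and the `chrome.permissions.request` / `chrome.permissions.remove` calls are the real API the comment links; the `fakeChrome` stand-in, the `example.com` origin and the `fetchPrices` / `report` names are constructed for illustration.

```javascript
// Added example, not code from the thread or from Chrome itself: the
// "request at time of use" pattern behind the permissions API linked above.
// The host is listed only under optional_permissions, so installing shows no
// host-access warning; the grant is requested inside a user gesture (which
// chrome.permissions.request requires) and released when the task completes.
// Constructed manifest.json fragment:
//   "permissions": [],
//   "optional_permissions": ["https://example.com/*"],
//   "browser_action": { "default_title": "Fetch prices" }

// chromeApi is injected so the flow can be exercised outside a browser;
// work(finish) does the privileged task and calls finish(result) when done.
function withTemporaryHostAccess(chromeApi, origin, work, done) {
  const scope = { origins: [origin] };
  chromeApi.permissions.request(scope, function (granted) {
    if (!granted) {
      // User declined: nothing privileged runs and there is no retry nag.
      done({ granted: false, result: null });
      return;
    }
    work(function (result) {
      // Hand the grant back so a later malicious update of this extension
      // cannot silently reuse a permission given for a single click.
      chromeApi.permissions.remove(scope, function () {
        done({ granted: true, result: result });
      });
    });
  });
}

// Constructed stand-in for chrome.permissions (callback style, as in the
// API of the time); userAccepts models the user's answer to the prompt.
function fakeChrome(userAccepts) {
  const api = { prompts: 0, granted: new Set(), permissions: {} };
  api.permissions.request = function (scope, cb) {
    api.prompts += 1;
    if (userAccepts) scope.origins.forEach(function (o) { api.granted.add(o); });
    cb(userAccepts);
  };
  api.permissions.remove = function (scope, cb) {
    scope.origins.forEach(function (o) { api.granted.delete(o); });
    cb(true);
  };
  return api;
}

// In a real background page the gesture is the toolbar-button click:
// chrome.browserAction.onClicked.addListener(function () {
//   withTemporaryHostAccess(chrome, "https://example.com/*", fetchPrices, report);
// });
```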

~~~
Adaptive
Thanks for commenting on this. Glad to hear you are tackling what is
definitely a hard problem without turning it into a completely walled garden.

Do you discuss this problem space with the Android Market/Play team? It seems
to have not only a lot of overlap in terms of problem domain, but likely a lot
of overlap in terms of actual users.

------
andrenotgiant
The possibility of what malicious extensions could gain access to (credit card
#s, passwords, bank accounts, email accounts), combined with the ease of
installing and lack of suspicion users have with these extensions really
scares me.

Does anyone know how actively moderated the Chrome Extensions store is?

I know recently Google made all developers use a credit card to verify names
better, but this seems more of a reactive safety measure, i.e. after lots of
people get hacked, Google can provide prosecutors with information.

~~~
aderaynal
It is not moderated at all. Updates to existing extensions are available
within seconds on the chrome webstore...

------
matznerd
It is definitely not moderated, I've had multiple plugins inject ads into my
web browsing. One was a Facebook app to enlarge photos and it started adding
these banners to the sides of Facebook. I thought it was Facebook using a new
form of ads until I realized otherwise. I had another do it on Yelp...

------
fruchtose
The article does a good job of showing what can go wrong with Chrome, but I
have a gripe with the article itself. Notice that it uses very subtle fear
mongering in the way they printed the JavaScript code. At first glance, I
thought it was going to be a screenshot of a Windows BSOD. I'm not sure what
the author is trying to accomplish (code = evil?) but at the very least the
screenshots are ugly and garish.

~~~
dchest
BSOD? It's a pretty well-known old color scheme used in many DOS programs
(<https://encrypted.google.com/search?tbm=isch&q=dos+editor>).
This one is probably from FAR Manager's editor/viewer.

What color scheme does your text editor have? Is it evil and fear mongering?

~~~
fruchtose
Pardon my ignorance, but the last time I saw DOS was around the time I was six
years old. Thank you for providing some insight on this subject. DOS text
editors are before my time.

