
Popular Google Chrome extensions are constantly tracking you by default - kevindeasis
http://labs.detectify.com/post/133528218381/chrome-extensions-aka-total-absence-of-privacy
======
oelmekki
> more often than not, the extensions are also embedding third-party scripts
> which are gathering all your browser traffic.

As someone who writes a lot of chrome extensions, I find that annoying, not to
mention a bit insulting. Please provide the complete list of bad behaving
extensions instead of implying we're mostly writing extensions to lure users
into a trap.

There are so many cool things you can do with chrome extensions, which are
largely unexplored yet. Actually, it reminds me of the state of javascript in
the early 2000s. It was not uncommon then, too, to say javascript developers
were only in it to write malware and javascript should be avoided as much as
possible. What would the web look like today if we had listened to them?

Now, the state of chrome permissions is indeed very bad. It is very
restrictive by essence (you wouldn't have that many restrictions writing a
desktop app, and you could do way more harm), but it makes everything look
suspicious. Do you need to access something to build a feature? Now the user,
when installing the extension, will catalog all the bad things you could do
with this permission.

The worst part is, the perimeter of permissions is often poorly delimited. Do
you want users to be able to use an extension that enhances their experience
on a website of their choice? You have to ask to be able to edit just any
website. You often reach the "this extension can read all your browser
history" state when you couldn't care less.

I would gladly pay google to review my extension code and mark it as trusted.
The confusion between good and bad developers must stop.

~~~
makomk
They can't provide a list not just because it's widespread, but because
extensions can silently add this through automatic updates. Even if your
extension is clean right now, and even if you wouldn't add anything like this
yourself, you could sell your extension to someone a year or two down the line
and the buyer could start tracking all your users' browsing with no
notification to them.

~~~
oelmekki
I get your point, but the same argument could be made to say we should avoid
having computers, or at least avoid connecting them to a network :) (any
hardware or software company could be sold to bad people who will find clever
ways not to be detected)

There is a trust issue here, not sure why it hits chrome extensions harder
(although, I'm pretty sure the whole permissions system made people turn
paranoid). We will probably need some kind of trusted party audit system to
get further.

Also, the list of extensions they have should be published, IMO, even (and
especially) if developers are not aware of it. These should be treated as
vulnerabilities and disclosed so there's a chance to take action on them.

------
melted
This is basically why I only install a few extensions from trusted developers
such as Google, EFF, and uBlock. Google tracks me anyway, EFF doesn't track me
and it would destroy their reputation if they chose to start tracking, and
uBlock Origin is the only popular remaining adblock extension which hasn't
sold out (yet).

Edit: uBlock Origin is the one that doesn't suck, uBlock is to be avoided.

~~~
hartator
uBlock origin, beware of uBlock.

~~~
jokoon
I've read the difference, ublock doesn't seem very harmful, why should I be
wary? Is it just because it's not free on iOS or something?

~~~
tim333
It's a question of the character of the people running the thing. The ublock
guy seems a bit sketchier than the ublock origin guy.

------
kawera
For those looking for a HoverZoom alternative, Imagus[1] works very well and
does no tracking. (just a happy user)

[1]
[https://chrome.google.com/webstore/detail/imagus/immpkjjlgap...](https://chrome.google.com/webstore/detail/imagus/immpkjjlgappgfkkfieppnmlhakdmaab/related?hl=en)

------
myztic
When it comes to Google and Data Collection just always assume the worst. Not
to bash on Google, I am no hater, but it's what they make money with. Browser
for free? Google Mail with 15 GB of storage? We all know their business model.
Either you pay with money or with information.

I have been non-trusting of many Scripts for years now, call me paranoid, but
if Facebook actually has the capability to just track you via Facebook Scripts
that are executed on every site you have the option to Log in with Facebook or
share via Facebook directly from the site, why would they not do it?

Google also tries to keep you logged in by all means possible.

I block their Scripts, only temporarily allow if I need them, I don't keep
cookies for longer than my current session except for Fastmail, I use VPN,
have no DNS-Leak and WebRTC Detection turned off (last I checked you could not
turn WebRTC Detection off in Chrome and the Extensions promising to do that
were not working).

And that's also why I use Mozilla Firefox. Not because it's the technically
better browser, but I have trust in Mozilla and their API just allows
capabilities Chrome isn't capable of (that's why there is no NoScript in
Chrome and no, there is no NoScript-Alternative in Chrome with the same
features and capabilities, look it up).

Back when I used both Chrome and Firefox side by side, Firefox for example
would turn off some Add-Ons/Extensions in Private Browsing Mode, while Chrome
would not. I guess we all can grasp what most likely was the reason for it
(Add-Ons/Extensions should not be able to obtain information from the user if
in private browsing).

I am not saying that everyone should do it this way, I even recognize I am not
the normal user and this is not for everyone, but complaining about Google
because of Data Collection is like complaining about Facebook and the
information they have about people while using it heavily and putting
sensitive information up on it willingly. Get over it ;)

~~~
kevindeasis
Well, the topic of the article is not Google collecting data. It is about
Chrome extensions.

I can agree to some parts of what you said.

~~~
myztic
Yep, but since Google's whole business model revolves around monetizing user
information, I am not surprised about this article. Google's Motto is "Data
Collection for monetary purposes is not evil".

Think about Android Application Permissions for example, I am not sure whether
or not you now can revoke permissions one by one on your own (think I read
something about this), but for how long was this not possible?

~~~
stingraycharles
This has nothing to do with Google's business model. This is about the
business model of extension developers.

~~~
myztic
It's also what the Platform allows the Extension Developers to do and the
users not to do.

One Example? I have been disabling what Apps get access to on my Blackberry
for I don't know how long. Forbid Whatsapp to have Access to the Camera? No
Problem, if I want to make a photo from within Whatsapp it then says something
that it isn't capable of doing so, just how it should be.

How a Browser behaves in private Browsing also is a browser-side issue.
Whether or not the API allows Extension developers to give users the
functionality NoScript for example provides to its users is also a
browser-side issue.

See for example here (you won't see Google spearheading this cause)
[http://techcrunch.com/2015/08/14/mozilla-makes-private-brows...](http://techcrunch.com/2015/08/14/mozilla-makes-private-browsing-more-private-in-firefox-adds-tracking-protection/)

The distinction between "This concerns only the Extensions" and "this concerns
only the browser itself" is not as clear and easy as you say it is, especially
in this case.

Since Google is all about obtaining information and using it, I don't think
they are to be trusted in developing a browser that is highly concerned with
user's privacy. Everybody has to make their own decision.

~~~
kevindeasis
So do you feel like Google Chrome as a platform is not giving you enough
information about what the Google Chrome extensions are doing and not giving
users enough power to act on such information?

Also about firefox, from the comments in this discussion by zetafunction:

zetafunction 5 hours ago:

    From the article:
    Are Firefox extensions any better?
    To be honest, no.

------
sheensleeves
I would have thought that past 1,000,000 downloads you could trust the plugin
but that is shown to be wrong. With Windows software I do a skim of the
Wikipedia article for controversy as a sanity check but there aren't any for
these extensions.

Previously I would search the app's name + some obvious terms like malware but
those results are too spammy to be helpful now. Extensions are very useful, so
I'd hope there'd be some reaction from Google on this.

------
xnx
Are there any adblocker-like/privacy-proxy tools to neuter extensions like
this?

~~~
plorg
uBlock Origin can be used to block requests made by the browser and by
extensions. The logger UI allows you to inspect these requests, and the
'behind-the-scenes' keyword can be used instead of a domain to construct
blocking rules.

See [https://github.com/chrisaljoudi/uBlock/wiki/Behind-the-scene...](https://github.com/chrisaljoudi/uBlock/wiki/Behind-the-scene-network-requests),
which is applicable to both uBlock and uBlock Origin.

~~~
gorhill
> uBlock Origin can be used to block requests made [...] by extensions

This is no longer true for the Chromium version. There were changes in
Chromium which now prevent extensions from being able to inspect/block network
requests made by other extensions.

See:
[https://github.com/gorhill/uMatrix/issues/338](https://github.com/gorhill/uMatrix/issues/338)

~~~
plorg
Well that certainly is disappointing.

------
borski
Extensions have a lot of power. We've written about a situation in the past
where an extension actually XSS'd sites unintentionally, even if the site
itself had XSS protections built-in:
[https://www.tinfoilsecurity.com/blog/building-a-browser-exte...](https://www.tinfoilsecurity.com/blog/building-a-browser-extension-be-careful-not-t-17787)

------
xirdstl
Once in awhile, I just yearn for the good ol' days of ActiveX.

~~~
tajen
ActiveX awesomely enabled a popular antivirus to execute from a webpage. Or at
least that's what I understood at the time, but nevertheless that's the day I
switched to Firefox.

------
hyperknot
Does anyone have any knowledge about Wappalyzer? I cannot find it on this
list, but it requests an inject.js on every webpage, even if the anonymous
data sending is switched off in options.

It's quite a popular and valuable extension for web developers, I hope someone
can explain how it works.

~~~
ycosynot
I read the file, it seems safe to me. It keeps track of javascript variables,
and displays them in an element. There are many legit uses of injected
scripts. I recommend the extension "Chrome extension source viewer", CRX
viewer, to read the code without installing an extension.
[https://chrome.google.com/webstore/detail/chrome-extension-s...](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin)

------
cdnsteve
So this is essentially the same as man in the middle attacks but you're
basically saying here are all my keys. Scary. They better step up security on
the extensions review process.

I've already dumped chrome/Google because it tracks everything possible about
you, especially when signed in.

~~~
myztic
Have you tried using Chromium? _(I still recommend Firefox though)_

Chrome is basically a stable release from Google of the Chromium Browser
(which in itself is an Open Source Project), as such Chrome is more tightly
integrated with Google Services, Chromium should be the better choice
considering not wanting to be tracked.

I think some systems (*BSD, GNU/Linux distributions) even only have Chromium
available through their package systems, others possibly both.

~~~
4ad
Chromium won't help you: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909)

~~~
myztic
Phew... interesting, though it is marked as fixed?!

------
free2rhyme214
Does Adblock plus do this?

In Chrome's permissions they can read your browsing history.

~~~
fnordian_slip
I don't know for sure, but there's been quite a bit of controversy about them
in the last year, mainly because of their whitelisting
([https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_...](https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_ad_filtering_and_ad_whitelisting)).
I switched to ublock origin, works well for me, others recommend ublock
(there's been quite a bit of drama between the original dev who's responsible
for ublock origin, and the new dev who's responsible for ublock, I can't
really recommend one over the other, if you're interested you might want to do
some research there)

~~~
kzar
"I don't know for sure..."

Please stop spreading FUD.

Adblock Plus is not mentioned in the blog post, has a privacy policy and is
open source. If you're worried about how it handles your data you can have a
look at the code for yourself.

[https://adblockplus.org/en/privacy](https://adblockplus.org/en/privacy)
[https://github.com/adblockplus/adblockpluschrome](https://github.com/adblockplus/adblockpluschrome)

------
banku_brougham
I feel I should hand roll my own extensions from copies of favorites that I no
longer trust (dead mouse, etc). Is there a good tutorial out there for this?

~~~
peterhartree
1. You can download the source code of any extension on the Chrome Web Store
using this extension: [https://chrome.google.com/webstore/detail/chrome-extension-s...](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin?hl=en)

2. Review the source code.

3. Visit chrome://extensions and enable developer mode.

4. Click "Load unpacked extension" and point to the folder containing the
extension source code you've reviewed.

C.f.
[https://developer.chrome.com/extensions/getstarted#unpacked](https://developer.chrome.com/extensions/getstarted#unpacked)

~~~
banku_brougham
Awesome, thanks!!

------
theseatoms
Does anyone know how big a deal this really is?

So a handful of developers (and their employers) have my full browser history.
What could possibly go wrong?

~~~
danr4
They store access tokens to your private accounts, i.e. Gmail. They/future
hackers can use them to access your accounts.

~~~
striking
They can't steal cookies, because HttpOnly exists:
[http://blog.codinghorror.com/protecting-your-cookies-httponl...](http://blog.codinghorror.com/protecting-your-cookies-httponly/)

They can take your passwords, though. If you install an extension that "can
access your data on all sites", I hope your trust is well-founded.

~~~
borski
To be clear, they can definitely steal cookies if the HTTPOnly flag isn't
enabled. About 60% of the session cookies we see in our scans don't have it
enabled. Scary.
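The two comments above turn on whether a session cookie carries the HttpOnly flag, and borski's figure is the kind of thing a scanner finds by parsing the Set-Cookie headers a site sends. The following is an added example, not code from the thread or from any of the products mentioned: a small Set-Cookie parser plus an audit that reports session-looking cookies missing HttpOnly or Secure. The header lines and the cookie-name heuristic are constructed for illustration. HttpOnly only keeps a cookie out of page-level script (document.cookie); it does not change what an extension can do with the separate cookies permission, so the flag is necessary but not sufficient.

```javascript
// Added example (not from the thread): audit Set-Cookie headers for session
// cookies that lack HttpOnly or Secure. All sample data below is constructed.

// Parse one Set-Cookie header into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eqIdx = parts[0].indexOf('=');
  const name = eqIdx === -1 ? parts[0] : parts[0].slice(0, eqIdx).trim();
  const value = eqIdx === -1 ? '' : parts[0].slice(eqIdx + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Constructed heuristic: cookie names that usually hold a session identifier.
const SESSION_NAME_RE = /(sess|sid|token|auth|login)/i;

// Return one finding per session-looking cookie that is missing a flag.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SESSION_NAME_RE.test(c.name)) continue; // ignore preference cookies
    const problems = [];
    if (!('httponly' in c.attrs)) problems.push('missing HttpOnly');
    if (!('secure' in c.attrs)) problems.push('missing Secure');
    if (problems.length) findings.push({ name: c.name, problems });
  }
  return findings;
}

// Share of session cookies that lack HttpOnly, the statistic the comment cites.
function httpOnlyGapRatio(headers) {
  const session = headers.map(parseSetCookie).filter((c) => SESSION_NAME_RE.test(c.name));
  if (session.length === 0) return 0;
  const missing = session.filter((c) => !('httponly' in c.attrs)).length;
  return missing / session.length;
}

// Constructed sample responses; a real scan would collect these from HTTP responses.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',      // fine
  'sessionid=def456; Path=/; Secure',                 // readable by page script
  'auth_token=ghi789; Path=/',                        // readable and sent over http
  'theme=dark; Path=/; Max-Age=31536000',             // not a session cookie
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditCookies(SAMPLE_HEADERS)) {
    console.log(`${f.name}: ${f.problems.join(', ')}`);
  }
  console.log(`HttpOnly gap: ${(httpOnlyGapRatio(SAMPLE_HEADERS) * 100).toFixed(0)}%`);
}
```

Run it with node to see the two flagged cookies; the same parser can be pointed at the Set-Cookie headers of any site you administer to check your own sessions before worrying about what an extension might read.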

------
jokoon
There have been many bad points for chrome this year, I'm glad I switched a
long time ago to firefox.

~~~
VMG
The article has a section about Firefox plugins.

------
zobzu
popular android and ios app as well, i may add ;-)

------
mark_l_watson
I went through my Chrome extensions today and removed all that were not from
Google or EFF. A bit painful but I thought I should do it.

~~~
kevindeasis
I think Ublock Origin is definitely a google chrome extension that should be
installed. I think it will absolutely benefit you.

~~~
danieldk
uMatrix is from the same developer and incredibly useful.

------
mcnemesis
One solution I see (though not optimal), is to install only those extensions
you really can't do without, and then have them disabled by default. When you
need to use their function though, enable it (only for that short session), and
then disable it later.

Otherwise, I have inspected many seemingly innocent extensions like JaSON and
REST Console (both meant to run in their own tabs, without any need to
read/modify data on sites I visit, but which nevertheless request these
permissions!). I quickly noted that many other extensions did request these
perms as well... So, for now, for the ones I can't uninstall, I'll just
disable them, and only opt in (maybe in incognito), when I need to use them.
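Both peterhartree's step 2 ("Review the source code") and the inspection mcnemesis describes start with the extension's manifest.json, where the permissions and host patterns the thread complains about are declared. The following is an added example, not code from the thread or from any extension named in it: a manifest audit that flags broad host patterns (the "access your data on all sites" case) and the API permissions that expose history, tabs or network traffic, and distinguishes a tab-only tool, which needs none of them, from one that injects into every page. The sample manifest, the list of sensitive permissions and their descriptions are constructed for illustration; the permission names and host-pattern forms themselves are the ones Chrome documents.

```javascript
// Added example (not from the thread): audit a Chrome extension manifest for
// permissions that grant access well beyond what a tab-only tool needs.
// The manifest below is constructed; it is not any real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example REST client (constructed)',
  permissions: ['storage', 'tabs', 'webRequest', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
};

// A least-privilege counterpart (constructed): runs in its own tab only.
const MINIMAL_MANIFEST = {
  manifest_version: 2,
  name: 'Example REST client, tab only (constructed)',
  permissions: ['storage', 'activeTab'],
};

// Host patterns that match every page the user visits.
const BROAD_HOST_PATTERNS = new Set([
  '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*', 'file:///*',
]);

// API permissions worth a second look; descriptions are the reviewer's own wording.
const SENSITIVE_API_PERMISSIONS = {
  tabs: 'URL and title of every open tab',
  history: 'full browsing history',
  webRequest: 'observe every network request',
  webRequestBlocking: 'modify or block every network request',
  webNavigation: 'every page navigation',
  cookies: 'cookies for matched hosts, HttpOnly included',
  management: 'list and control other extensions',
  proxy: 'route all traffic through a chosen proxy',
  debugger: 'attach the devtools protocol to tabs',
  nativeMessaging: 'talk to a native program on the machine',
  clipboardRead: 'read the clipboard',
};

// A permission entry is a host pattern if it is <all_urls> or has a scheme://host form.
function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Collect findings from required, optional and host permissions plus content scripts.
function auditManifest(manifest) {
  const findings = [];
  const scoped = [
    ...(manifest.permissions || []).map((p) => ({ p, scope: 'required' })),
    ...(manifest.host_permissions || []).map((p) => ({ p, scope: 'required' })), // MV3
    ...(manifest.optional_permissions || []).map((p) => ({ p, scope: 'optional' })),
  ];
  for (const { p, scope } of scoped) {
    if (isHostPattern(p)) {
      if (BROAD_HOST_PATTERNS.has(p)) {
        findings.push({ kind: 'host', value: p, scope, note: 'read and modify every page' });
      }
    } else if (p in SENSITIVE_API_PERMISSIONS) {
      findings.push({ kind: 'api', value: p, scope, note: SENSITIVE_API_PERMISSIONS[p] });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOST_PATTERNS.has(m)) {
        findings.push({
          kind: 'content_script', value: m, scope: 'required',
          note: `${(cs.js || []).join(', ')} injected into every page`,
        });
      }
    }
  }
  return findings;
}

// Coarse verdict for a tool that claims to work only inside its own tab.
function verdictForTabOnlyTool(manifest) {
  const f = auditManifest(manifest);
  if (f.length === 0) return 'consistent with a tab-only tool';
  const required = f.filter((x) => x.scope === 'required').length;
  return required ? 'requests page-wide access it should not need' : 'broad access is optional only';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [SAMPLE_MANIFEST, MINIMAL_MANIFEST]) {
    console.log(`${m.name}: ${verdictForTabOnlyTool(m)}`);
    for (const f of auditManifest(m)) console.log(`  [${f.kind}/${f.scope}] ${f.value}: ${f.note}`);
  }
}
```

Point it at the manifest.json from an unpacked download before step 4 of the procedure above; anything flagged as required should be explainable by a feature you can see in the code, and a tool that lives in its own tab should come out with no findings at all.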

------
mirimir
OK, so I'm glad that I never trusted Chrome.

But now I'm wondering whether Firefox extensions are generally safe.

~~~
zetafunction
From the article:

_Are Firefox extensions any better?_

_To be honest, no._

~~~
mirimir
Oops, I missed that :(

