Browser extensions are the most vulnerable everyday apps people use.
They're given so much power so quickly. Users agree to 'view and modify website data' not realizing that the app can now run arbitrary code on their gmail/banking/whatever accounts to report all information including passwords. For all the concern over application security, little is talked about here.
Browser extensions are also super important. They stand as the only tool for users to take back control over their experience from companies that are in the interest of manipulating them for profit whenever they can. They are uniquely our agents here.
Still, each extension is a potential huge vulnerability. It's tough to find a balance here.
It's laziness on the browser makers' side. We used to have real extension frameworks, then it turned out just having extensions load arbitrary JS in the context of every webpage is a super easy way to have "rich extensions" so they did that and went shopping.
Now the result is that to implement "backspace for back", your extension needs to be able to load arbitrary JS on every domain.
You're viewing the past with rose-colored glasses. If by "real extension frameworks" you mean XUL, that gave significantly more power to extensions than is even possible under Chrome extensions / WebExtensions.
the problem is that the hive mind has no clue, and downvotes like maniacs facts it doesn't like. here's a previous discussion of what the "read all" extension permission means https://news.ycombinator.com/item?id=21336246 with all the factual, sourced posts downvoted and a chain of people with fingers in their ears singing lalalala
_of course_ I rarely bring up the topic anymore; once enough people get burned they'll learn on their own anyway, I guess.
Browser extensions have exactly as much power as the browser itself; that's why browser vendors controlling the distribution of extensions is not a bad idea in itself. Maybe there's a greater discussion to be had about the power that browsers themselves have over what has now become the life of their users.
> Browser extensions have exactly as much power as the browser itself
I would say this is false. Browsers can run arbitrary code on your machine. Extensions can't even access local files. If we are just talking about site information like cookies I would agree.
I'm making extensions that talk to native apps. When that kind of communication is authorized then any vulnerability in the target apps does allow arbitrary execution.
No, browser extensions can't. From their overview:
>HOW TO SET UP
>For security reasons, Google has made a policy to not allow webpages to read or write local resources on hard drives. So we need an integration between the Chrome Extension and File System (Windows Explorer, Mac OS Finder) using an external software. To install both, just follow the simple steps described in http://www.vnprodev.com/browser-extensions/local-explorer-in...
On a different note, Chrome "apps" historically have had higher access that allowed some file access (I forget the details), but as far as I can remember extensions have not had any ever. Though since you can communicate between apps and extensions, it was possible to install both and work around it a bit. I'm not sure if that has changed since I last toyed around with this though (it has been a couple years at least).
I believe this ecosystem is simply an extension of the prior systray ecosystem wherein small, sometimes free windows applications would bundle a "helper" app that would basically spy on, and advertise to, the end user.
This resulted, among other things, in an almost universal degradation of performance and usability of Windows XP/Vista for ... our parents and grandparents, basically.
Not just small free apps. Oracle would install the Ask toolbar when you installed their database server, unless you noticed and un-ticked that option in one of the installer dialogs. Oracle.
It's worse now because browser extensions auto-update which means that when a malicious actor buys an extension they gain access not only to future users but to all current users as well. Also, the Chrome Extension Store publicizes how many users each extension has, which allows malicious actors to operate extremely efficiently as they can easily find extensions to acquire and they know exactly what they're buying.
And even worse, because they don't only hurt performance and usability, but they also report private information. Even if the data is sent anonymously, the url itself may contain private information. For instance, Google themselves still allow sharing documents via a "private" link which is then stored on some monitoring service. And some of those services allow anyone to access and search these urls for some premium plan.
I think the implication here was that your parents and grandparents were less computer savvy at the time. This resulted in them installing all kinds of toolbars that destroyed performance.
The biggest problem is that Chrome Extensions don’t have granular enough permissions. I’ve seen developers write explanations of needing access to “all your data” because of one small feature they need access to.
They should also add some monitoring regarding domains extensions talk to. Or even make developers add a description of outgoing requests from extensions somehow.
You already have to do that. In the extension manifest you need to specify URLs you need to access. I'm pretty sure the process of approving an extension is entirely automated though, so there isn't any real accountability unless an extension is specifically investigated.
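As an added illustration of the manifest point above (example code written for this page, not from anyone in the thread or from Chrome's own tooling): a small audit that walks the host-related keys of a Chrome extension manifest (`permissions`, `host_permissions`, `optional_host_permissions` and `content_scripts[].matches`, all real manifest keys) and reports whether the extension can reach every origin. The two manifests at the bottom are constructed for the demonstration.

```javascript
// Added example: audit a Chrome extension manifest for over-broad host access.
// The manifest keys used here are real Manifest V2/V3 keys; the two sample
// manifests at the bottom are constructed for illustration only.

// Match patterns that grant access to every origin.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every host pattern an extension can reach: declared host
// permissions, optional host permissions, and content-script match lists.
function collectHostPatterns(manifest) {
  const patterns = [];
  for (const key of ["permissions", "host_permissions", "optional_host_permissions"]) {
    for (const p of manifest[key] || []) {
      // In MV2, host patterns sit in "permissions" next to API names such as
      // "storage"; anything containing "://" or "<all_urls>" is a host pattern.
      if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  return patterns;
}

// Classify a single match pattern:
//   "all"           every origin (e.g. <all_urls>, *://*/*)
//   "wildcard-host" a whole domain tree (e.g. https://*.example.com/*)
//   "specific"      one host (e.g. https://www.example.com/*)
function classify(pattern) {
  if (BROAD_PATTERNS.has(pattern)) return "all";
  const m = pattern.match(/^(\*|https?|file|ftp):\/\/([^/]+)\//);
  if (!m) return "unknown";
  return m[2].startsWith("*") ? "wildcard-host" : "specific";
}

// Produce a per-pattern report plus a single "can this read every site" flag,
// which is the property a reviewer or store policy would want to surface.
function auditManifest(manifest) {
  const findings = collectHostPatterns(manifest).map((p) => ({
    pattern: p,
    scope: classify(p),
  }));
  return {
    name: manifest.name,
    readsAllSites: findings.some((f) => f.scope === "all"),
    findings,
  };
}

// Constructed: a site-tweaking extension that asks for every origin.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: "Example Site Tweaks (broad)",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["tweaks.js"] }],
};

// Constructed: the same feature scoped to the one domain it actually modifies.
const NARROW_MANIFEST = {
  manifest_version: 3,
  name: "Example Site Tweaks (narrow)",
  permissions: ["storage"],
  host_permissions: ["https://www.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["tweaks.js"] }],
};

console.log(JSON.stringify(auditManifest(BROAD_MANIFEST), null, 2));
console.log(JSON.stringify(auditManifest(NARROW_MANIFEST), null, 2));
```

The check is deliberately mechanical: it does not judge whether a feature needs the access, only makes the blast radius visible, which is what the "all your data" explanations in the thread obscure. Running it against the broad manifest reports `readsAllSites: true`; the narrow one reports two scoped patterns and `false`.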
I have a small website that can get a surprising amount of traffic. Every other day I get an email from some "SEO expert" wanting to redesign my site or offer some partnership so I get more traffic.
Which is slightly amusing because I must be getting enough traffic for them to want to find me.
Almost every SEO "guru" and "expert" is a glorified snake oil salesman. I look at that whole industry the same way I look at the traditional woo-woo peddlers.
Bottom line is that they ruin the quality of search and create a tremendous amount of churn that requires search engines to constantly refine their algo.
I get those even without a website at the domain. They just spam everyone who can be found from whois data (lists of non-expired domains they probably just buy from somewhere).
I linked the Instagram handle of a friend on one of my posts, and now I even get posts about promoting and marketing my Instagram handle with “real likes and comments”.
Have an extension on the chrome store too and receive these emails regularly. Promising cash to turn your extension into malware. Mine is a small, specific project that took a weekend or so of work, so I'm sure others in the same position would be tempted to take them up.
The claim that X is allowed on the Chrome Web Store is extremely fishy given the "single purpose policy". You're not allowed to upload extensions that serve multiple purposes, e.g. "something useful the user wants" and "provide an exit point for a shady proxy network".
It’s pretty obvious what infatica is doing and while I agree it’s shady, I wouldn’t call it a scam.
Peer-to-peer proxy doesn’t mean a botnet, at least not how I think most people think that to mean. Rather they are routing traffic through residential IPs for a number of customers. $25-45/1000 users sounds exactly within the margins of a VPN provider (they even mention hola.org in the 3rd email, which is $2.99/m per ‘premium’ user or free if you become a node in the network) and residential proxies are also commonly used for scraping and other IP-sensitive work, again within those margins.
I didn't find the code sample to be obfuscated, it was actually quite clear. It establishes a web socket with a server and simply passes requests through an endpoint, i.e. literally just a proxy.
All that said, it’s definitely shady to put this in your extension without users knowing. But, if you need to monetize something free, and make at least a good effort to inform users or allow them to opt out, and we trust infatica doesn’t allow illegal use of its proxy network, then I don’t really see the problem.
There’s a real need for residential IPs, no market to give each user $.025 and I can’t really fault someone for making a business out of this.
Edit: I also find it ironic that the author labels datos.live a "scammer" when in fact they are a very legitimate business engaged in similar data collection to what Google already does. ...The same author who published an extension (in the Chrome Store) for YouTube
> it’s definitely shady to put this in your extension without users knowing
I don't think it would be an exaggeration to say that the number of "users" of extensions running these services that know that their computer is being used to make web requests on behalf of the highest bidder is 0. The number of Hoola users that know how it works is also probably below 10%.
What "legitimate" need is there for residential IPs? These are internet connections that are generally less reliable than commercial connections. The biggest usage for them is for fooling web sites about the nature of the traffic they are serving.
That’s pretty much exactly the point. On the consumer facing side there is the VPN market, which people use to access content in remote locations or obfuscate their traffic to prevent surveillance/fingerprinting.
On the business side, there’s a real need to be able to scrape say LinkedIn or Amazon, which necessitates rotating IPs to avoid getting blocked. The legal precedent currently incentivizes this sort of behavior between both parties.
Mentioned also, however, is that criminals can use the technology to advance fraud.
The idea is usually to use hundreds or thousands of IPs, avoiding (ideally) detection, and not having any banned. Obviously if hundreds of people are using the same blocks, it doesn't quite work like that.
The real user/owner would get a captcha and be fine for most big sites.
*not sticking up for any of these companies, but I have required residential proxies in the past to scrape Google PLAs.
I don't believe the users are made aware of this kind of usage of their network. In fact, I'm pretty confident that most extensions bury this purposefully in such small letters it's impossible to understand. Which, for me, qualifies them as malware.
Nothing really prevents same thing happening when it's VPN service's exit node (except maybe the fact that people doing illegal things would usually choose tor over VPN provider (though more technical ones are likely using both)).
I certainly am not going to defend the whole market. I’m aware of many issues.
But, there is a strict business need for these proxies. If you plan to fight giants, the first thing you need is their data. And you can’t get it without proxies.
Sure, that’s another subject for debate; whether scraping/crawling is ethical itself.
Unfortunately it's not just scraping, they're also often used for outright fraud. Various online payment processors' fraud detection systems can be circumvented partially by appearing as a legit residential end user on a comcast cable connection, for instance. Or lots of other fraudulent activities where you have a click worker in a cube farm in a low labor cost location, using the proxy, pretending to be an end user in the usa.
About Datos, I'll reply and see if I can get more info about them. I still do not understand how it would be "gdpr friendly", as the data for sure would not be required for the service
They call it GDPR-friendly because there is no serious enforcement of the GDPR and so they know they will fly under the (non-existent) radar.
This is the same reason how websites claim to “comply” with the GDPR with a cookie consent prompt that only allows you to accept (and declining is hard/impossible).
Absolutely. I’m not sure why you’re surprised when 90% of websites out there with a cookie banner also lie (maybe even to themselves) about their GDPR “compliance”.
Time to add user privacy and data usage dialogs to web extensions to inform users about "monetized" extensions, especially those trying to sneak in such SDKs later.
I don't get such emails. I'm feeling left out! But I do have a pretty strict and solid privacy policy, though, and it's open source:
Privacy Policy
The creator of "Twitter 'Likes' Hider" has zero interest in tracking you. Your privacy is sacrosanct. No data will be kept, tracked, transferred, sold, traded, nor even coveted in any respect, from now until the end of time.
I came across your extension on the Google chrome store and wanted to reach out to you to offer a way to increase revenue earnings from your extension. We are providing our partners with Bing landers and feeds that pay really well on extensions for search. It can earn up to $800 a month per 5000 users, and it is a premium product by invitation only. If your extension does not have search this is not a problem, with a simple update this can be added, furthermore it is completely acceptable by google chrome store.
If this is something you would be interested in, I would be glad to schedule a call to discuss this with you! Also if you are looking to sell your extension we can discuss this opportunity as we buy extensions.
Hello from ru extensions community! Nobody will read this, but all we need is just browser devs to finish this useless shit:
https://i.ibb.co/C6nsNhX/2021-2-6-11-19-25.png
Add a blacklist and the ability to manually edit lists. So that the extensions themselves are unloaded from memory or isolated on certain domains. You are and google assholes only think about further curtailing powers and opportunities for expansion and that's wrong.
How does he know these emails are from scammers? Some of these seem like legitimate offers at first glance. Please don't downvote if this is a stupid question for you. I'd really like to know how to recognize a scam email in these situations as a browser extension dev.
I believe the "scammer" part comes from them wanting to leech data off the users of the given extensions. They are upfront about their intentions, I think, so scammer is maybe not the appropriate term. "Scummer" maybe.
I agree with calling them “scummers” but “scammers” is also apt as they intend to scam the user of the extension - not necessarily the developer. Reading those emails brought to mind Bill Hicks' famous rant about “Satan's little helpers”: https://vimeo.com/36651896
I just added another email I got that I forgot about. In that one, it looks like they steal the user's request headers. Their website also disappeared a month after their email.
one of the things that is keeping me on firefox is how many open source extensions there are. i use maybe 16 and they are all open source, which doesn't mean they're free of malware, but it definitely reduces the likelihood
Some of these problems might disappear if Google would introduce a payment scheme for Chrome extension developers. Then authors might not be tempted to sell them to scammers.
It's a way to know that there's a real human behind the computer screen and that the address is not fake. Even a single bit of information can be valuable.
The scammers want to know if the developer's email works?
If s/he doesn't click unsubscribe, maybe they've been talking with the wrong address, so they could continue with trying to find another address to the developer?
If you're referring to deliverability of emails in the context of email spam filters then no. Having an unsubscribe option on repeated, unanswered solicitations would be helpful. The emails are not spam, and in the first email chain they are rather straightforward about their proposal and methods. I'm not sure what the scam actually is here.. people offering money for the dev to scam users out of bandwidth? I do think it's noble of the dev to ignore the solicitation and provide exposure to this market however.
That one email from Datos looks pretty professional. I don't know what their business is about, but they don't necessarily seem like scammers per se.
First I want to remark how SERIOUS of a security hole browser extensions are, that can work on all websites without user interaction needed. They can READ ALL YOUR DATA including the passwords you type into gmail, and can do “forgot password” on any site and hijack your gmail in the background as you read it. And ONE PERSON is often all that’s required to push malware to everyone.
This is what capitalism looks like, folks. Someone "built it" so they now privately "own it", no matter how big it gets. It's not put into the hands of an organization. The profit motive is quite strong, which is why someone can be "corrupted" by very tempting messages like this. If you had a lake or a forest privately owned by one or two people, and they had a lot of debts, they could easily sell it to polluters and loggers.
Some people scoff and say "socialism has been tried, it never works." I admit that socialism simply trades one class of elites (the capitalists with a lot of shares) for another (the bureaucrats with a lot of political clout). BUT! I would like to say that socialism is not the only alternative. The other alternative is decentralized systems with no private ownership. I'm talking about science, open source software, and so on. There can be a Merkle tree of version updates (e.g. git version control) and each one can have various reputable organizations (like Zagat for software) building their reputation vetting it. Then, each community would run their own app store (think Wordpress plugins) which would work with these reputable organizations. There would be no heroes, no celebrities, no tweets at 3 am to 5 million people, no pulling from repos without peer review, no scientists instantly believed after publishing on arxiv.org .
Congratulations for building a popular extension. You live in a world where it's really bad to "criticize the profit", and where building it means you are responsible for it no matter how big it gets, but then we are all depending on your integrity and ability to rebuff life-changing amounts of money to not mine our data. We can pass laws to punish people after the fact, or we can gradually change our culture by rejecting "immediate gratification" of updates that are not vetted, just as corporations have done with bleeding edge vs stable Linux distros etc. Unfortunately, the Web has made it so that anything can be updated at any time, with no sysadmins or reviewers in the loop. It's a wonder more malware isn't silently everywhere already.
>First I want to remark how SERIOUS of a security hole browser extensions are, that can work on all websites without user interaction needed. They can READ ALL YOUR DATA including the passwords you type into gmail, and can do “forgot password” on any site and hijack your gmail in the background as you read it.
I'm not sure what you mean. There is a security check in place for Chrome extensions. Are you saying that it's inadequate or that it is security theater only? Because it sounds like you're implying that no security exists whatsoever.
Please elaborate on this security check and let’s discuss. Have you heard of chrome extensions extending your gmail on the desktop browser? How do you think they operate?
Why yes, internet stranger, I will get right on elaborating for you that which is readily found in the chrome extension developer docs, for I have nothing else to do. Right after I finish watching this Hee Haw marathon. Have you seen that show? It's terrible