• deanc 2 hours ago

    Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.

    It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.

    • RupertSalt 2 hours ago

      It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.

      You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.

      If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.

      • dalmo3 an hour ago

        Pardon the ignorance but what's being exploited by someone buying a video game character?

        • elashri an hour ago

          I think he was just saying that it is a similar business to that. Just drawing a comparison that there is a market like selling video game accounts. Also usually people who cheat in games will buy high-level accounts because they will be banned much faster if they start playing with new accounts for cheats. This happens in some of the games I play all the time.

      • qcontinuum1 20 minutes ago

        15 years ago was probably this type of business in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.

        • netsharc 10 minutes ago

          It's a moronic industry, waiting for the catastrophic data-theft disaster to happen before they do anything... Google is doing it, Apple did it, Zuck did it (the only hindrance Cambridge Analytica had to go over seemed to be the apps developer agreement that devs had to click to promise you won't do anything bad with the personal information of all those Facebook users...).

          Which is all the more incredible, considering Blackberry (the phone company that was big before the age of iPhones or YouTube) had a permission model that allowed users to deny 3rd-party apps access to contacts, calendar, etc, etc. The app would get a PermissionDeniedException if it couldn't access something. I remember the Google Maps app for Blackberry, whose solution to that was "Please give this app all permissions or you can't use it"...

        • gilrain 2 hours ago

          > It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.

          What a mensch! I wonder how many other people your payday hurt.

          • coldtea 29 minutes ago

            He sold a software he wrote. It's something totally legit that happens all the time.

            And we don't know if the new owner changed anything or if anybody at all got hurt by that. We do know you rudely insulted the parent, however.

            • Forgeties79 an hour ago

              How were they supposed to know that was going to happen? You think they walked up and said, “Hi. I’m here to buy your software and hurt people with it”?

              • ptx 40 minutes ago

                If a stranger walks up to the chef in a restaurant and offers to pay them to put some mystery stuff in the food, or someone walks in during a surgery and asks if they can make some incisions and inject some mystery stuff, would you (as a customer of the restaurant or hospital) expect this to be allowed?

                • pocksuppet 38 minutes ago

                  If someone walks up to the owner in a restaurant and offers to pay them money to buy the restaurant, it's not considered suspicious.

              • benregenspan an hour ago

                This is what I'd say about someone who sold their extension today, but I don't think this business model was nearly as well-known 15 years ago.

            • gnl an hour ago

              Couple of quick thoughts on how to protect yourself from having a formerly trustworthy extension go rogue on you:

              - https://github.com/beaufortfrancois/extensions-update-notifi...

              And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)

              - brave://flags/#brave-extension-network-blocking

              You can then create custom rules to filter extension traffic under brave://settings/shields/filters

              e.g.:

                ! Obsidian Web
                *$domain=edoacekkjanmingkbkgjndndibhkegad
                @@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad

              - Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually

              • kwar13 an hour ago

                The code is usually minified and heavily obfuscated but you CAN view the source code for any extension:

                https://kaveh.page/snippets/chrome-extensions-source-code

                Even a tiny extension like this one I wrote with 2k users gets buyout offers all the time to turn it into malware: https://chromewebstore.google.com/detail/one-click-image-sav...

                • singularfutur 2 hours ago

                  This is why I only run open source extensions that I can actually audit. uBlock Origin, SponsorBlock, the kind of tools where the code is available and the developer isn't anonymous. The Chrome Web Store is basically unregulated and Google doesn't care as long as they get their cut. Open source at least gives you a chance to see what you're installing before it starts exfiltrating your data to some server in a country you've never heard of.

                  • mixedbit 2 hours ago

                    An extension from a trusted, non-anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually built verbatim from the code which is open sourced.

                    • jakub_g 2 hours ago

                      Actually, npm supports "provenance" and, as it eliminated long-lived access tokens for publishing, it encourages people to use "trusted publishing", which over time should make the majority of packages auto-provenance-verified.

                      https://docs.npmjs.com/trusted-publishers#automatic-provenan...

                    • m4rtink an hour ago

                      If the RPM/deb comes from a Linux distribution then there is a good chance there is a separate maintainer and the binary package is always built from the source code by the distro.

                      Also if the upstream developer goes malicious there is a good chance at least one of the distro maintainers will notice and both prevent the bad source code being built for the distro & notify others.

                    • randunel 2 hours ago

                      How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

                      • endsandmeans 2 hours ago

                        I agree but let me play the devil's advocate. I'll channel Stallman:

                        Same argument can be applied to all closed source software.

                        In the end it's about who you trust and who needs to be verified, and that is relative, subjective, and contextual... always.

                        So unless you can read the source code and compile yourself on a system you built on an OS you also built from source on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public perceptions.

                        • anonymars an hour ago

                          Don't forget to channel Ken Thompson ("Reflections on Trusting Trust") -- you can read the source code, but where did you get the compiler?

                        • insin 2 hours ago

                          CRX Viewer is handy for quickly checking what's been published:

                          https://robwu.nl/crxviewer/

                          • nickjj 2 hours ago

                            > How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

                            Extensions are local files on disk. After installing it, you can audit it locally.

                            I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.

                            On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.

                            Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.
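
Following up on the approach in the comment above (the installed .xpi is a zip, unzip it and diff it against the open source repo), here is an added example that does the comparison by SHA-256 per file. It is not code from any commenter. It assumes the installed extension is a zip archive or an unpacked directory and that the reference tree is laid out the same way the shipped files are (for a project with a build step, the build output is the right reference, not the raw repository); the sample files and the `demo()` helper are constructed for the illustration.

```python
"""Check whether an installed browser extension matches the source it claims to
come from, by hashing every file in the shipped archive and in the source tree
and reporting what differs.

Added example for this thread (not code from any commenter). Assumptions: the
installed extension is a zip archive (Firefox .xpi files are zips) or an
unpacked directory, and the reference is a directory laid out the same way the
shipped files are.
"""
import hashlib
import io
import sys
import zipfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_files(files: dict[str, bytes]) -> dict[str, str]:
    """Hash an in-memory {path: content} mapping (used for the constructed demo)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def hash_archive(archive_bytes: bytes) -> dict[str, str]:
    """Hash every regular file inside a zip archive such as a Firefox .xpi."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {
            info.filename: sha256_hex(zf.read(info))
            for info in zf.infolist()
            if not info.is_dir()
        }


def hash_tree(root: Path) -> dict[str, str]:
    """Hash every file under a directory (a checked-out source tree, or an
    extension the browser keeps unpacked on disk)."""
    return {
        path.relative_to(root).as_posix(): sha256_hex(path.read_bytes())
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def diff_extension(installed: dict[str, str], reference: dict[str, str]) -> dict[str, list[str]]:
    """Split the two file sets into: files only the installed copy ships (the most
    interesting category when an extension changes hands), files the source has
    but the installed copy lacks, and files present in both with different content."""
    installed_paths, reference_paths = set(installed), set(reference)
    return {
        "added": sorted(installed_paths - reference_paths),
        "missing": sorted(reference_paths - installed_paths),
        "modified": sorted(p for p in installed_paths & reference_paths if installed[p] != reference[p]),
    }


def compare_paths(installed_path: Path, source_root: Path) -> dict[str, list[str]]:
    """Compare a real .xpi (or unpacked extension directory) against a source tree."""
    if installed_path.is_dir():
        installed = hash_tree(installed_path)
    else:
        installed = hash_archive(installed_path.read_bytes())
    return diff_extension(installed, hash_tree(source_root))


# Constructed demo data: a tiny "source tree" and an archive that drifted from it.
SOURCE_FILES = {
    "manifest.json": b'{"name": "constructed-example", "version": "1.2.0"}\n',
    "background.js": b"// constructed: behaviour as published in the repository\n",
    "popup.html": b"<!doctype html><title>constructed</title>\n",
}
INSTALLED_FILES = {
    "manifest.json": SOURCE_FILES["manifest.json"],
    # Same file name as the repo, different content.
    "background.js": b"// constructed: content that is not in the repository\n",
    # A file the open source tree never had.
    "extra.js": b"// constructed: shipped only in the installed archive\n",
    "popup.html": SOURCE_FILES["popup.html"],
}


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive standing in for a downloaded .xpi."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Diff the constructed archive against the constructed source tree."""
    return diff_extension(hash_archive(build_archive(INSTALLED_FILES)), hash_files(SOURCE_FILES))


if __name__ == "__main__":
    # Usage: python check_extension.py <installed.xpi-or-dir> <source-tree>; no args runs the demo.
    result = compare_paths(Path(sys.argv[1]), Path(sys.argv[2])) if len(sys.argv) == 3 else demo()
    for category, paths in result.items():
        print(f"{category}: {paths or '-'}")
```

The "added" category is the one to look at first after an ownership change: a file the repository never contained has no legitimate reason to be in the shipped archive, whereas "modified" entries can also come from a bundler or minifier and need a second look against the build output.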

                            • pbhjpbhj an hour ago

                              I'm running Uniget on Win11 and this is my worry there. Provenance of installs vs the actually released files.

                              • fn-mote 2 hours ago

                                This kind of nihilistic comment doesn’t do anything for me.

                                There’s always a possibility of problems along the chain. You are reducing your risk not eliminating it.

                                • pezgrande an hour ago

                                  I wish we had something like "source hash" available in all repositories.

                                • Rebuff5007 an hour ago

                                  Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

                                  "Dont trust google" imo is the wrong response here. We are at the mercy of our institutions, and if they are failing us we need mechanisms to keep them in check.

                                  • PurpleRamen 7 minutes ago

                                    There are no established institutions for checking add-ons. The stores claim to do some checks, but it seems enough is slipping through their net. It's also common sense to not buy something critical from a random anonymous source on the internet.

                                    • acheron 6 minutes ago

                                      “Don’t trust Google” is table stakes for being on the Internet over the past couple decades.

                                      • coldtea 25 minutes ago

                                        >Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

                                        Cars are under quite strict laws that software isn't. And there is only a small number of car vendors, while there are several orders of magnitude more extension vendors. Also a car vendor is a big company with many audits and controls, an extension "vendor" could just be some guy in his garage office, who just sold it to scammers, even for popular extensions.

                                        And I still wouldn't trust a modern car using subscriptions and code updated.

                                        • __alexs an hour ago

                                          My car can't login to my bank account.

                                          • abenga an hour ago

                                            Your car and fellow road users' cars generally have your life, your passengers' lives, and other road users' lives in its hands while in use.

                                            • haritha-j an hour ago

                                              Give it a few years. After all how will Tesla get that $99 every month for your self driving subscription?

                                          • bennydog224 an hour ago

                                            This is the safest way. You also want to disable auto update to version lock, which means using Firefox or Safari or loading unpacked if you use Chrome.

                                            • Angostura an hour ago

                                              It’s one of the reasons I run Safari, which strictly limits what extensions can do for these reasons

                                              • lapcat an hour ago

                                                No, Safari is really no different here from Chrome, and indeed there's broad compatibility between the extension API, such that in many cases you can use a Chrome extension unmodified in Safari.

                                              • lofaszvanitt 22 minutes ago

                                                And you audit every update? Ahem.

                                                • lapcat 2 hours ago

                                                  > This is why I only run open source extensions that I can actually audit.

                                                  How far does your principle extend? To your web browser too? Google Chrome itself is partly but not entirely open source. Your operating system? Only Linux? Mac and Windows include closed source.

                                                  • nemomarx an hour ago

                                                    On HN of all places it's not that implausible that someone might be running Linux and Chromium or Firefox, surely?

                                                    • lapcat an hour ago

                                                      I didn't claim that it's implausible. I asked a question.

                                                      On the other hand, it's not that implausible either that someone might be running Google Chrome, Windows, Mac, etc. We know that many HN commenters do. Thus, while the OP may be 100% consistent, "I only run open source extensions that I can actually audit" would not be a consistent principle for those who also use closed source software.

                                                    • NamlchakKhandro an hour ago

                                                      If they live in California, they're most assuredly borrowing prestige through licenced usage of apple hardware.

                                                      Because let's get real, no one ever gets a job in tech if they're not an iPhone user right?

                                                  • giarc 31 minutes ago

                                                    My daughter, in grade school, uses a Chromebook at school and accesses Google Classroom through Chrome. The school has very few restrictions on extensions and when I log into her account, Chrome is littered with extensions. They are all innocuous (e.g. change cursor into cat, pets play around on your screen, etc.). However, without fail, each time I log in and go to the extension page, Chrome notifies me that one or more of the extensions was removed due to malicious activity or whatever.

                                                    • Imustaskforhelp 4 minutes ago

                                                      I don't think that your daughter might know if say any web cam might take photos and see what she's searching if the extensions are indeed malicious.

                                                      I'd either go ahead and talk to her and remove extensions altogether and ask her to have stock/only open source extensions (yes, open source also has supply issues but it's infinitely more manageable than this), or the second option being to maybe create them yourself. I don't know how Chrome works (I use Firefox) but one thing that you can do is, if the thing is simple for your daughter, then just vibe code it and use Tampermonkey (heck, even open source it) and then audit the code written by it yourself if you want better security.

                                                      Nowadays I really just end up creating my own extensions with Tampermonkey before using any proprietary extension. With Tampermonkey, the cycle actually feels really simple (click edit, paste, etc.) and even a single glance at the code can show any security errors for basic stuff, and it's one of the few use cases of (AI?) in my opinion.

                                                    • hannob 5 minutes ago

                                                      That can't be true, right? I mean, Google broke Adblockers in Chrome to prevent this very issue. And it had absolutely nothing to do with Google's Ad business.

                                                      So it's completely impossible that such malicious extensions still exist.

                                                      (may contain sarcasm)

                                                      • ghtbircshotbe 24 minutes ago

                                                        Capital One just offered me $45 to install a Firefox extension. I declined, though I'm sort of tempted to get paid for getting spied on which I assume is happening anyway. And who knows, maybe I could get a couple more bucks later in the class action.

                                                        https://addons.mozilla.org/en-US/firefox/addon/wikibuy-for-f...

                                                        • soared 18 minutes ago

                                                          Their offers are very hard to claim - only eligible to be used in their store, only given after making a purchase in their store, among other random strings. I tried to claim the same offer but could never actually get it.

                                                        • georgehill an hour ago

                                                          At this point, someone should make a site to check whether installed extensions are malicious or not.

                                                          • james-bcn 29 minutes ago

                                                            Great idea! Someone please do this.

                                                            • baggachipz 40 minutes ago

                                                              And then an extension to alert you to bad extensions.

                                                            • matheusmoreira 3 hours ago

                                                              And the ones that are not will probably get bought out at some point and become malware as well.

                                                              The only extension I trust enough to install on any browser is uBlock Origin.

                                                              • mcjiggerlog 2 hours ago

                                                                I have published an extension [1] that has 100k+ users and I've probably received hundreds of emails over the years asking me to sell out in one way or another. It's honestly relentless. For that reason I also only trust uBlock Origin, Bitwarden and my own extensions.

                                                                I'd also note that all this spam is via the public email address you're forced to add to your extension listing by Google. I don't think I've ever had a single legitimate email sent to it. So yeh, thanks Google.

                                                                [1] https://chromewebstore.google.com/detail/old-reddit-redirect...

                                                                • matheusmoreira 21 minutes ago

                                                                  Respect for not selling out. I have to admit though... If I had a browser extension and someone suddenly offered me a million dollars for it, I think I would take it.

                                                                  This realization made me distrust any system where it is even possible to sell out. In order for a system to be trustworthy, it must be impossible for this sort of exploitation to ever occur, no matter how much money they put on the table.

                                                                  • Hard_Space 2 hours ago

                                                                    Just to say thanks for this extension, and keeping Reddit usable (at least for me).

                                                                    • rat9988 2 hours ago

                                                                      Just curious how much does it sell? It gives an idea about how much my personal data is worth

                                                                      • mcjiggerlog 2 hours ago

                                                                        I was just having a quick search and the only email I can find that offered a price range up front was for $0.1-0.4 per user, and that was from 2023. So I assume up to a dollar per user these days?

                                                                        • xnorswap 2 hours ago

                                                                          I imagine it must be very tempting to take that bag while old reddit is still usable.

                                                                          Thank you for not doing so.

                                                                          • mcjiggerlog 2 hours ago

                                                                            No, fortunately in my case it's not tempting at all.

                                                                            It's easy to see how many people in less advantaged positions would end up selling out, though.

                                                                    • stevekemp an hour ago

                                                                      That's the only extension I have installed too!

                                                                      I used to have tree-style tab, but now firefox has got native support for vertical tabs so I don't need to install anything extra.

                                                                      Installing new extensions is sometimes appealing, but the risk is just too high.

                                                                      • matheusmoreira 30 minutes ago

                                                                        I often make the argument that uBlock Origin is so essential that it should be built into the browsers instead of being a separate extension. The restrictions imposed by manifest v3 are good, it's just that uBlock Origin is special enough that it should be able to bypass them.

                                                                        Unfortunately, the huge conflicts of interest make this unrealistic. Can't trust developers funded by ad money to develop an ad blocker.

                                                                      • lapcat an hour ago

                                                                        > The only extension I trust enough to install on any browser is uBlock Origin.

                                                                        Note however that the origin of uBlock Origin is that the developer Raymond Hill transferred control of the original uBlock project to someone who turned out not to be trustworthy, and thus Hill had to fork it later.

                                                                      • GuestFAUniverse 2 hours ago

                                                                        And why didn't one of the wealthiest companies of the world capture this themselves?

                                                                        Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.

                                                                        • chrisjj an hour ago

                                                                          > And why didn't one of the wealthiest companies of the world capture this themselves?

                                                                          Assume they did.

                                                                          And the question becomes "Why didn't they come clean?" ... and much easier to answer.

                                                                        • baby 39 minutes ago

                                                                          I’ve always thought that it’s crazy how so many extensions can basically read the content of the webpages you browse. I’m wondering if the research should go further: find all extensions that have URLs baked in them or hashes (of domains?), then check what they do when you visit these URLs.

                                                                          • qcontinuum1 31 minutes ago

                                                                            Without any doubt the research could continue on this. We had many opportunities to make the scan even wider and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definite.

                                                                            There are resource constraints. Those extensions try to actively detect if you are in developer mode. It took us a while to avoid such measures and we are certain we missed many extensions due to, for example, usage of a Docker container. Ideally you want to use an env as close to the real one as possible.

                                                                            Without infrastructure this doesn't scale.

                                                                            The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.

                                                                          • l72 2 hours ago

                                                                            The fact that most of these are capturing query parameters:

                                                                              "u": "https://www.google.com/search?q=target",

                                                                            indicates that they are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.

                                                                            • cess11 an hour ago

                                                                              If a service is sending auth tokens as URL parameters, stop using it. Those are always public.

                                                                              • dangets 4 minutes ago

                                                                                I don't disagree with the advice (especially for long lived tokens), but query parameters are encrypted during transit with https. You still need to worry about server access logs, browser history, etc that might expose the full request url.
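
Building on the captured `"u"` record quoted above and the point that full request URLs end up in server access logs and browser history, here is an added example (not code from any commenter) that scans such records for credential-looking query parameters and produces a log-safe redacted form. The record shape mirrors the one quoted; the sample URLs, the parameter-name list and the entropy threshold are constructed heuristics for the demo, not a standard.

```python
"""Flag and redact credential-bearing query parameters in captured URL records.

Added example for this thread (not code from any commenter). The input shape
{"u": "<url>"} mirrors the captured record quoted in the thread; the records
themselves are constructed, and the parameter-name list and entropy threshold
are heuristics chosen here.
"""
import json
import math
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry session or credential material (heuristic list).
SENSITIVE_NAMES = {
    "token", "access_token", "id_token", "refresh_token", "jwt",
    "session", "sessionid", "sid", "auth", "authorization",
    "api_key", "apikey", "key", "secret", "password", "passwd", "pwd",
    "code", "signature", "sig",
}
MIN_SECRET_LENGTH = 20      # shorter values are rarely bearer material
ENTROPY_THRESHOLD = 3.5     # bits per character; random base64/hex runs score above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, a rough signal for randomly generated values."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_is_sensitive(name: str) -> bool:
    n = name.lower()
    return n in SENSITIVE_NAMES or n.endswith("token") or n.endswith("secret")


def looks_like_secret(name: str, value: str) -> bool:
    """Flag by well-known name, or by a long high-entropy value under any name."""
    if name_is_sensitive(name):
        return True
    return len(value) >= MIN_SECRET_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD


def redact_url(url: str) -> tuple[str, list[str]]:
    """Return the URL with secret-looking parameter values replaced, plus the
    names of the parameters that were redacted. Non-secret parameters are kept."""
    parts = urlsplit(url)
    flagged, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_secret(name, value):
            flagged.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), flagged


def scan_records(lines: list[str]) -> list[dict]:
    """Process captured records of the form {"u": "<url>"} and report, per
    record, which parameters would have leaked and a log-safe form of the URL."""
    report = []
    for line in lines:
        url = json.loads(line)["u"]
        redacted, flagged = redact_url(url)
        report.append({"url": url, "redacted": redacted, "flagged": flagged})
    return report


# Constructed sample records in the shape quoted above (hosts use the reserved .invalid TLD).
CAPTURED = [
    '{"u": "https://www.google.com/search?q=target"}',
    '{"u": "https://example.invalid/reset?token=3f9a8c2d7e1b4f6a9c0d2e5b7a1f3c8d"}',
    '{"u": "https://app.example.invalid/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"}',
    '{"u": "https://cdn.example.invalid/asset.js?v=1700000000"}',
    '{"u": "https://files.example.invalid/share?x=Qm9iVGhlQnVpbGRlcjIwMjQhcmFuZG9t"}',
]


if __name__ == "__main__":
    for entry in scan_records(CAPTURED):
        status = "LEAK " + ",".join(entry["flagged"]) if entry["flagged"] else "ok"
        print(f"{status:24s} {entry['redacted']}")
```

The name list catches the common cases (OAuth `code`, password-reset `token`); the entropy check is there for the opaque parameter a service invented its own name for, at the cost of occasionally flagging a long cache-busting hash. The same `redact_url` is what you would run on a URL before it is written to any log a third party might read.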

                                                                            • coldtea 32 minutes ago

                                                                              Can extensions:

                                                                              be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?

                                                                              be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?

                                                                              If not, I wouldn't touch them with a 10000ft pole.

                                                                              • mentalgear 3 hours ago

                                                                                Browser extensions have much looser security than you would think: any extension, even if it just claims to change a style of a website, can see your input type=password fields - it's ludicrous that access to those does not need its own permission!

                                                                                • sebzim4500 3 hours ago

                                                                                  It's hard to see how you would implement that, any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the context script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.

                                                                                  • throwaway0665 2 hours ago

                                                                                    Browsers break backwards compatibility for security all the time. Most recently Chrome made accessing devices on a local network require a permission. They completely changed the behavior of cookies. They break loads of things for cross origin isolation.

                                                                                    • sebzim4500 2 hours ago

                                                                                      Sure, but this would break a significant portion of sign in UIs.

                                                                                  • drdec an hour ago

                                                                                    Even scripts within the page itself cannot read the value of password input fields. This is less of an issue than you are presenting it as.

                                                                                    • Valodim an hour ago

                                                                                      ...uhh, yes they can? Are you talking about input type=password fields, i.e. the ones 99% of passwords are entered in?

                                                                                  • Pacers31Colts18 2 hours ago

                                                                                    I think the industry needs to rethink extensions in general. VSCode and browser extensions seem to have very little thorough review or thought into them. A lot of enterprises aren't managing them properly.

                                                                                    • drdec an hour ago

                                                                                      Absolutely. I have not installed useful browser extensions because Mozilla isn't the maintainer. E.g. the Google container.

                                                                                    • cebert 2 hours ago

                                                                                      Hopefully people will start learning that you want to install as few browser extensions as possible.

                                                                                      • mrweasel an hour ago

                                                                                        In principle I agree with you, there is just so much crap online that it's tempting to just add this one more extension to fix something.

                                                                                        Looking at my own installed extensions, I have a password manager, Privacy Badger and Firefox Multi-Account Containers, which I suppose are the three I really need. Then I have one that puts the RSS icon back in the address bar, because Mozilla feels that RSS is less important than having the address bar show me special dates, and two that remove very specific things: one for cookie popups and one for removing sign-in with Google.

                                                                                        The only one of these I feel should actually be a plugin is my password manager. Privacy management (including cookies), RSS and containers could just be baked into Firefox. All of those seem more relevant to me than AI.

                                                                                        Maybe adding a GreaseMonkey lite could fix the rest of my problem, using code I write and control.

                                                                                        • probably_wrong 2 hours ago

                                                                                          My honest reaction to your comment is "What? No!".

                                                                                          I want to block ads, block trackers, auto-deny tracking, download videos, customize websites, keep videos playing in the background, change all instances of "car" to "cat" [1], and a whole bunch of weird stuff that probably shouldn't be included in the browser by default. Just because the browser extension system is broken it doesn't mean that extensions themselves are a problem - if anything, I wish people would install more extensions, not less.

                                                                                          [1] https://xkcd.com/1288/

                                                                                        • neya 21 minutes ago

                                                                                          Nobody is going to even do anything about SimilarWeb for pulling this off? My understanding from the article is that they're actively behind this.

                                                                                          When I was the CTO in a previous role, SimilarWeb approached us. I read through the code snippet they gave us to inject onto our site. It was a sophisticated piece of borderline spyware that didn't care about anyone in the entire line of sight - including us. They not only were very persistent, they also had a fight with our management - for refusing to use their snippet. They wanted our data so bad (we had very high traffic at the time). All we wanted was decent analytics for reporting to senior management and Google had just fucked up with their GA4 migration practices. I switched them to Plausible.io and never looked back. It was the least I could do; we had to trade off so many data points in comparison to GA, but it still works flawlessly to date. Fuck SimilarWeb.

                                                                                          • Grom_PE 2 hours ago

                                                                                            It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website, and then the installed extension autoupdates without an option to turn it off.

                                                                                            I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
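The "unpack the .crx and look at the code first" step above can be scripted. This is an added example, not the commenter's tooling: it parses the CRX3 container (magic `Cr24`, version 3, header length, protobuf header, then the ZIP Chrome installs) and summarises the manifest permissions a reviewer checks before loading the extension unpacked. The sample CRX3 is constructed inline with an opaque placeholder header; a real file carries a signed protobuf header there.

```python
"""Inspect a Chrome .crx (CRX3) package offline before loading it unpacked.
Added example, not code from the thread. CRX3 layout: magic 'Cr24', two
little-endian uint32s (version = 3, header length), a protobuf header, then
the ZIP Chrome installs. Only the header length is needed to reach the ZIP,
so the header is treated as opaque bytes; a sample CRX3 is built inline."""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"
CRX3_VERSION = 3
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_crx3(data: bytes) -> tuple:
    """Return (protobuf_header, zip_payload), validating the CRX3 layout."""
    if len(data) < 12 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != CRX3_VERSION:
        raise ValueError(f"unsupported CRX version {version}")
    header_end = 12 + header_len
    if header_end > len(data):
        raise ValueError("header length exceeds file size")
    payload = data[header_end:]
    if payload[:2] != b"PK":
        raise ValueError("payload is not a ZIP archive")
    return data[12:header_end], payload


def manifest_summary(data: bytes) -> dict:
    """Extract the manifest fields a reviewer checks before trusting a package."""
    _header, payload = split_crx3(data)
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        files = zf.namelist()
    hosts = manifest.get("host_permissions", [])
    matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    # Content script on every page plus a broad host grant = can observe and report all browsing.
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "permissions": sorted(manifest.get("permissions", [])),
        "host_permissions": sorted(hosts),
        "content_script_matches": sorted(set(matches)),
        "broad_host_access": any(m in BROAD_MATCHES for m in hosts + matches),
        "files": sorted(files),
    }


def build_sample_crx3(manifest: dict) -> bytes:
    """Constructed sample: a manifest in a ZIP, wrapped in a CRX3 container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("content.js", "// constructed placeholder content script\n")
    header = b"\x00" * 16  # stands in for the signed protobuf header
    return (CRX_MAGIC + struct.pack("<II", CRX3_VERSION, len(header))
            + header + buf.getvalue())


SAMPLE = build_sample_crx3({
    "manifest_version": 3, "name": "Constructed Example", "version": "1.0",
    "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})
```

Run `manifest_summary(open("some.crx", "rb").read())` on a downloaded package; `broad_host_access` being true is the signal to read the content scripts before loading it.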

                                                                                            • nkmnz an hour ago

                                                                                              Is there a way to use extensions from a private repository only, where I control the code and build pipeline?

                                                                                              • captn3m0 an hour ago

                                                                                                If someone would like to replicate, a good approach would be to reduce the cost by removing a full-chromium engine. I doubt these extensions are trying to do environment detection and won’t run under (for eg) JSDOM+Bun with a Chrome API shim.

                                                                                                • rkagerer 42 minutes ago

                                                                                                  Here are 3 examples identified in their results.

                                                                                                  Play Store pages for all 3 list strong assurances about how the developer declares no data is being sold to third parties, or collected unrelated to the item's core functionality.

                                                                                                  Brave Web browser (runapps.org) https://chromewebstore.google.com/detail/mmfmakmndejojblgcee...

                                                                                                  Handbrake Video Converter (runapps.org) https://chromewebstore.google.com/detail/gmdmkobghhnhmipbppl...

                                                                                                  JustParty: Watch Netflix with Friends (JustParty.io) https://chromewebstore.google.com/detail/nhhchicejoohhbnhjpa...

                                                                                                  My open question to Google is: What consequences will these developers face for lying to you and your users, and why should I have any faith at all in those declarations?

                                                                                                  • nanobuilds 2 hours ago

                                                                                                    The browsing data itself is only half the problem. Even if you remove the spying extension, the profile it helped build persists and keeps shaping what you see as it gets sold and changes hands.

                                                                                                    We focus a lot on blocking data collection and spyware, but not enough on what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.

                                                                                                    • hackinthebochs 2 hours ago

                                                                                                      Load extensions in developer mode so they can't silently install malware on you.

                                                                                                      • endsandmeans 2 hours ago

                                                                                                        Most of them jump out as immediately dodgy -- except Stylish. That is the only one I've ever used on the list, but it's been several years.

                                                                                                        • insin 2 hours ago

                                                                                                          HN story about what Stylish was up to 7 and a bit years ago:

                                                                                                          https://news.ycombinator.com/item?id=17447816

                                                                                                          I'd assumed most people would have jumped ship to Stylus [1] after that, but most people probably never heard anything about what Stylish was/is doing.

                                                                                                          [1] https://chromewebstore.google.com/detail/stylus/clngdbkpkpee...

                                                                                                          • fusslo 2 hours ago

                                                                                                            "zoom", "LibreOffice Editor", "Enhanced Image Viewer", "Video Downloader PLUS"

                                                                                                            I guess I shouldn't be surprised at how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims.

                                                                                                            I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)

                                                                                                            • Cyuonut 2 hours ago

                                                                                                              Stylish was sold in 2016, and has had spyware from at least 2018 on.

                                                                                                            • bennydog224 an hour ago

                                                                                                              It’s obvious CWS has given up on oversight of these extensions. It’s a minefield.

                                                                                                              • lapcat 2 hours ago

                                                                                                                > We built an automated scanning pipeline that runs Chrome inside a Docker container, routes all traffic through a man‑in‑the‑middle (MITM) proxy, and watches for outbound requests that correlate with the length of the URLs we feed it.

                                                                                                                The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
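The length-correlation test the quoted article describes can be run over proxy records in a few lines. This is an added example, not the article's pipeline: URLs of deliberately different lengths are "fed" to the browser, and any destination whose outbound request size rises with the fed URL length is flagged. The proxy log rows and hostnames are constructed placeholders, and the example assumes the MITM proxy terminates TLS so body sizes are plaintext sizes.

```python
"""Flag destinations whose outbound request size tracks the length of the
URL the browser was sent to, as the article's scanning pipeline does.
Added example, not the article's code; the proxy records are constructed
and the hostnames are placeholders. Assumes the MITM proxy terminates TLS,
so recorded body sizes are plaintext sizes."""
import math
from collections import defaultdict

# Constructed: URLs of deliberately different lengths fed to the browser.
FED_URLS = [
    "https://example.test/a",
    "https://example.test/articles/2024/extension-audit",
    "https://example.test/search?q=" + "x" * 80,
    "https://example.test/p/" + "y" * 200 + "?session=" + "z" * 64,
    "https://example.test/b2",
    "https://example.test/docs/" + "w" * 140,
]


def constructed_proxy_log():
    """Rows of (fed_url, destination_host, request_body_bytes)."""
    rows = []
    for url in FED_URLS:
        # Legitimate blocklist check: fixed-size request, independent of the URL.
        rows.append((url, "rules.example-legit.test", 48))
        # Exfiltration: the URL is base64-encoded into a JSON envelope, so the
        # body grows with URL length (4/3 inflation plus a constant envelope).
        rows.append((url, "collect.example-shady.test", 90 + 4 * math.ceil(len(url) / 3)))
    return rows


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 0.0
    return cov / (sx * sy)


def correlation_by_host(rows, min_obs=5):
    """Per destination host: correlation between fed URL length and body size."""
    by_host = defaultdict(lambda: ([], []))
    for url, host, size in rows:
        by_host[host][0].append(len(url))
        by_host[host][1].append(size)
    # Too few observations make the correlation meaningless, so skip them.
    return {host: round(pearson(lens, sizes), 3)
            for host, (lens, sizes) in by_host.items() if len(lens) >= min_obs}


def suspicious_hosts(rows, threshold=0.9):
    """Hosts whose request sizes rise with the fed URL length."""
    return sorted(h for h, r in correlation_by_host(rows).items() if r >= threshold)
```

Compression or padding on the wire lowers the correlation rather than removing it, which is why the article varies URL length widely instead of looking for the URL bytes themselves.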

                                                                                                                • bell-cot an hour ago

                                                                                                                  GOOG didn't get to be one of the most profitable corporations in the world by spending big on cost centers.

                                                                                                                  • lapcat an hour ago

                                                                                                                    It can't cost that much if some random blogger can do it.

                                                                                                                • bittercucumber an hour ago

                                                                                                                  Only 37M? I'd have guessed a higher number than that.

                                                                                                                  • qcontinuum1 29 minutes ago

                                                                                                                    We were hoping to see that as well. There might be v2 of this research ;)

                                                                                                                  • ubermonkey an hour ago

                                                                                                                    I legit do not understand the Chrome hegemony.

                                                                                                                    • PurpleRamen 2 hours ago

                                                                                                                      I don't really understand the complaint here. It seems most of those extensions have it as their literal purpose to send the active URL and get additional information back, to do something locally with it.

                                                                                                                      And why does this site have no scrollbar?? WTF, is web design finally that broken?

                                                                                                                      • moebrowne 2 hours ago

                                                                                                                        > And why does this site have no scrollbar

                                                                                                                        Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:

                                                                                                                            scrollbar-width: thin;
                                                                                                                            scrollbar-color: rgb(219,219,219) rgb(255,255,255);

                                                                                                                        • qcontinuum1 25 minutes ago

                                                                                                                          We beg to differ. Consider, for example, "BlockSite Block Websites and Stay Focused": why would you need to send browsing data to a remote server if your job is only to block selected domains?

                                                                                                                        • PlatoIsADisease 2 hours ago

                                                                                                                          My initial solution was:

                                                                                                                          >Before installing, make each user click a checkbox for what access the extension has

                                                                                                                          However, as I've seen on Android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update has automatically taken place and new code is installed.)

                                                                                                                          Here are the two solutions I have; neither is perfect:

                                                                                                                          >Do not let updates happen automatically, for security reasons. This prevents a change in an app from becoming malware, but leaves the app open to Pegasus-like exploits.

                                                                                                                          >Let updates happen automatically, but this leaves you open to remote, unapproved installs.

                                                                                                                          • nekusar an hour ago

                                                                                                                            Yes, and?

                                                                                                                            Chrome/Google/Alphabet is spying on 100% of their users.

                                                                                                                            Quit using Alphabet stuff, and your exploitation factor goes down a LOT.

                                                                                                                            • croes an hour ago

                                                                                                                              Just create an AI service and users will voluntarily send you all their data.

                                                                                                                              No need for such complicated attacks /s

                                                                                                                              • kgwxd 2 hours ago

                                                                                                                                Yo dawg...

                                                                                                                                • wormpilled 2 hours ago

                                                                                                                                  I heard you wanted spyware in your spyware