For over 10 years that I maintain a reasonably popular cross-browser extension, I've been collecting various monetization offers. They simply don't stop coming: https://github.com/extesy/hoverzoom/discussions/670

It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.

You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.

If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.

While assuming absolutely zero bad will on your part, I would nevertheless find it fair if you were legally on the hook for whatever happened after the sale, unless you could prove that you provided reasonable means for the users of your extension to perform their due diligence on the new owner of the extension.

This is of course easy to say in hindsight, and is absolutely a requirement that should be enforced by the extension appstore, not by individual contributors such as yourself.

15 years ago was probably this type of business in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.

An extension from a trusted, non anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually build verbatim from the code which is open sourced.

How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running?

consider how the xz supply-chain attack occurred 2 years ago [0]. the malware isn't auditable with a `git clone` as easily as you might want.

[0] https://research.swtch.com/xz-timeline

Do you also audit every part of every car you buy or medicine you take? Or do you rely on large well-established institutions to do that for you?

"Dont trust google" imo is the wrong response here. We are at the mercy of our institutions, and if they are failing us we need mechanisms to keep them in check.

This is the safest way. You also want to disable auto update to version lock, which means using Firefox or Safari or loading unpacked if you use Chrome.

Annoyed with how the AWS console sometimes changes regions on its own, I recently decided that I need an extension to make the current region displayed prominently. After a bit of research, I found the AWS Colorful Navbar [0] extension, which does pretty much exactly what I wanted, but (understandably) requires granting it "This extension can read and change your data on sites" on `://.console.aws.amazon.com/*`, which I'm not willing to give to an external extension. So my solution was forking the repo [1], carefully auditing the code, and then installing it from a local clone (which they actually have a nice explanation for). Going forward, I think I'll try using this approach for all sensitive extensions.

[0] https://chromewebstore.google.com/detail/aws-colorful-navbar...

[1] https://github.com/nalbam/aws-navbar-extension

It’s one of the reasons I run Safari, which strictly limits what extensions can do for these reasons

And you audit every update? Ahem.

> This is why I only run open source extensions that I can actually audit.

How far does your principle extend? To your web browser too? Google Chrome itself is partly but not entirely open source. Your operating system? Only Linux? Mac and Windows include closed source.

Damned if you do, damned if you don't.

I don't think that your daughter might know if say any web cam might take photos and see what she's searching if the extensions are indeed malicious.

I'd either go ahead and talk to her and remove extensions altogether and ask her to have a stock/only open source extensions (yes opensource also has supply issues but its infinitely more managable than this) or the second option being to maybe create them yourself . I don't know about how chrome works (I use firefox) but one thing that you can do is if the thing is simple for your daughter, then just vibe code it and use tampermonkey (heck even open source it) and then audit the code written by it yourself if you want better security concerns.

Nowadays I really just end up creating my own extensions with tampermonkey before using any proprietory extension. With tampermonkey, the cycle actually feels really simple (click edit paste etc.) and even a single glance at code can show any security errors for basic stuff and its one of the few use cases of (AI?) in my opinion.

I have published an extension [1] that has 100k+ users and I've probably received hundreds of emails over the years asking me to sell out in one way or another. It's honestly relentless. For that reason I also only trust uBlock Origin, Bitwarden and my own extensions.

I'd also note that all this spam is via the public email address you're forced to add to your extension listing by Google. I don't think I've ever had a single legitimate email sent to it. So yeh, thanks Google.

[1] https://chromewebstore.google.com/detail/old-reddit-redirect...

That's the only extension I have installed too!

I used to have tree-style tab, but now firefox has got native support for vertical tabs so I don't need to install anything extra.

Installing new extensions is sometimes appealing, but the risk is just too high.

> The only extension I trust enough to install on any browser is uBlock Origin.

Note however that the origin of uBlock Origin is that the developer Raymond Hill transferred control of the original uBlock project to someone who turned out not to be trustworthy, and thus Hill had to fork it later.

If a service is sending auth tokens as URL parameters, stop using it. Those are always public.

> And why didn't one of the wealthiest companies of the world capture this themselves?

Assume they did.

And the question becomes "Why didn't they come clean?" ... and much easier to answer.

And then an extension to alert you to bad extensions.

Great idea! Someone please do this.

So this would require a list of decided malicious extensions or not and someone can go ahead and check through that.

To find the list of decided malicious extensions, I can imagine that a github repository where people can create issues about the lack of safety (like imagine some github repo where this case could've also been uploaded) and people could discuss and then a .txt/json file could be there in the repo which gets updated every time an extension is confirmed to be malicious.

Thoughts?

Edit: (To take initiative?) I have created a git repo with this https://github.com/SerJaimeLannister/unsafe-extensions-list but I would need some bootstrap list of malicious extensions. So I know nothing about this field and the only extension I can add is this one maybe but maybe someone can fork this idea (who is more knowledgable within the extension community space) or perhaps they can add entries into it.

Edit 2: Looks like qcontinuum actually have a github repo and I hadn't read the article while I had written the comment but its not 1 extension but rather 287 extensions and they have mentioned all in their git repo

https://github.com/qcontinuum1/spying-extensions

So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

Their offers are very hard to claim - only eligible to be used in their store, only given after making a purchase in their store, among other random strings. I tried to claim the same offer but could never actually get it.

Nothing happens when I click `Scan`.

In principle I agree with you, there is just so much crap online that it's tempting to just add this one more extension to fix something.

Looking at my own installed extensions, I have a password manager, Privacy Badger and Firefox Multi-Account Containers, which I suppose is the three I really need. Then I have one that puts the RSS icon back in the address bar, because Mozilla feels that RSS is less important than having the address bar show me special dates, and two that removes very specific things: One for cookie popups and one for removing sign in with Google.

The only one of these I feel should actually be a plugin is my password manager. Privacy management (including cookies), RSS and containers could just be baked into Firefox. All of those seems more relevant to me than AI.

Maybe adding a GreaseMonkey lite could fix the rest of my problem, using code I write and control.

And apps, and software dependencies in general.

My honest reaction to your comment is "What? No!".

I want to block ads, block trackers, auto-deny tracking, download videos, customize websites, keep videos playing in the background, change all instances of "car" to "cat" [1], and a whole bunch of weird stuff that probably shouldn't be included in the browser by default. Just because the browser extension system is broken it doesn't mean that extensions themselves are a problem - if anything, I wish people would install more extensions, not less.

[1] https://xkcd.com/1288/

It's hard to see how you would implement that, any script run within the context of the page needs access to these fields for backwards compatibility reasons, so the context script of the extension would just need to find a way of running code in the context of the page to exfiltrate the data. It could do this by adding script tags, etc.

Even scripts within the page itself cannot read the value of password input fields. This is less of an issue than you are presenting it as.

Absolutely. I have not installed useful browser extensions because Mozilla isn't the maintainer. E.g. the Google container.

Without any doubt the research could continue on this. We had many opportunities to make the scan even wider and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definite.

There are resource constrains. Those extensions try to actively detect if you are in developer mode. Took us a while to avoid such measures and we are certain we missed many extensions due to for example usage of Docker container. Ideally you want to use env as close to the real one as possible.

Without infrastructure this doesn't scale.

The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.

It is, but the particular ways Google will harm you are very different from how small/medium criminals will harm you.

> be scoped

Yes. Not usually user-controllable though.

> be forced to have a clear non-obfuscated feed

Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t enforce it to not obfuscate the network requests though (you’d have to make extensions non-Turing complete).

You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have a readable source code, for example.

HN story about what Stylish was up to 7 and a bit years ago:

https://news.ycombinator.com/item?id=17447816

I'd assumed most people would have jumped ship to Stylus [1] after that, but most people probably never heard anything about what Stylish was/is doing.

[1] https://chromewebstore.google.com/detail/stylus/clngdbkpkpee...

"zoom", "LibreOffice Editor", "Enhanced Image Viewer", "Video Downloader PLUS"

I guess I shouldnt be surprised on how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims

I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)

Stylish was sold in 2016, and has had spyware from at least 2018 on.

GOOG didn't get to be one of the most profitable corporations in the world by spending big on cost centers.

We were hoping to see that as well. There might be v2 of this research ;)

I heard you wanted spyware in your spyware

> And why does this site has no scrollbar

Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:

    scrollbar-width: thin;
    scrollbar-color: rgb(219,219,219) rgb(255,255,255);

We beg to differ. Consider for example "BlockSite Block Websites and Stay Focused" why would you need to send browsing data to remote server if your job is only to block selected domains?