The Karma connection in Chrome Web Store

(palant.info)

132 points | by supermatou 4 hours ago

25 comments

  • semenko 3 hours ago

    I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn't happened.

    Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.

    [1] https://developer.chrome.com/docs/webstore/program-policies/...

    [2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...

    [3] https://developer.chrome.com/docs/webstore/program-policies/...

    • Raed667 3 hours ago

      Even with MV3 you still have access to `chrome.webRequest.onBeforeRequest` and content scripts, so this particular issue won't be 100% solved.

      I don't think the solution is technical. The solution would be a strict policy, and nuke every extension and publisher from the store who even hints at doing this kind of BS.

  • _fw 2 hours ago

    I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.

    How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?

    This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?

    Additionally, are we even able to review the source code of extensions if they are not open source?

    • rKarpinski 2 hours ago

      > I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.

      It's crazy and it's not even a "Google Scale" problem. There are only around 2,000 extensions that are popular (100k+ users) and the co-ordinated malicious activity is super blatant.

      > Additionally, are we even able to review the source code of extensions if they are not open source?

      Yes, and you can even do this without installing the code by downloading the zip file (that contains the extension code) by using the extensionId + a GET request (or using a browser).

    • timabdulla 2 hours ago

      You can unpack and view the code of any extension after you've installed it. There's even a rule against obfuscation, though I'm not sure how enforced that is.

      A Chrome extension is basically a zip archive with a bunch of JavaScript inside. There's no safeguarding of the code within.

      • hysan an hour ago

        > There's even a rule against obfuscation

        This is definitely not enforced. I’ve downloaded multiple extensions in the past when I wanted to learn how they worked. All of them were obfuscated.

        edit: saw the below comment and editing before this gets questioned. I’m not talking about minification. It was definitely obfuscation.

      • Raed667 2 hours ago

        > There's even a rule against obfuscation

        Does that only cover the background/web-worker or does it also include the UI parts (popup, content-ui, dev-tools...) ? That would make using something like React or Vue almost impossible.

        • timabdulla 2 hours ago

          There's no rule against minification, which I assume is what you're referring to when you say it would make using React or Vue impossible.

          There's a difference between minification and obfuscation, but again, I'm not sure how they adjudicate it or how much they enforce it.

    • zb3 31 minutes ago

      > This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands

      That's why on chromium I only install extensions that have their source on GitHub, as unpacked extensions.

  • michaelbuckbee 3 hours ago

    There was a question raised but not really answered about "what do these extensions want with all this browsing data?" - while it may be that they're used for direct ad targeting (like real time ad buying against your IP address) it's more likely that they're selling "click stream" data.

    In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it's also custom enterprise reports that are like "how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?"

    • palant 2 hours ago

      Note: I am the author of this article.

      That question is answered, in the last section of the article. And: yes, they are selling it, as they admit in the privacy policy.

  • barumrho 2 hours ago

    I've decided that browser extensions are too much of a security/privacy risk. I just stick with 1password extension and an ad blocker extension that uses Safari's Content Blocker API only.

    And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don't do day-to-day browsing there.

    • blibble 2 hours ago

      I'm similar.

      I have all relatives set up with a separate browser for e.g. banking, and it has no extensions at all

      then the usual internet browsing one with the security nightmare that is the chrome/firefox app store

  • tencentshill 4 hours ago

    Is there any way to only allow chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.

    • advisedwang 3 hours ago

      Most users have no way to vet a chrome extension update (or on initial install). If we want strong security for everyone, we need better solutions than that.

    • skybrian 3 hours ago

      Here is one workaround: if you have to use a Chrome extension, make a separate profile just for that task. Don’t run any by default.

    • sovok_x 3 hours ago

      AFAIK there are two ways for this, neither of which is convenient to use: install all extensions from the source (you can unpack an existing crx for it or use their cloned repo if it's open source) or use a group policy to disable extensions autoupdate and update each of them manually when the new version has something you want.
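
      The download-and-unpack route rKarpinski (extensionId + GET request) and sovok_x (unpack an existing crx) describe, as an added example that is not code from the article or any commenter: it builds the Web Store download URL pattern that crxviewer-style tools use, strips the CRX2/CRX3 container to get the plain zip, and summarises the manifest's permissions and host access, which is the first thing to check when reviewing an extension. The URL pattern is an assumption (undocumented, may change), and the sample extension with its zeroed CRX3 header is constructed here; a real CRX3 header carries a protobuf with signatures, which this does not verify.

```python
import io
import json
import struct
import zipfile

UPDATE_URL = ("https://clients2.google.com/service/update2/crx"
              "?response=redirect&prodversion=120.0&acceptformat=crx2,crx3"
              "&x=id%3D{ext_id}%26uc")

def crx_download_url(ext_id: str) -> str:
    """URL pattern used by crxviewer-style tools (assumption: undocumented, may change)."""
    if len(ext_id) != 32 or not all("a" <= c <= "p" for c in ext_id):
        raise ValueError("extension ids are 32 characters from a-p")
    return UPDATE_URL.format(ext_id=ext_id)

def crx_to_zip(crx: bytes) -> bytes:
    """Strip the CRX2/CRX3 container header; what remains is a plain zip archive."""
    if crx[:4] != b"Cr24":
        raise ValueError("not a CRX file")
    version = struct.unpack_from("<I", crx, 4)[0]
    if version == 2:  # CRX2: key length, signature length, key, signature, zip
        key_len, sig_len = struct.unpack_from("<II", crx, 8)
        start = 16 + key_len + sig_len
    elif version == 3:  # CRX3: header length, protobuf CrxFileHeader, zip
        start = 12 + struct.unpack_from("<I", crx, 8)[0]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    return crx[start:]

def manifest_summary(zip_bytes: bytes) -> dict:
    """What a reviewer checks first: manifest version, permissions, host access, scripts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        m = json.loads(zf.read("manifest.json"))
        js_files = sorted(n for n in zf.namelist() if n.endswith(".js"))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    host_like = [p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"]
    hosts = sorted(m.get("host_permissions", []) + host_like)
    broad = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
    return {"manifest_version": m.get("manifest_version"),
            "permissions": sorted(p for p in m.get("permissions", []) if p not in host_like),
            "hosts": hosts, "all_sites": any(h in broad for h in hosts), "js_files": js_files}
def build_sample_crx3() -> bytes:
    """Constructed sample: minimal MV3 manifest in a zip, wrapped in an unsigned CRX3 header."""
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "permissions": ["storage", "webRequest"], "host_permissions": ["<all_urls>"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("bg.js", "// background code would be here\n")
    header = b"\x00" * 20  # placeholder where a real CRX3 carries the protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

Run `manifest_summary(crx_to_zip(open("some.crx", "rb").read()))` on a file fetched from `crx_download_url(...)` to see the same summary for a real extension; `all_sites` being true is what modeless's "access to all sites" count refers to.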

    • modeless 3 hours ago

      I don't think so. However, extensions are automatically disabled if they request more permissions. And in Manifest v3 most extensions won't have access to most pages unless you click on them.

      • lapcat 3 hours ago

        > And in Manifest v3 most extensions won't have access to most pages unless you click on them.

        That's not necessarily true.

        • modeless 3 hours ago

          Personally I have 15 extensions installed. Only four of them have access to all sites, and two of those are because they are not updated to Manifest v3 yet. I didn't say it was impossible for a Manifest v3 extension to have access to all sites. Most will not.

    • lapcat 3 hours ago

      > Is there any way to only allow chrome extensions to update with permission?

      With a firewall.

      • extraduder_ire 3 hours ago

        Can a firewall rule distinguish between an extension update and a new install? Would blocking the entire chrome web store cause other problems in chrome?

  • bborud 3 hours ago

    Why is Google not policing this? Liability concerns?

    • altairprime 3 hours ago

      Not reliably detectable by machines, not willing to allocate humans.

  • cxr 3 hours ago

    Most people aren't (or at least feel they aren't) able to take a hardline stance about only using free software, but if there's one area of your digital life you should be able to apply it to, it's browser extensions.