I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn't happened.
Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.
[1] https://developer.chrome.com/docs/webstore/program-policies/...
[2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...
[3] https://developer.chrome.com/docs/webstore/program-policies/...
Note: I am the author of this article.
MV3 makes it considerably harder to introduce a security vulnerability, but it doesn’t really help with outright malicious extensions. In the end this isn’t an issue which can be solved by technical means. It’s a moderation issue, and Google currently seems to be scaling back moderation despite not being great at it to start with.
Even with MV3 you still have access to `chrome.webRequest.onBeforeRequest` and content scripts, so this particular issue won't be 100% solved.
I don't think the solution is technical. The solution would be a strict policy, and nuke every extension and publisher from the store who even hints at doing this kind of BS.
There was a question raised but not really answered about "what do these extensions want with all this browsing data?" - while it may be that they're used for direct ad targeting (like real time ad buying against your IP address) it's more likely that they're selling "click stream" data.
In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it's also custom enterprise reports that are like "how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?"
Note: I am the author of this article.
That question is answered, in the last section of the article. And: yes, they are selling it, as they admit in the privacy policy.
I've decided that browser extensions are too much of a security/privacy risk. I just stick with 1password extension and an ad blocker extension that uses Safari's Content Blocker API only.
And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don't do day-to-day browsing there.
I'm similar
I have all relatives set up with a separate browser for e.g. banking, and it has no extensions at all
then the usual internet browsing one with the security nightmare that is the chrome/firefox app store
Is there any way to only allow chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.
Most users have no way to vet a chrome extension update (or on initial install). If we want strong security for everyone, we need better solutions than that
Here is one workaround: if you have to use a Chrome extension, make a separate profile just for that task. Don’t run any by default.
AFAIK there are two ways for this, neither of which is convenient to use: install all extensions from the source (you can unpack an existing crx for it or use their cloned repo if it's open source) or use a group policy to disable extensions autoupdate and update each of them manually when the new version has something you want.
I don't think so. However, extensions are automatically disabled if they request more permissions. And in Manifest v3 most extensions won't have access to most pages unless you click on them.
> And in Manifest v3 most extensions won't have access to most pages unless you click on them.
That's not necessarily true.
Personally I have 15 extensions installed. Only four of them have access to all sites, and two of those are because they are not updated to Manifest v3 yet. I didn't say it was impossible for a Manifest v3 extension to have access to all sites. Most will not.
> Is there any way to only allow chrome extensions to update with permission?
With a firewall.
Can a firewall rule distinguish between an extension update and a new install? Would blocking the entire chrome web store cause other problems in chrome?
Why is Google not policing this? Liability concerns?
Not reliably detectable by machines, not willing to allocate humans.
I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.
How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?
This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?
Additionally, are we even able to review the source code of extensions if they are not open source?
> I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.
It's crazy and it's not even a "Google Scale" problem. There are only around 2,000 extensions that are popular (100k+ users) and the co-ordinated malicious activity is super blatant.
> Additionally, are we even able to review the source code of extensions if they are not open source?
Yes and you can even do this without installing the code by downloading the zip file (that contains the extension code) by using the extensionId + a get request (or using a browser)
You can unpack and view the code of any extension after you've installed it. There's even a rule against obfuscation, though I'm not sure how enforced that is.
A Chrome extension is basically a zip archive with a bunch of JavaScript inside. There's no safeguarding of the code within.
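An added audit script, not from this thread or from any project named in it, that does what the two comments above describe: it strips the CRX2/CRX3 header, reads manifest.json out of the zip underneath, and reports the fields that decide whether the extension can see every site (host patterns, content-script matches) and intercept traffic (webRequest and friends). The sample package is constructed in memory so it runs offline; the permission and host lists it flags are my choice of what an auditor looks for first.

```python
import io
import json
import struct
import zipfile

# Host patterns that grant access to every site, and APIs worth a closer look.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
               "scripting", "tabs", "history", "cookies"}


def parse_crx(data: bytes) -> bytes:
    """Return the zip payload of a CRX2 or CRX3 package; raise on bad input."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        # CRX2: uint32 pubkey length, uint32 signature length, then both blobs.
        pk_len, sig_len = struct.unpack_from("<II", data, 8)
        start = 16 + pk_len + sig_len
    elif version == 3:
        # CRX3: uint32 header length, then a protobuf header we can skip.
        start = 12 + struct.unpack_from("<I", data, 8)[0]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    payload = data[start:]
    if payload[:2] != b"PK":
        raise ValueError("zip payload not found after CRX header")
    return payload


def audit_manifest(manifest: dict) -> dict:
    """Summarise how much of the browser the manifest lets the extension see."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if manifest.get("manifest_version", 2) < 3:
        # MV2 mixes host patterns into "permissions"; separate them out.
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
        perms -= hosts
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))  # content scripts run on these
    return {"manifest_version": manifest.get("manifest_version"),
            "all_sites": bool(hosts & BROAD_HOSTS),
            "risky_permissions": sorted(perms & RISKY_PERMS),
            "hosts": sorted(hosts)}


def audit_crx(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(parse_crx(data))) as zf:
        report = audit_manifest(json.loads(zf.read("manifest.json")))
        report["files"] = sorted(zf.namelist())
    return report


def build_sample_crx() -> bytes:
    """Constructed CRX3 sample (not a real extension): MV3 with all-site access."""
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "permissions": ["webRequest", "storage"],
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["c.js"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("c.js", "// placeholder content script\n")
    fake_header = b"\x00" * 8  # stands in for the real protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(fake_header)) + fake_header + buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(audit_crx(build_sample_crx()), indent=2))
```

To audit a downloaded package, read the .crx file as bytes and pass it to audit_crx; the file list shows what to open in the unpacked zip next.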
> There's even a rule against obfuscation
This is definitely not enforced. I’ve downloaded multiple extensions in the past when I wanted to learn how they worked. All of them were obfuscated.
edit: saw the below comment and editing before this gets questioned. I’m not talking about minification. It was definitely obfuscation.
> There's even a rule against obfuscation
Does that only cover the background/web-worker or does it also include the UI parts (popup, content-ui, dev-tools...) ? That would make using something like React or Vue almost impossible.
There's no rule against minification, which I assume is what you're referring to when you say it would make using React or Vue impossible.
There's a difference between minification and obfuscation, but again, I'm not sure how they adjudicate it or how much they enforce it.
> This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands
That's why on chromium I only install extensions that have their source on GitHub, as unpacked extensions.
Google's ad business is pop-ups and fake download buttons. What makes you think they care about user security vs making money?
They care about making money, but malicious extensions: damage the Google/Chrome brand, often are directly distorting the search experience and it opens them up to long tail liability (think Cambridge Analytica).
The problem is the organization isn't set up to promote people for proactively managing these risks. Similar to why Twitter never got rid of the bots
> They care about making money, but malicious extensions: damage the Google/Chrome brand, often are directly distorting the search experience and it opens them up to long tail liability (think Cambridge Analytica).
More importantly, they're not getting paid for any of the malicious addons. Sure, they might be getting a cut when they show fake download button (because they run the ad network), but what are they getting when sensor tower exfiltrates your browsing history? At best they're helping their competitors get better targeting data.
Disagree, they are getting paid. Fake views, Fake clicks, Fake users on their platforms inflating the numbers.
Making money off them didn't incentivize the grifts from coming about, but it slows down getting rid of it
> Fake views, Fake clicks, Fake users on their platforms inflating the numbers.
???
How does this apply to a malicious third party addon?
Because the extensions generate fake engagement on Google's properties & ad-network for affiliate fraud.
Where's the evidence for that? The OP only mentions affiliate fraud and user data harvesting. Neither of that seem to benefit google. To my knowledge google doesn't run an affiliate network, and data harvesting likely helps rival ad networks rather than google.
It's part of the affiliate fraud...
Just because there's affiliate fraud happening doesn't mean google is benefiting. What evidence is there that google is benefiting? Are they even using google's affiliate network? Does google even have one?
I had no idea until I made an extension how messed up the ecosystem is.
Now I regularly get offered ~5 figures a month in recurring revenue to turn my extension into malware & I've seen how blatant the abuses are by other extensions / the sellouts.
Is it that you don't believe these pieces of malware are generating fake engagement on Google's properties? Or that Clicks, Views & Users don't matter to Google?
> Is it that you don't believe these pieces of malware are generating fake engagement on Google's properties?
The extensions engage in affiliate fraud (ie. injecting affiliate code/cookies to links/sessions) and collect user data. That hardly counts as "engagement on Google's properties", which are mostly search ads and youtube. To my knowledge google doesn't have an affiliate network, so they're not getting anything there either.
You seem to imply that the extensions are engaging in ad fraud (eg. viewing/clicking on ads), but there's no evidence of that presented in the OP or in this comment section.
Not just ad fraud but yes... Fake google accounts, fake reviews, fake downloads, fake views etc. etc.
Again not saying they are profiting off of it as much as those are numbers you get promoted for moving up and to right in the OKR, not down.
Can share some receipts if you send me an email.
Most people aren't (or at least feel they aren't) able to take a hardline stance about only using free software, but if there's one area of your digital life you should be able to apply it to, it's browser extensions.
How does Firefox avoid this problem?
If anything the non Developer Editions of Firefox disabling the ability to load an extension locally (without resetting it every time the browser starts) closes one path to preventing auto-updating of extensions.
That's a path necessary only in Chrome - Firefox allows you to disable auto-update of extensions, both wholesale and individually, without extraneous steps like that.
(The ability to load extensions locally would be great for its own reasons, but that's irrelevant to this discussion.)
There are very few users, so no one buys the extensions.