Button Stealer (anatolyzenkov.com)
262 points by kickofline 6 months ago | hide | past | favorite | 78 comments



The issue with this “benign” extension is that it will be using

"host_permissions": "<all_urls>"

in its manifest, which means it can basically do anything on any webpage you visit, scrape data, etc.

As an extension developer, no thanks. “Fun” pointless extensions like this that have no real utility, but funnily enough require broad permissions, are dangerous.


> [...] but funnily enough require broad permissions

I don't think there is a way to implement this without said permission. You can always check out the code from GitHub and install the extension locally to avoid any malicious changes in the future.


And that’s why it shouldn’t be in the Chrome app store at all.

As a hobbyist developer, having that kind of access in other people’s browsers is not something I want, and I’m suspicious of developers who do seem to want it. It’s like “hey, I wrote a fun game that requires root access.”

At least limit it to people who know what GitHub is.


> hey, I wrote a fun game that requires root access

So... Just like AAA game studios, eh?


No. They are large and presumably have some sort of trust, and can lose the trust of people if they do particularly shady things. This may not bear itself out in practice, of course. But a game studio has something to lose, whereas hobbyist developer 73683 asking for root permissions for no real gain to you has nothing to lose from any number of things like scraping sites you visit or using your browser as a Tor exit node, or any number of things.


>> No. They are large and presumably have some sort of trust, and can lose the trust of people if they do particularly shady things.

Sony? Microsoft? EA? Apple? Exactly which giant megacorporation is beyond shady things?

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...


Apparently people are a telepathically interconnected species, who won't fall for corporate scams in waves.

Sadly, both those things are untrue.


yeah, I'm sure Genshin Impact's creators went out of business when their kernel-access anti-cheat was hacked by ransomware, or more recently the hacks mid live-broadcast tournaments (don't remember which game, I think it was Apex).

I mean that's what kids, teenagers, and young adults and non technical people in general are known for: their prudence and good technical decision making.

let's not talk about the other risk vector that Tencent, a Chinese company, is the one buying most of these game studios that have kernel access (not exclusively).


It doesn't even need to be a hack, or a malicious new owner taking over a game or other software package that has such access.

The original company could be malicious/stupid/both. See https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk... for the most famous example of “both”.


I don’t know what that is.


Which is the problem with games having kernel access for anti-cheat and <whatever-else-they-want-to-do-with-it>.

You don't know what they are doing in there. You don't really know who they are. Even if you do, corporate machinations might mean who has access to the facility to <what-ever-they-want-to-do> on your PC could change at any moment without your knowledge.

Most end-users are blissfully unaware of the potential consequences of this level of access (games having kernel access, and browser extensions having all-sites/all-contexts access).


Can you imagine if one of the big anti-cheats got hit with a supply chain attack? That would be devastating.


Right, but Google is surely the one at fault here. There should be absolutely no reason that this extension can "change all my data on all websites", whatever the hell that actually means.


Not "change all my data on all websites" but "read the content of all websites I visit".

Because an extension that finds all button elements on all websites you visit must necessarily start by reading the content of all websites you visit.


Yes, I think that one's acceptable in this case. It's the "change all my data" that is problematic.


I was under the vague impression that Manifest V3 was supposed to prevent this sort of thing. But looking at the extension, it is using MV3. Maybe it really was just about weakening ad blockers.


I think both the developer and Google have some control over what appears in the Chrome store.


What are you even talking about? Every piece of desktop software you have ever run has more permissions than a browser extension.

Is your stance that hobbyist developers should not be allowed to develop desktop software or CLI tools? The entire software development ecosystem would collapse in an instant. Or are you just not familiar with Windows' and Macs' (lack of a) permission system?


Unbelievably poor comparison... for several reasons:

1. Most antivirus solutions built into operating systems, such as Microsoft Defender, are unlikely to find suspicious extensions that are exfiltrating your data

2. Extensions autoupdate (and don't require you to re-authenticate their permission set)

3. It is not uncommon for large spyware companies to buy up a bunch of the most popular Chrome extensions, and proceed to inject them with malware.

4. Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone. There's a dangerous level of passivity to browser extensions for an average user who might forget they even have them installed on the browser.

Maybe number 2 has changed in the last 10 years, but it certainly didn't used to be the case.


> Most antivirus solutions built into operating systems such as Microsoft Defender are unlikely to find suspicious extensions that are exfiltrating your data

They can flag antivirus signatures just like everything else, and I've experienced this happening in the past. In the end, extensions are just some JavaScript/CSS files in a folder and they get scanned just like everything else.

> Extensions autoupdate

So can any piece of software if it wants to. It's trivial to make an updater start on boot.

> It is not uncommon for large spyware companies to buy up a bunch of the most popular chrome extensions, and proceed to inject them with malware

The same can happen, and has happened, for "regular" software.

> Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone

Desktop apps can trivially just not show a window if they want to. They can trivially add themselves to autostart. It depends entirely on what they're doing, just like an extension.


The lack of sandboxing in desktop applications is bad, but you aren’t going to be writing code to read every web page a user visits by accident, and that’s what some browser extensions do on purpose. They’re inherently working with more sensitive data. So that’s worse in certain ways. (And they are more sandboxed in other ways.)


> but you aren’t going to be writing code to read every web page a user visits by accident

No, instead you're just reading all files on the filesystem, including the browser's cookie store or whatever. The data you are, or can be, handling is just as, if not more, sensitive since it's literally a superset of what the browser has access to.

> The lack of sandboxing in desktop applications is bad

Some sandboxing would be nice, but the Google/Apple approach of needing to beg the vendor for every little permission isn't the way to go, either. I'd rather have software that can actually do things as opposed to only having useless sandboxed "apps".


My Mac sometimes prompts me to see if a Mac application should have access to certain directories, such as “Downloads,” so I’m not sure that’s entirely true anymore?

But in any case I think this is missing a distinction between what software developers can install in “developer mode” versus stuff that’s in the store for non-technical people to use. Apps in app stores see widespread use by people who barely know what a computer is, so I think there should be hoops you need to jump through to get distribution to the masses, at least for certain types of apps.

And those apps aren’t useless, they do important but security-sensitive things like banking, things us developers need to do too sometimes.

It’s a different world than hacking around on your Raspberry Pi or an old phone, and I think it should be different. Treating these situations the same muddies the issues.


Gatekeeping hobbyist mentioned


There is a way:

1) The extension could use the “activeTab” permission (would require the user to click the extension once when inside the current tab to activate the extension, then the extension will run for any URL they visit).


And that is so annoying no one would do it.


If Chrome permissions made sense a user could choose to activate the extension when they visit a site.

Also the extension could have no network access and have read-only access to the DOM to name a few improvements.


Hard to know if the GitHub code is the code being installed unless you build it from GitHub. 1/10000 people check+install like this.


It seems crazy that extensions don't have a permission for making network requests. Getting permission to access the DOM on all pages I visit is fine if there's no way to exfiltrate!


You can always exfiltrate by inserting stuff into the page's DOM that will do the exfil from the page's context.


Should have a separate permission to modify the DOM. This extension only needs to read the DOM.


Yes, a network access and DOM write permission should be one and the same. I think the reason it isn't done is because there are so many ways to leak data over a network. If the extension can trigger a DNS lookup somehow, it can exfiltrate data.

Android used to have a network permission but Google removed it.


> Android used to have a network permission but Google removed it.

That's because Google is in the ads business and wants apps to always be able to exfiltrate data to Google (Google Analytics, Google Ads, etc.) & display ads without needing additional permissions.

Having a network permission means there is an incentive for apps to not have the network permission which means they can't load ads. And Google wants you to look at their ads.


I block all external resources on my pages, but sure, it works well in most places! I think the default policy should be block on most pages.


I would hope that high value target sites such as banks would implement CSPs to prevent that or make it more difficult though.


You can save the data and exfiltrate through a site without CSP.


Or also a permission to disable automatic updates to reduce the issue of “popular extension sold to malware corp”.


1. Wait for an extension to become popular

2. Sell it to a company with malicious intentions

3. Get ad/spy/malware in your browser


That happened to me. I installed a plugin that would parse all pages for email addresses and store them for later reference. A few months later I started to see strange ads on pages that shouldn't have ads.


The permissions need to be more specific somehow.

I think the correct approach is to have the option to have a function isolated from the rest of the code. Then pay a trusted party to review the functionality of the function.

In this case said function may only 1) access the html on the website, 2) find the button and 3) return only that what makes the button.

Then the permission prompt, written by the trusted party, can be something accurate like: This extension wants to copy buttons from websites.

I'm calling it DEWISOTT computing: does exactly what it says on the tin

You can go wild and update your extension 1000 times per day without touching the function.


> written by the trusted party

This is the weak, and expensive, link.


The programming notary should be expensive per line.

If a function gets certified and a decent description it can be published for other developers to further scrutinize and use the same.

With user.script or Greasemonkey scripts it is kinda expected to read the script before use. Short scripts are easier to check.

Funny example

https://userscripts-mirror.org/scripts/show/179526

If the potentially dubious part can be isolated the notary, the publisher, the other developer and the user can easily review it. It seems much better than the current installing black boxes?


How is OP supposed to build the extension without doing this?


Yes, they sell for quite a bit, and the buyer may not have the same idea of “fun” as the original guy.


just like 'Grammarly' which is basically just a keylogger


Grammarly has to be able to connect back to their online service, while the button addon could be implemented in a way that it can read every website but not send anything anywhere (in theory; the addon could of course simulate a form and send data out through that or somehow).

But yeah, I tested Grammarly for 5 minutes and found it crazy.

There has to be a better way of getting both worlds :|


In DayJob we've had to block (actually block, because people didn't listen to being asked not to use it and similar tools) Grammarly because it sending text that could potentially include client data off to their servers for checking would have given us a nasty fail should a client request or conduct an audit.

As an alternative there is LanguageTool which you can install locally. We have it running on a small VM that people can configure their installs to talk to, and block the public service end-point (as sending to that would be a big no-no for us for the same reason as Grammarly). It doesn't have all the features of Grammarly so isn't a complete drop-in replacement, but the self-hosted version works as well as the free features of Grammarly.


>As an alternative there is LanguageTool which you can install locally. We have it running on a small VM that people can configure their installs to talk to, and block the public service end-point

I'm surprised that Grammarly hasn't come up with a local service like that, I bet they have a ton of enterprise users that would appreciate it.


Local software of course! But good luck getting funding for a product that doesn’t phone home every 5 seconds and present an opportunity to plague the user with ads “that they want to see”


I haven’t used it myself, but the LanguageTool browser extension might allow users to use a self-hosted or locally running instance.


As a fellow extension developer, you'll know that remote code is extremely sandboxed by the review process and you can jump into the code easily.

Hell if you're that paranoid, sniff any remote connections with mitmproxy and generally just... understand what an extension does before you leave it on your machine.

Some extensions are just fun; this extension is wicked for me as design inspiration, but yeah, salty take and Hacker News PB+J.


Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

I've heard that Firefox will only run signed extensions. Would you trust this process?


> Are (updates to) extensions from the Chrome and Firefox store usually vetted before publication?

Mozilla does not manually review most extensions (only extensions which Mozilla recommended are manually reviewed: https://support.mozilla.org/en-US/kb/add-on-badges).

Chrome's policy is that extensions are "reviewed periodically for compliance", but is unclear on how frequent this periodic review is (https://developer.chrome.com/docs/webstore/review-process).


My dude. Google Chrome hoovers up all your browsing history. Google knows the content of pages you visit, because you make search queries to visit them, and most sites use Google Analytics or Webmaster tools, or the sites are in their index and can be looked up by URL reported by Chrome. Google has your Gmail, YouTube, Google Drive… if it wanted to, it could access your private stuff because it has access to your email. You are whinging about a silly joke project with a hypothetical concern, when you are already granting broad permissions to all of your data.


This is the app version of a phishing email. Give us access to everything on every website you visit, just for some eye candy.


BonziBuddy vibes


I'd be worried about installing these sorts of extensions in case someone decides to offer the developer a lucrative amount of money to buy it and then uses it for less-than-fun purposes. Not sure if they'd need additional permissions for it, but at least the current content script is run against "https://*/*" already.


Is there a particular reason this uses Chrome-specific APIs instead of the standard WebExtensions API? I have considered experimenting with web extensions, but wondering what the practical limitations of the standard API are compared to the browser-specific APIs.


There's some difference but a lot of overlap in the basic functionality - Firefox is compatible with all the chrome.* API calls I use in my own extension


Chrome doesn’t support the web extension API


Technically correct, but it is a bit more complex. The original web extension API is based on the Chrome extension API. So most (there are some annoying exceptions at times) of the Chrome extension API calls also work with very little adjustment on Firefox. It becomes even easier when you use Mozilla's polyfill library https://github.com/mozilla/webextension-polyfill

Then you can just target the promise-based webextension syntax, and as long as you still stick to the calls also available in Chrome your extension works with very little effort in both browsers.

Safari is a different story which basically amounts to Apple being Apple and sort of supporting webextensions but in such a roundabout way that it is barely worth it for the majority of extension devs.



Now add a leaderboard for most collected...

BTW I had a look at the code and it seems benign. No clue if there's a way to verify the same code is in the Chrome extension store.


On Windows the location of Chrome's extensions is "AppData\Local\Google\Chrome\User Data\Default\Extensions". You can read the source code of all of your installed extensions there. This requires you to install the extension first. It is also possible to download the crx file of any extension from the Chrome Web Store and just unzip it to inspect the source, though I'm not sure how to do it with the official Chrome. Ungoogled Chromium downloads the crx file if you press "add to chrome" and then cancel.


I diff'd the Chrome extension against the GitHub repo and they are basically the same, outside of a few lines in the README.md missing and the manifest.json containing an update URL key to "https://clients2.google.com/service/update2/crx".
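The diff check described in the comment above, and the manifest host-permission concern raised at the top of the thread, as one added script that is not part of the thread or the Button Stealer project: it hashes every file in an unpacked extension directory and a repo checkout, normalizes manifest.json by dropping the Web Store-injected keys (update_url as seen in the thread, and key, an assumption), ignores README.md, .git and Chrome's _metadata directory (also an assumption), and lists which manifest entries grant access to every site.

```python
"""Check an installed Chrome extension against its public source and audit its host access."""
import hashlib
import json
import sys
from pathlib import Path

# Expected on one side only: README.md (per the thread), .git (checkout),
# _metadata (assumption: Chrome's signing data for installed extensions).
IGNORED_TOP_LEVEL = {"README.md", ".git", "_metadata"}
# manifest.json keys injected by the Web Store at packaging time.
STORE_MANIFEST_KEYS = {"update_url", "key"}
# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def is_ignored(rel_path: str) -> bool:
    return rel_path.split("/")[0] in IGNORED_TOP_LEVEL

def normalize(rel_path: str, data: bytes) -> bytes:
    """Bytes to hash: manifest.json minus store keys, key-sorted; other files as-is."""
    if rel_path != "manifest.json":
        return data
    manifest = json.loads(data)
    for key in STORE_MANIFEST_KEYS:
        manifest.pop(key, None)
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def load_tree(root: str) -> dict:
    """Map relative POSIX paths to file bytes for every non-ignored file under root."""
    base = Path(root)
    files = {p.relative_to(base).as_posix(): p for p in base.rglob("*") if p.is_file()}
    return {rel: p.read_bytes() for rel, p in files.items() if not is_ignored(rel)}

def compare_trees(store: dict, repo: dict) -> dict:
    """Files only in the store copy, only in the repo, or in both but different."""
    store = {k: v for k, v in store.items() if not is_ignored(k)}
    repo = {k: v for k, v in repo.items() if not is_ignored(k)}
    digest = lambda rel, data: hashlib.sha256(normalize(rel, data)).hexdigest()
    return {
        "only_in_store": store.keys() - repo.keys(),
        "only_in_repo": repo.keys() - store.keys(),
        "changed": {k for k in store.keys() & repo.keys()
                    if digest(k, store[k]) != digest(k, repo[k])},
    }

def broad_host_access(manifest: dict) -> list:
    """Manifest entries granting every-site access (MV3 host_permissions, MV2 permissions, content_scripts)."""
    patterns = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted({p for p in patterns if p in BROAD_PATTERNS})

if __name__ == "__main__":
    store_dir, repo_dir = sys.argv[1], sys.argv[2]
    for kind, files in compare_trees(load_tree(store_dir), load_tree(repo_dir)).items():
        print(f"{kind}: {sorted(files) or 'none'}")
    manifest = json.loads(Path(store_dir, "manifest.json").read_bytes())
    print("broad host access:", broad_host_access(manifest) or "none")
```

Run it as `python check_ext.py <unpacked-extension-dir> <repo-checkout-dir>`; an empty report means the store copy matches the repo apart from the store-injected manifest keys.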



I love watching mine, and love watching the cost to advertisers. Modern problems require modern solutions!


I love the idea but the <all_urls> access is a bit scary.

This could be recreated in a bookmarklet ideally, though it would require saving the button html snippets into a file that you'd have to make downloadable with some Blob weirdness.


I worked on something similar before that serves the same purpose, except that it steals CSS/SCSS and it's not an extension but rather a CLI tool; you can find it on GitHub as coalio/rfscss


Does it store the HTML/CSS for creating the buttons so you can easily repurpose them (which would be quite useful), or are they stored as images (which would be fun but less useful)? If the latter, how difficult are they to extract from the page that shows them all?


This sounds like a great way to find inspiration for UI/UX designs


Why would you install this? Who wants a collection of buttons?


Is there a Firefox version?


“It's fun, useless, and free!”


I WANT MY €5!


Cool! I want this for Safari please. Is that an easy port?


Cute idea but I'm not installing this malware lol


In addition to all the security concerns mentioned, you don't really need it. You can google or ask a chatbot to make you a custom button.



