XSS in Gmail through Rapportive (kotowicz.net)
110 points by xSwag on Dec 28, 2013 | 13 comments



This type of thing is all too common. We wrote about a worse case last year where an extension XSS'd quite literally the entire internet: https://www.tinfoilsecurity.com/blog/building-a-browser-exte...

The scariest thing here is that you have arbitrary code execution, so your options are limitless. Check out XSS Harvest: https://github.com/Miserlou/XSS-Harvest


Yeah so I'm uninstalling every plugin/extension I have that I don't absolutely trust. I'd recommend you do the same.


It's not a question of trust but competence, and that's practically impossible to evaluate as an end user.


Wow, that's scary stuff.

I guess the lesson here is to only use extensions from vendors where you have absolute confidence in their capabilities or from popular open source projects (basically the same thing).


Honestly, I'd rather just not use extensions at all. They've proven insecure in the past and will probably be insecure in the future. Even if they come from a trusted vendor, that won't mean that it won't be compromised.

Are all these extensions that "prettify" our browsing experience all that necessary? Some, maybe (HTTPS Everywhere, Ghostery, NoScript, etc.), but most of them aren't. I personally prefer to keep my browser clean; it's even more responsive this way.


Agreed. I read "extension that alters or scrapes pages you visit" and I hear "quick and dirty hack that does nearly-blind poking around in a foreign DOM tree that could change at any time." It doesn't exactly inspire confidence that someone who would rely on such a fragile technique would put a ton of thought into security.


What I'd like to see, and as far as I know it doesn't exist in any browser, is a way to prevent any extensions from running on certain sites. I want some things like Adblock installed for general browsing, but there's no reason I need it running on my email, my banking, my employer's control panel. I can white-list sites inside of extensions, but that still leaves me trusting the extension to properly implement their white-listing feature. I'd much rather have Chrome managing a list of sites where the extension doesn't get to run at all.


You can always use the incognito window to do that, but I agree it is really annoying.


Interesting. Looks like the most potentially dangerous extensions are the ones pulling stuff from other websites to inject into the current site, and ones doing text processing/conversion on document contents. I don't have any extensions that do that, so hopefully I'm safe...


Security problems like this are so common in 3rd party extensions / plugins / add-ons. While the most widely used open source ones tend to have fewer bugs, many of the less popular ones are full of problems. Take a look at WordPress plugins to see what I mean.




Great find :)



