“Stylish” extension with 2M downloads banned for tracking every site visit

29 points by jhack almost 7 years ago

4 comments

dagenix almost 7 years ago
This type of thing seems to keep happening. And there doesn't seem to be a good solution. Browser vendors don't want to scrutinize every extension available on their platforms since there is no financial incentive to. Notably, I don't think extension authors want browser vendors to scrutinize their extensions as that would delay getting out updates and fixes. Users want vendors to catch all the bad stuff, but would probably be outraged on behalf of their favorite extension the second any review process went away (ie: users want the magical no downside approach).

So, it's not really clear to me that anyone really wants a real review process created.

However, any extension which becomes popular instantly is put under pressure to sell to someone else who wants to do this type of nonsense. Of course, the extension author may not know which companies that want to buy their work want to violate user privacy and which don't - they just have an offer to pay for their work. So, even the authors that sell aren't necessarily doing anything wrong (at least not intentionally).

And there doesn't really seem to be a way for browser vendors to alert users when ownership of an extension changes - they may not even know, and even if they did, it seems unlikely that most users would know what to do with that information.

There just doesn't seem to be anyone in this whole process that really has an incentive to make things better. It seems like the only reasonable advice is to avoid extensions or only use extensions from major companies - which is kinda sad advice.
LinuxBender almost 7 years ago
Could they have captured banking or other financial or sensitive data?

The author used burp, but couldn't you also validate what is collected more explicitly by viewing the xpi contents for that add-on?
JdeBP almost 7 years ago
Still open discussion of the original, of which this is a news report:

* https://news.ycombinator.com/item?id=17447816
stephengillie almost 7 years ago
It's remarkable that uMatrix and uBlock Origin haven't sold out yet. What will we do if/when they do?