
Let's build a Chrome extension that steals as much data as possible

849 points by exadeci, over 2 years ago

34 comments

metadat, over 2 years ago
> Chrome scrolls the permission warning message container, so more than half of the warning messages don't even show up. I'd bet most users wouldn't think twice about installing an extension that appears to ask for just 5 permissions.

An egregious and nearly unbelievable oversight on Google's part. :-\

As a developer, it's unimaginable to me to not test the extreme high and low numbers of inputs cases to ensure things look and operate as expected. Especially for a security sensitive UI element.

The chain of humans who've been responsible for developing and testing Chrome Extension functionality and security has been asleep at the wheel this whole time, for something like 15 years.

There are so many risk-reduction controls in place; tons of red tape and umpteen security and privacy reviews required to ship even minor features or updates, yet here we are.

How many hands have been in the pot and not noticed/raised/resolved what amounts to a pretty obvious security vulnerability? And if this kind of issue can fly undetected for so long, what can organizations with drastically less resources than $GOOG do to ensure adequate velocity while not leaving the proverbial barn doors open?

The author deserves the highest tier of bug bounty reward for bringing this to light. What's that? It wasn't submitted through the proper channels to be eligible? Right.

<insert relevant Dilbert cartoon>
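The scrolled-away permission list metadat describes is exactly what a user or reviewer needs to see in full. As an added example (not code from the article or from anyone in this thread), here is a Node.js snippet that flattens a manifest's permissions, optional_permissions, host_permissions and content-script match patterns into one ranked list; the HIGH/MEDIUM/LOW tiers and the SAMPLE_MANIFEST are this example's own assumptions, not Chrome's warning text.

```javascript
// Added example (not from the article or this thread): flatten every access-granting
// manifest field into one list, so a reviewer sees the whole set rather than the few
// entries that fit in the install dialog. Risk tiers are this example's own assumptions.
const HIGH = new Set(["<all_urls>", "debugger", "webRequest", "cookies", "history",
  "clipboardRead", "nativeMessaging", "management", "proxy", "tabCapture",
  "desktopCapture", "pageCapture", "downloads", "system.storage"]);
const MEDIUM = new Set(["tabs", "webNavigation", "scripting", "bookmarks", "topSites",
  "geolocation", "identity", "browsingData", "sessions"]);
// Host match patterns look like "https://*.example.com/*"; "*://*/*" means every site.
const isHostPattern = (p) => p.includes("://");
const isAllHosts = (p) => p === "<all_urls>" || /^(\*|https?|file|ftp):\/\/\*\//.test(p);
function tier(p) {
  if (HIGH.has(p) || isAllHosts(p)) return "HIGH";
  if (MEDIUM.has(p) || isHostPattern(p)) return "MEDIUM";
  return "LOW";
}

// Collect permissions, optional permissions, host permissions and content-script
// match patterns (MV2 or MV3) into { source, permission, tier } entries.
function auditManifest(manifest) {
  const entries = [];
  const add = (source, list) =>
    (list || []).forEach((p) => entries.push({ source, permission: p, tier: tier(p) }));
  add("permissions", manifest.permissions);
  add("optional_permissions", manifest.optional_permissions);
  add("host_permissions", manifest.host_permissions);
  add("optional_host_permissions", manifest.optional_host_permissions);
  (manifest.content_scripts || []).forEach((cs, i) =>
    add(`content_scripts[${i}].matches`, cs.matches));
  return entries;
}
// Full report, highest risk first, one line per entry; nothing is scrolled away.
function formatReport(entries) {
  const order = { HIGH: 0, MEDIUM: 1, LOW: 2 };
  const lines = [...entries]
    .sort((a, b) => order[a.tier] - order[b.tier])
    .map((e) => `${e.tier.padEnd(6)} ${e.permission}  (${e.source})`);
  const high = entries.filter((e) => e.tier === "HIGH").length;
  return [`${entries.length} grants requested, ${high} high-risk`, ...lines].join("\n");
}
// Constructed sample manifest, modelled on a "request everything" extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["storage", "tabs", "cookies", "history", "webRequest",
    "clipboardRead", "system.storage", "debugger"],
  host_permissions: ["<all_urls>"],
  optional_permissions: ["downloads", "geolocation"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["cs.js"] }],
};
console.log(formatReport(auditManifest(SAMPLE_MANIFEST)));
```

To audit a real unpacked extension, replace SAMPLE_MANIFEST with `JSON.parse` of its manifest.json.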
nostromo, over 2 years ago
Wait until you see what's possible with executables!

I like this project, but I also worry that eventually we're going to lose access to extensions entirely because people will take away the wrong message.

Safeguards are good, but at a certain point I want my devices to trust that I know what I'm doing.
alooPotato, over 2 years ago
Now try actually distributing it.

My *guess* is this wouldn't even get close to getting through the review process for the Chrome Webstore. From our experience with Streak, this would def get picked up in review.

Seeing other comments in the thread pointing to this article as a reason why MV3 is bad I think misses the point. Personally I think MV3 is a step in the right direction (even though it negatively affects us!). But it's only one piece to make extensions more secure - the others being manual review, policy adjustments and automated scanning. Even though the APIs allow for all sorts of functionality doesn't mean you'll be able to get through the rest of the checks.
dcow, over 2 years ago
This is a spicy essay for sure but what is the author's actual point? If the user grants you permission to do all these things, then you have permission to do all these things. If you can't be trusted and abuse that permission then you are not ethical. If you aren't ethical someone will find out and your extension will be removed in the worst case and simply not approved in the common case. The author even admits as much saying this thing would never pass Google's review process in a million years. Sounds like there's no real risk here and we're mostly just enjoying the show...

I do agree about the permission UI box. Surely that's a completely simple fix on Google's part to force the user to scroll through the permissions box before accepting.
a13o, over 2 years ago
Look, I hate MV3 as much as the next guy. I've even wasted part of my life porting a large extension to it, so I might hate it MORE than the next guy. But I don't draw any security conclusions from this article.

For every permission in your manifest you need to provide the Chrome Web Store reviewer with a written justification for why your extension needs that permission. Even the ones that don't prompt the user. And they definitely read it, and your code.

Shipping malicious extensions is almost entirely a social engineering problem and not a technical one.
Sephr, over 2 years ago
> If we're expecting the page DOM to change often (for example, with SPAs), we certainly don't want to miss out on any valuable data. Just set a MutationObserver to watch the entire page, and reapply listeners as needed.

The code below this text is highly inefficient and may lead to user detection from the page interactivity slowdown alone. A more efficient implementation could read input using the 'input' event[1]. For example, here[2] is how you would use the input event to detect changes to any fields in a page.

1. https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/input_event

2. https://gist.github.com/eligrey/615fcc9fa9edbfb5153478109b5b1185#file-universal-unsaved-changes-detector-js-L21-L37
harry8, over 2 years ago
"Let's build a Chrome extension that taps what Google is already stealing."

But it isn't stealing if you clicked something somewhere sometime so "stealing" is wrong will be the PR response because people are being paid to not understand "stealing is wrong"
mfrisbie, over 2 years ago
Author here! I'm tickled to see that this whimsical cautionary tale is so resonant.
drpixie, over 2 years ago
I'd like a fork of Chrome which removes all (or at least most) the "features" mentioned - a browser that renders well but just doesn't support these masses of insecure features.

If you want to give 3rd parties access to all that stuff, you can run Chrome. But I don't - I want the bare minimum that will run normal websites. I know that will break some pages, I'll accept that. (And that would give me a smaller & faster browser.)
waqas_x, over 2 years ago
Maintainer of a Chrome Extension with 10,000+ installs here. Chrome doesn't willy-nilly approve your extension. They even take down extensions that ask for permissions you do not legitimately use. The article doesn't say for how long OP was able to put his extension on the Chrome store without it being reviewed or taken down.
KomoD, over 2 years ago
What's up with the tons of fresh accounts (all created 3 days ago) posting plagiarized snippets in the comments? Various snippets from news articles, Quora, etc.

Sample of accounts: ChillNilly, LadyXaga, NerdAlerts, SuperDud, QueenBean, Moonshining, LetFree, FoxyFox22, TurkeyTurtle, LovableLily, BeingBean, CandyRandy, AdorableLama, WiseWolfie, WoozyWarrior, PenguinPeace, SunnyHorsey, SunnyMaylor, WiseSnail, ZappyHippo, FriendlyFlame, PudgyPanda, FriendlyFlame
prakhar897, over 2 years ago
I have a Chrome extension with about 1000 DAU right now [link below]. I'm getting messages to buy the whole thing out but the buyer always fails to answer why they want to buy it. They are also open to buying any extension whatsoever. I suspect it's to open up the permission model and start stealing users' data.

link: https://github.com/prakhar897/workaround-gpt
wolpoli, over 2 years ago
One of the issues here is that the browser is prompting the user for all the permissions at install time. Both Android and iOS have moved away from that. Perhaps it is time for browsers to move away from that as well.
zapstar, over 2 years ago
And this is why I am hesitant to install any and all Chrome extensions.

Well done!
imiric, over 2 years ago
> Without looking, can you name more than half of the extensions you have installed right now?

Sure.

uBlock Origin, Multi-containers, Temporary Containers and cookies.txt on Firefox, which I only use for specific purposes. History and all data is wiped frequently.

None on Chromium, which I always use in incognito mode. I use this daily, but don't need even uBlock on it, since I run a DNS ad blocker on my network.

And none on my main browser, Luakit, since it doesn't support extensions. :) Technically, I have some user scripts, which I've all reviewed or written myself.

Browser extensions are the number one security and privacy risk for all users, more than any OS exploits. The fact they've historically been handled so poorly, and these issues exist even today, should be terrifying.

Great article and extension! <3
eimrine, over 2 years ago
> Just set a MutationObserver to watch the entire page, and reapply listeners as needed.

I did not know such a thing is possible. I want to make an extension which undeletes some chat messages in typical chats (usually that happens because of moderation)
NovemberWhiskey, over 2 years ago
> *Identify and eject storage devices*

I mean, why?
paulpauper, over 2 years ago
100% this is how people are getting their social media accounts hacked for scams, crypto stolen, etc.

Stronger passwords are useless when the session is stolen, when the actual data is read and sent off
KennyBlanken, over 2 years ago
The author notes that this sort of extension would be laughed out of the review queue... but there are plugin authors who get plenty of users by putting up a website and making the plugin available directly from their site.

For example, the author of FB Purity hasn't explained to anyone why his plugin is not available via Firefox's extension store, only via his page. Presumably, he didn't meet some requirements they had... but he won't say what they were...
mschuster91, over 2 years ago
> Who maintains them? Is it the same entity that maintained it when you first installed? Are you sure?

Oh yeah, got bitten hard myself on that one a couple years back, it took Google *days* to respond to the extension buyer uploading a malware'd version. The worst problem is that extensions auto-update silently so you as a user don't even have the chance to spot anything in time.
interpol_p, over 2 years ago
I don't understand why Chrome even does up-front permissions.

iOS got this right from the start: ask on the first attempted access of the gated resource, allow the user to grant the permission once or on an ongoing basis, respect the choice. Don't allow permission prompt spam.

Even Android recently moved to this model from up-front permissions, so Google is aware of it.
scoot, over 2 years ago
Is anyone aware of a Chrome extension (or other spyware) that uses the macOS system clipboard to steal WhatsApp data?

I recently had an incident where WhatsApp Web was open in a tab in the background in a different browser window to the one I was actively using. I received and replied to a message on my phone. So imagine my surprise when I went to paste what I had previously copied from a web app in one Chrome tab into a text field in another, both in the active window, to find that what was pasted was the second last message that I had sent in WhatsApp on my phone.

I have since deleted my Chrome profile at a system level, and the only extension currently installed is a well known password manager, but it bothers me to think what could have caused this aberrant behaviour, and whether there's something still installed on my system that's stealing data.
vivegi, over 2 years ago
Probably off-topic. Has anyone done a security review of the *uBlock Origin* Chrome extension?
Dr-NULL, over 2 years ago
You really know how to write an article which is technical and at the same time fun to read.
tomthumb, over 2 years ago
The probable intent of the author of this article is to let devs know about his book: "Building Browser Extensions". Ordered mine just now.
Afforess, over 2 years ago
This is an excellent accidental rebuttal to the entire Manifest v3 project. The stated reason for the new major version and breaking changes is officially:

> *Manifest V3 represents one of the most significant shifts in the extensions platform since it launched a decade ago. Manifest V3 extensions enjoy enhancements in security, privacy, and performance...*

https://developer.chrome.com/docs/extensions/mv3/intro/

Web developers (see uBlock Origin for one) have been complaining that Manifest v3 breaks Chrome extensions for no discernible benefit and Manifest v3 exists entirely to protect Google's ad business. This review gives fresh evidence to support that assertion and showcases Google's deception. As seen in this blog post, extensions can request literally every permission and the user permission warning actively hides the permissions beyond the content fold. These changes haven't been made for security's sake.

I wish the entire Manifest v3 was scrapped, but that likely won't happen. I'll settle for people assuming Google is lying by default.
antisthenes, over 2 years ago
It's funny. They crippled extension usefulness in the name of "security", yet you can still make something like this that will steal every piece of your data and masquerade as your tabs while performing malicious behavior.

Very secure, indeed! But at least those pesky adblocks are defeated.
quectophoton, over 2 years ago
This is my main worry with Firefox as well.

How can I even be confident beyond reasonable doubt that the uBlock Origin extension I have installed won't suddenly start exfiltrating any passwords I enter on websites, for example.
cush, over 2 years ago
Reading this makes the Apple App Store walled garden not seem so bad after all.

If someone were to add an extension with this manifest, would it even be reviewed, or would it need to be flagged first?
marcopicentini, over 2 years ago
Cool. What's the easiest way to push this data to a remote server?
dclowd9901, over 2 years ago
If not alerting the user was a primary goal, they done messed up using MutationObserver. It would absolutely halt the browser completely, especially running across multiple tabs.
greenhearth, over 2 years ago
Great stuff! This is what I come here for.
WWLink, over 2 years ago
Yea, Chrome would be a lot more secure if we didn't let anyone view any data at all.
mariusmg, over 2 years ago
chrome.tabs.captureVisibleTab()

Anyone know what the actual legitimate use case for this API is? Seems very dangerous to allow extensions access to it.