How browser extensions steal and exfiltrate logins & browsing habits; conduct corporate espionage




It’s like computing just isn’t fun any more.


It sure does feel a lot less innocent and exploratory than it did 15 or so years ago, but I guess it’s just that the scumsuckers and predators took a little while to find this new place to con people.

Needs to be a crackdown on this privacy wild west on the web…


I use Chrome for exactly one work-related site. All other surfing is via Mozilla. And, while I have a ton of extensions and add-ons, save for Flash I haven’t installed any of the add-ons listed in the article.

Edited to add:
Ditch Chrome, send them a message.




Dang it all… But I’m not using the apps mentioned in the article. And I’m about as sure as can be that uBlock Origin isn’t tracking me. Raymond Hill sounds about as anti-tracking as RHS might be.


Is there any chance they have a list of malevolent extensions?


I question the veracity of that statement since it is a throwaway bit at the end of their article.


Ironically, Mozilla has people screaming bloody murder about their moves to have all addons (extensions) digitally signed after a review or else they cannot be installed in upcoming versions of Firefox.


I don’t. Firefox is only now getting on board with adding granular permissions to extensions that can be selectively revoked, and other critical features that have been in Chrome for a while. So the likelihood of there being some bad players in the huge Firefox addon pool is currently pretty high, but they are actively taking steps to improve this situation.

That being said, I trust Mozilla a heck of a lot more, Mozilla is a company dedicated to privacy and freedom, whereas Google is a company based around tracking and datamining.


I agree with the former (although Google office software – yes, that Google: docs, forms, email, calendaring, maybe others – now appears to be the Mozilla corporate standard, reportedly with strong partitioning and protection to keep the data out of Google’s hands, but once data is collected it tends to live a long long long time, and no one knows the future). I used to believe the latter too, and I hope to one day believe it again. Preferences have been revealed, and freedom didn’t win.


I certainly trust the purity of Mozilla’s motives more; but that doesn’t do much to protect me from 3rd parties looking to take advantage of Firefox users; and at present it looks like both Mozilla and Google are absolutely rotten with extensions that cannot and should not be trusted. Unfortunately, even better permission granularity, code signing, and the like are going to have a hard time stemming the tide unless a race-to-the-bottom where most extensions just demand expansive capabilities can be avoided (this seems to be what has happened on the mobile side: you can have a fancy security architecture, with security cake; but applications just demand expansive privileges in the vaguest possible terms).

It looks like I’m going to have to stop procrastinating and get my snort+Squidguard proxy box set up.


Maybe we are headed to a future where everyone has to write their own browser and crypto? :wink:


I hope not. The only thing I’d trust less than a package that somebody else might have bugged is a package I’ve certainly made dumb mistakes on.


Make sure to give it a knife!!! :slight_smile:


I use Chrome and FF, but mainly FF, and have a few extensions that I use a lot. I just checked them out and noticed each one has the option to view the source on, which sounds like it should be useful for transparency, etc. It gives me a glimmer of confidence that hopefully someone with more coding skills than me would notice something malicious but who has time to check them all?

Having verified or digitally signed extensions would definitely have its benefits if it removes, or at least alerts to, this kind of crap.


Am I naive if my first idea was that we need a plugin that checks all your plugins?


The check will happen in the cloud?


Caveat: I work for Mozilla, as many here know. :slight_smile:


… which makes you about the least useful person to be talking about how secure it is or isn’t. :wink: