Button Stealer (anatolyzenkov.com)
"host_permissions": "<all_urls>"
in its manifest means it can basically do anything on any webpage you visit, scrape data, etc.
As an extension developer, no thanks. “Fun” pointless extensions like this that have no real utility, but funnily enough require broad permissions, are dangerous.
I don't think there is a way to implement this without said permission. You can always check out the code from GitHub and install the extension locally to avoid any malicious changes in the future.
As a hobbyist developer, having that kind of access in other people’s browsers is not something I want, and I’m suspicious of developers who do seem to want it. It’s like “hey, I wrote a fun game that requires root access.”
At least limit it to people who know what GitHub is.
1) Extension could use the “activeTab” permission (would require user to click the extension once when inside the current tab to activate the extension, then the extension will run for any URL they visit).
Also the extension could have no network access and have read-only access to the DOM to name a few improvements.
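As an added example (not part of the thread and not the extension's own code), this JavaScript check reads a manifest and reports whether it requests every site at install time, as `"host_permissions": "<all_urls>"` does, or relies on `activeTab`. The sample manifests, the names `auditManifest` and `BROAD_PATTERNS`, and the verdict strings are constructed for illustration.

```javascript
// Match patterns that cover every host for at least one scheme.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns { broad: [{ field, pattern }], usesActiveTab, verdict }.
function auditManifest(manifest) {
  const broad = [];
  const collect = (field, list) => {
    for (const p of Array.isArray(list) ? list : []) {
      if (typeof p === "string" && BROAD_PATTERNS.has(p)) broad.push({ field, pattern: p });
    }
  };
  collect("host_permissions", manifest.host_permissions);
  collect("optional_host_permissions", manifest.optional_host_permissions);
  collect("permissions", manifest.permissions); // Manifest V2 lists host patterns here
  (manifest.content_scripts || []).forEach((cs, i) =>
    collect(`content_scripts[${i}].matches`, cs.matches));

  const usesActiveTab = (manifest.permissions || []).includes("activeTab");
  // Optional host permissions are only granted after a runtime prompt.
  const atInstall = broad.filter((b) => b.field !== "optional_host_permissions");
  let verdict = "scoped";
  if (atInstall.length > 0) verdict = "all-sites";
  else if (broad.length > 0) verdict = "all-sites-on-request";
  else if (usesActiveTab) verdict = "on-click";
  return { broad, usesActiveTab, verdict };
}

// Constructed sample manifests (not the extension's real manifest file).
const broadManifest = {
  manifest_version: 3,
  name: "sample-broad",
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const clickManifest = {
  manifest_version: 3,
  name: "sample-click",
  permissions: ["activeTab", "scripting"],
};

for (const m of [broadManifest, clickManifest]) {
  const r = auditManifest(m);
  console.log(m.name, r.verdict, r.broad.map((b) => `${b.field}=${b.pattern}`));
}
```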
2. Sell it to a company with malicious intentions
3. Get ad/spy/malware in your browser
I think the correct approach is to have the option to have a function isolated from the rest of the code. Then pay a trusted party to review the functionality of the function.
In this case said function may only 1) access the html on the website, 2) find the button and 3) return only that what makes the button.
Then the permission prompt, written by the trusted party, can be something accurate like: This extension wants to copy buttons from websites.
I'm calling it DEWISOTT computing: does exactly what it says on the tin.
You can go wild and update your extension 1000 times per day without touching the function.
> written by the trusted party
This is the weak, and expensive, link. But yeah I tested Grammarly for 5 minutes and found it crazy.
there has to be a better way getting both worlds :|
Hell if you're that paranoid, sniff any remote connections with mitmproxy and generally just... understand what an extension does before you leave it on your machine.
Some extensions are just fun; this extension is wicked for me as design inspiration but yeah, salty take and hackernews PB+J
I've heard that Firefox will only run signed extensions. Would you trust this process?
Mozilla does not manually review most extensions (only extensions which Mozilla recommended are manually reviewed: https://support.mozilla.org/en-US/kb/add-on-badges).
Chrome's policy is that extensions are "reviewed periodically for compliance", but it is unclear how frequent this periodic review is (https://developer.chrome.com/docs/webstore/review-process).
Then you can just target the promise based webextension syntax and as long as you still stick to the calls also available in chrome your extension works with very little effort in both browsers.
Safari is a different story which basically amounts to Apple being Apple and sort of supporting webextensions but in such a roundabout way that it is barely worth it for the majority of extension devs.
btw i had a look at the code and it seems benign. no clue if there's a way to verify the same code is in the chrome extension store.
This could be recreated in a bookmarklet ideally, though it would require saving the button html snippets into a file that you'd have to make downloadable with some Blob weirdness.
If a function gets certified and a decent description it can be published for other developers to further scrutinize and use the same.
With user.script or greasemonkey scripts it is kinda expected to read the script before use. Short scripts are easier to check.
Funny example
https://userscripts-mirror.org/scripts/show/179526
If the potentially dubious part can be isolated, the notary, the publisher, the other developer and the user can easily review it. It seems much better than the current installing black boxes?
As an alternative there is LanguageTool which you can install locally. We have it running on a small VM that people can configure their installs to talk to, and block the public service end-point (as sending to that would be a big no-no for us for the same reason as Grammarly). It doesn't have all the features of Grammarly so isn't a complete drop-in replacement, but the self-hosted version works as well as the free features of Grammarly.
I'm surprised that Grammarly hasn't come up with a local service like that, I bet they have a ton of enterprise users that would appreciate it.
Android used to have a network permission but Google removed it.
That's because Google is in the ads business and wants apps to always be able to exfiltrate data to Google (Google Analytics, Google Ads, etc.) & display ads without needing additional permissions.
Having a network permission means there is an incentive for apps to not have the network permission which means they can't load ads. And Google wants you to look at their ads.
So... Just like AAA game studios, eh?
Sony? Microsoft? EA? Apple? Exactly which giant megacorporation is beyond shady things?
https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
I mean that's what kids, teenagers, and young adults and non-technical people in general are known for: their prudence and good technical decision making.
Let's not talk about the other risk vector, that Tencent, a Chinese company, is the one buying most of these game studios that have kernel access (not exclusively).
Because an extension that finds all button elements on all websites you visit, must necessarily start by reading the content of all websites you visit.
Is your stance that hobbyist developers should not be allowed to develop desktop software or CLI tools? The entire software development ecosystem would collapse in an instant. Or are you just not familiar with Windows & Macs (lack of a) permission system?
1. Most antivirus solutions built into operating systems, such as Microsoft Defender, are unlikely to find suspicious extensions that are exfiltrating your data.
2. Extensions autoupdate (and don't require you to re-authenticate their permission set)
3. It is not uncommon for large spyware companies to buy up a bunch of the most popular Chrome extensions, and proceed to inject them with malware.
4. Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone. There's a dangerous level of passivity to browser extensions for an average user who might forget they even have them installed on the browser.
Maybe number 2 has changed in the last 10 years, but it certainly didn't use to be the case.
They can flag antivirus signatures just like everything else, and I've experienced this happening in the past. In the end, extensions are just some JavaScript/CSS files in a folder and they get scanned just like everything else.
> Extensions autoupdate
So can any piece of software if it wants to. It's trivial to make an updater start on boot.
> It is not uncommon for large spyware companies to buy up a bunch of the most popular chrome extensions, and proceed to inject them with malware
The same can, and has, happened for "regular" software.
> Since an extension runs inside your browser, it's much easier to forget that they're essentially always running, whereas once I exit a desktop app it's presumably gone
Desktop apps can trivially just not show a window if they want to. They can trivially add themselves to autostart. It depends entirely on what they're doing, just like an extension.
No, instead you're just reading all files on the filesystem, including the browser's cookie store or whatever. The data you are, or can be, handling is just as, if not more, sensitive since it's literally a superset of what the browser has access to.
> The lack of sandboxing in desktop applications is bad
Some sandboxing would be nice, but the Google/Apple approach of needing to beg the vendor for every little permission isn't the way to go, either. I'd rather have software that can actually do things as opposed to only having useless sandboxed "apps".
Sadly, both those things are untrue.
But in any case I think this is missing a distinction between what software developers can install in “developer mode” versus stuff that’s in the store for non-technical people to use. Apps in app stores see widespread use by people who barely know what a computer is, so I think there should be hoops you need to jump through to get distribution to the masses, at least for certain types of apps.
And those apps aren’t useless, they do important but security-sensitive things like banking, things us developers need to do too sometimes.
It’s a different world than hacking around on your Raspberry Pi or an old phone, and I think it should be different. Treating these situations the same muddies the issues.
The original company could be malicious/stupid/both. See https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk... for the most famous example of “both”.
You don't know what they are doing in there. You don't really know who they are. Even if you do, corporate machinations might mean who has access to the facility to <what-ever-they-want-to-do> on your PC could change at any moment without your knowledge.
Most end-users are blissfully unaware of the potential consequences of this level of access (games having kernel access, and browser extensions having all-sites/all-contexts access).