browser extensions are genuinely terrifying from a security perspective lol
-
I'm not allowed to install them at work (besides a whitelist) and it's extremely frustrating, but I also entirely get it.
-
browser extensions:
- are routinely given terrifying levels of permission over the browser due to poor permission siloing and the design of the extension API. Tons of useful extensions have a legitimate need for permissions like "view all browsing and be able to run arbitrary JS on every page in that page's JS context", so users are used to granting those permissions without a second thought.
- are distributed via extension stores that have effectively no oversight whatsoever. Chrome is the absolute worst here: its extension store is full of dreck, namesquatting and outright obvious malware, and it's like pulling teeth to get the Chrome Web Store to take action even on known and publicized malware. Guess what the most popular browser is, and which extension store most of the recent indie browsers piggyback off of.
- are extremely hard to monetize in legitimate ways, which leads to them being monetized in illegitimate ways.
(cont.)
-
- useful and extremely popular extensions are quite often from random developers you've never heard of, so you can't effectively filter them based on knowing who developed them. Also, extension stores are full of namesquatted or typosquatted developer accounts pretending to be some other organization.
- extensions are very frequently and routinely updated. Users do not consider extension updates a risk.
- there is zero business relationship between the extension store and the developer beyond an effectively pseudonymous developer account, so extensions can trivially change hands invisibly.
(cont.)
-
- because of all this, malware extensions are extremely widespread and, even worse, the authors of every single legitimate extension with even a modicum of popularity are constantly inundated with buyout offers from malware distributors (though that's not what they would call themselves). This phenomenon has been documented for years. Whether it be desperation (a lot of these developers are individuals) or willingness to exploit their users for a kickback without concern for their reputation (a lot of these developers are small companies), a scary number of extensions end up saying yes. Any browser extension at any time could change hands, turn into malware, get auto-updated, and use its existing permissions, or ask for more with a prompt we are nearly all used to clicking through unthinkingly, to do whatever it wants in your browser.
-
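The two concrete risks in the thread above, an extension that already holds "every site plus run JS in it" reach, and an update that quietly broadens what an extension asks for, can be checked mechanically from the manifest. The following is an added example written for this page, not code from the thread's author or from any real extension: a small JavaScript audit that reads the manifest fields Chrome and Firefox actually use (`permissions`, `host_permissions`, `optional_permissions`, `content_scripts[].matches`), flags broad reach, and diffs two versions of a manifest to surface permission escalation. The two manifests (`v1`, `v2`) and the risk descriptions are constructed for the example; the permission names and match patterns are real manifest syntax.

```javascript
// Added example: audit an extension manifest for "see every page, run JS in it"
// reach, and diff two manifest versions to catch an update that widens it.
// Sample manifests below are constructed; they do not describe a real extension.

// Match patterns that mean "every site". These are real manifest syntax.
const ALL_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that are risky on their own. The one-line summaries are this
// example's own wording, not text from the browser vendors' documentation.
const RISKY_API_PERMISSIONS = {
  scripting: "can inject JS/CSS into any page it has host access to",
  tabs: "can read the URL and title of every open tab",
  webRequest: "can observe every request the browser makes",
  webRequestBlocking: "can modify or block requests (MV2)",
  cookies: "can read and write cookies for hosts it has access to",
  history: "can read the full browsing history",
  management: "can enumerate, enable and disable other extensions",
  nativeMessaging: "can talk to a native helper process outside the sandbox",
  declarativeNetRequest: "can rewrite or redirect requests via rules",
  debugger: "can attach the DevTools protocol to tabs",
  proxy: "can route all browser traffic through a proxy of its choosing",
};

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Hosts an extension can reach. MV3 lists them in host_permissions, MV2 mixed
// them into permissions, and content_scripts.matches grants page access too
// (those scripts are injected automatically, no API call needed).
function hostPatterns(manifest) {
  const out = new Set();
  for (const p of manifest.host_permissions ?? []) out.add(p);
  for (const p of manifest.permissions ?? []) if (isHostPattern(p)) out.add(p);
  for (const cs of manifest.content_scripts ?? []) for (const m of cs.matches ?? []) out.add(m);
  return out;
}

function apiPermissions(manifest) {
  return new Set((manifest.permissions ?? []).filter((p) => !isHostPattern(p)));
}

// Returns findings as {severity, reason}. An empty list means nothing flagged.
function auditManifest(manifest) {
  const findings = [];
  const hosts = hostPatterns(manifest);
  const apis = apiPermissions(manifest);
  const everySite = [...hosts].some((h) => ALL_HOSTS.has(h));
  const injectsEverywhere = (manifest.content_scripts ?? []).some((cs) =>
    (cs.matches ?? []).some((m) => ALL_HOSTS.has(m)));

  if (everySite) findings.push({ severity: "high", reason: "host access to every site" });
  if (injectsEverywhere) findings.push({ severity: "high", reason: "content script auto-injected into every page" });
  // Broad host access plus the scripting API is the "run arbitrary JS in any page" case.
  if (everySite && apis.has("scripting")) {
    findings.push({ severity: "critical", reason: "scripting + all hosts: can run arbitrary JS in any page" });
  }
  for (const p of apis) {
    if (p in RISKY_API_PERMISSIONS) findings.push({ severity: "medium", reason: `${p}: ${RISKY_API_PERMISSIONS[p]}` });
  }
  return findings;
}

// What an update newly asks for, relative to the version already installed.
// Anything non-empty here is exactly what an auto-update can slip past a user.
function permissionEscalation(oldManifest, newManifest) {
  const added = (before, after) => [...after].filter((x) => !before.has(x)).sort();
  return {
    newHosts: added(hostPatterns(oldManifest), hostPatterns(newManifest)),
    newApis: added(apiPermissions(oldManifest), apiPermissions(newManifest)),
    newOptional: added(new Set(oldManifest.optional_permissions ?? []),
                       new Set(newManifest.optional_permissions ?? [])),
  };
}

// Constructed sample: v1 is a modest "highlight words on one site" extension
// using activeTab (access only to the current tab, only on a user gesture);
// v2 is what the same extension could look like after changing hands.
const v1 = {
  manifest_version: 3, name: "Example Highlighter", version: "1.4.0",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["highlight.js"] }],
};
const v2 = {
  ...v1, version: "1.5.0",
  permissions: ["storage", "activeTab", "scripting", "tabs", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["highlight.js", "loader.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("v1 findings:", auditManifest(v1));
  console.log("v2 findings:", auditManifest(v2));
  console.log("v1 -> v2 escalation:", permissionEscalation(v1, v2));
}
```

Run with `node audit.js` (any filename works). For `v1` the audit returns nothing; for `v2` it reports every-site host access, an every-page content script, the critical scripting-plus-all-hosts combination, and the three risky API permissions, and the diff shows exactly what the update added. Note the limit of this check: a manifest that was already broad in `v1` shows no escalation at all, which is the situation most popular extensions are in and why the thread's point about buyouts matters.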