Browser Extensions Are Undermining Privacy

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."

Anti-extension Narrative Ramping Up?

[Kunedog]

While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons

Not false, but it's also true that ad-blocking (ublock) and script-blocking (flashblock, noscript) extension have done more for user privacy and security than most any other software, sometimes by working against the aims of the browser makers. I fear this story may be part of an anti-extension (and anti-user-control in general) narrative.

not properly restricted

[Gravis+Zero]

Part of the problem is that extensions are not properly restricted because they can get/send data to/from anywhere regardless of the permissions you give it. What they really need to do is restrict arbitrary URL requests. If the domain name isn't part of the [content of] requested page then it should require explicit permissions to access it.

Cant disable extension update in Chrome

[citizenr]

Chrome forces extension updates from the mothership. No way of disabling it. Even editing out update server address in extension .xml doesnt do it. = its all Googles fault in the end.

Re:Sounds more like a Chrome issue

[Teun]

Same here, when you use Chrome you know you share your browsing habits with Google.
Aside from the memory footprint an important reason to avoid that browser.
I sometimes use Chromiium for some multi media sites that just won't work in FF and assume it has better privacy than Chrome but would love to see an expert's view on this.