Slashdot Mirror


Browser Extensions Are Undermining Privacy (vortex.com)

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."

11 of 82 comments

  1. Anti-extension Narrative Ramping Up? by Kunedog · · Score: 5, Interesting

    While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons

    Not false, but it's also true that ad-blocking (ublock) and script-blocking (flashblock, noscript) extensions have done more for user privacy and security than most any other software, sometimes by working against the aims of the browser makers. I fear this story may be part of an anti-extension (and anti-user-control in general) narrative.

    1. Re: Anti-extension Narrative Ramping Up? by Anonymous Coward · · Score: 4, Insightful

      Yup. Google wants browser users to have "privacy", so long as Google can still snoop everything they do.

    2. Re: Anti-extension Narrative Ramping Up? by Antique Geekmeister · · Score: 3, Insightful

      This is _exactly_ right. The data is much more valuable to any one vendor if they have it and their competitors do not, especially if it can be used for monopoly control or even fraud.

    3. Re:Anti-extension Narrative Ramping Up? by MrMr · · Score: 2

      You almost remember correctly. Do you happen to work for an advertising company? https://addons.mozilla.org/en-...

    4. Re:Anti-extension Narrative Ramping Up? by Anonymous Coward · · Score: 2, Informative

      You just don't remember correctly at all. Here's the developer discussing it with other people it made uncomfortable: https://forums.informaction.com/viewtopic.php?f=7&t=4743

      I think NoScript is great, but I also think that kind of background network behavior is a very poor design feature in a privacy/security product.

  2. not properly restricted by Gravis Zero · · Score: 3, Interesting

    Part of the problem is that extensions are not properly restricted because they can get/send data to/from anywhere regardless of the permissions you give it. What they really need to do is restrict arbitrary URL requests. If the domain name isn't part of the [content of] requested page then it should require explicit permissions to access it.

    --
    Anons need not reply. Questions end with a question mark.
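
Which hosts an extension asks to reach is declared in its manifest.json. The following is an added example, not part of the original thread: it lists the host match patterns a manifest requests and flags those that cover every site. The function name `auditManifest` and both sample manifests are constructed for illustration.

```javascript
// Added example (not from the original thread). Manifests below are constructed.
// Match patterns that grant access to every site.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns contain "://" (or are <all_urls>); API names like "tabs" do not.
const isHostPattern = (p) =>
  typeof p === "string" && (p === "<all_urls>" || p.includes("://"));

// Host part of scheme://host/path.
const hostOf = (p) => p.split("://")[1].split("/")[0];

function auditManifest(manifest) {
  const fields = {
    permissions: manifest.permissions || [],            // MV2: API names and hosts
    host_permissions: manifest.host_permissions || [],  // MV3: hosts only
    optional_permissions: manifest.optional_permissions || [],
    content_scripts: (manifest.content_scripts || []).flatMap((c) => c.matches || []),
  };
  const broad = [];
  const scoped = [];
  for (const [field, entries] of Object.entries(fields)) {
    for (const pattern of entries.filter(isHostPattern)) {
      // A wildcard host ("*") means the pattern applies to any site.
      const anySite = BROAD.has(pattern) || hostOf(pattern) === "*";
      (anySite ? broad : scoped).push(`${field}: ${pattern}`);
    }
  }
  return { broad, scoped, anySiteAccess: broad.length > 0 };
}

// Constructed sample: a "shopping helper" that requests access to every page.
const shoppingHelper = {
  manifest_version: 2,
  permissions: ["tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
// Constructed sample: an extension limited to one API host.
const scopedTool = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://api.example.com/*"],
};

console.log(auditManifest(shoppingHelper));
console.log(auditManifest(scopedTool));
```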

  3. Can't disable extension update in Chrome by citizenr · · Score: 3, Interesting

    Chrome forces extension updates from the mothership. No way of disabling it. Even editing out update server address in extension .xml doesn't do it. = it's all Google's fault in the end.

    --
    Who logs in to gdm? Not I, said the duck.

    1. Re:Can't disable extension update in Chrome by The MAZZTer · · Score: 2

      Being able to change the update server would just open the door for malware to infect your machine by issuing updates for all your extensions through their own server. Don't blame Google for a developer who fails to use provided security mechanisms like two factor authentication (at least, I don't see how the author's account could have been compromised so easily if he was using it, and using it properly).

  4. Re:What about the privacy-undermining browser itse by AHuxley · · Score: 2

    That's why Firefox is good.
    The ads stop with a nice selection of quality add ons.
    The next step is to ensure the add ons are correct in what they offer and do.

    --
    Domestic spying is now "Benign Information Gathering"

  5. Sounds more like a Chrome issue by TheOuterLinux · · Score: 2

    The title is misleading or there are more idiots out there than I thought. "Why do my privacy add-ons not work right?" Maybe it's because Google, a search engine company, made the browser? You know that web browser, Tor...something or other I think it is, that's based off of Chrome? *sarcasm. Me neither. -_- It would be interesting to see a security comparison between Chrome and Chromium for these privacy add-ons. I'm sure there are plenty convinced a derivative = same, but if that were true, then I guess all us Linux users are nut-cases. Don't answer that. Chrome needs to be renamed to Chrime.

    1. Re:Sounds more like a Chrome issue by Teun · · Score: 3, Interesting

      Same here, when you use Chrome you know you share your browsing habits with Google.
      Aside from the memory footprint an important reason to avoid that browser.
      I sometimes use Chromium for some multi media sites that just won't work in FF and assume it has better privacy than Chrome but would love to see an expert's view on this.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."