Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Third of All Chrome Extensions Request Access To User Data on Any Site

Posted by msmash on from the upon-further-inspection dept.

More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website, a recent survey conducted by US cyber-security firm Duo Labs of over 120,000 Chrome extensions has revealed. From a report: The same survey also found that roughly 85 percent of the 120,000 Chrome extensions listed on the Chrome Web Store don't have a privacy policy listed, meaning there's no legally-binding document describing how extension developers are committing to handling user data. Additional survey findings include the fact that 77 percent of the tested Chrome extensions didn't list a support site, 32 percent used third-party JavaScript libraries that contained publicly known vulnerabilities, and nine percent could access and read cookie files, some of which are used for authentication operations.

25 of 60 comments (clear)

  1. Which is it? by Anonymous Coward · · Score: 1

    So are these extensions up to something nefarious, or are they being forced to request this "all data / any web site" access because finer grained permissions aren't there?

    1. Re:Which is it? by nitehawk214 · · Score: 1

      Yes. You are correct, sir.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  2. In other news by thegarbz · · Score: 1, Informative

    1/3rd of Chrome extensions request a required permission for the extension to actually do what it says.

    Seriously... 1/3rd? I'm surprised it's that low.

    1. Re:In other news by green1 · · Score: 2

      It just proves that 2/3 of chrome extensions are pointless.

      Seriously, what's the point of an extension that doesn't affect the content of the page?

    2. Re:In other news by hcs_$reboot · · Score: 2

      Extensions code is downloadable / readable easily ; it's in javascript and the Chrome "manifest" does a lot of the "pre-work". Most extensions code is rather small and can be checked for malware. Extensions can also be copied locally and modified, then used in Chrome (in dev mode).

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  3. We take your privacy seriously (lol) by sjbe · · Score: 4, Interesting

    More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website

    But we were assured that Google takes our privacy seriously! Glad to see Google is really on top of this.

    a recent survey conducted by US cyber-security firm Duo Labs of over 120,000 Chrome extensions has revealed.

    What possible utility could there be in 120,000 different extensions? Who in the name of Thor's ugly sweater is actually using these things? I use about 5 extension on my browser of choice (Firefox for me), all fairly popular and I really cannot see any circumstance where I would use more than 10. There is no sane argument for that many extensions without a huge number of them being malware.

    1. Re:We take your privacy seriously (lol) by JackieBrown · · Score: 1

      What extensions do you use that wouldn't require access to the whole page?

      I agree that there is a ridiculous number of extensions but I'm not forced to install them. I actually like that there is a lot of choices or overlap for ad blockers, javascript blockers, etc.

      I'd think that the only ones that wouldn't need access to the whole page are web apps and notification tickers. (I'm sure there are a few more but I can't think of any right now)

  4. Don't use them by aglider · · Score: 1

    Until devs become clearer on privacy.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  5. User indifference by sjbe · · Score: 3, Interesting

    So are these extensions up to something nefarious, or are they being forced to request this "all data / any web site" access because finer grained permissions aren't there?

    My guess would be that they ask because they can and because most users will not pay enough attention to choose some other option even if one is provided - which it won't be. Never mind that with 120,000 (!?!) extensions a HUGE number of these have to be malware of some description. There just isn't that much need for that many different extensions.

    1. Re:User indifference by drinkypoo · · Score: 2

      It's not about need. It's about redundancy, and about vanity, but also about convenience. Some extensions are made just so that the author can feel smart, because their name is in the extension store, when the extension could as easily be implemented as a user script. But how many more users can you reach by putting the functionality into an extension which is located in Google's repository of extensions than if you put it on your own site? And then there's all the people reinventing the wheel, of course. There's already an extension that does a thing, but they don't like how it's done. Sometimes they could contribute to an existing project, but sometimes they can't, and other times they don't want to.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: User indifference by astrofurter · · Score: 1

      "Never mind that with 120,000 (!?!) extensions a HUGE number of these have to be malware of some description."

      Browse the Chrome extension store, or the Android Play Store, for a couple minutes. I estimate they're both about 98% malware. Yet somehow these things are all Google-approved and allowed to remain in the "stores".

      Big Brother Google takes our privacy, seriously.

  6. Ad blocking by reanjr · · Score: 1

    Isn't most of it just legit ad blocking? You have to scan the page to remove ads and it seems like 75% of the extensions are somehow related to ad blocking or content manipulation or password management. They all need those permissions.

  7. Well ... by cascadingstylesheet · · Score: 1

    ... are finer grained permissions available? Or for many extensions, even logically possible?

    If the extension is going to filter for ads, or change the colors, or inject user CSS, or tell you if products on the page are cheaper at Amazon, or whatever - it kind of needs to access the webpage data. Right?

    1. Re:Well ... by Fly+Swatter · · Score: 1

      We should be shocked that an extension for a web browser needs access to the web you are browsing! Now if it needed access to my left shoe's firmware I might start to worry...

  8. Fake news by DontBeAMoran · · Score: 1

    I'm using Google [Cute cat GIF!!!] Chrome right now and I've [~~~ BUY XBOX ONE TODAY! ~~~] never had problems with [~~~You won't believe which celebrities use teeth whitener! ~~~] any of the 124 extensions I installed.

    --
    #DeleteFacebook
    1. Re:Fake news by grumpy-cowboy · · Score: 1

      DontBeAMoran : *** You're computer is at risk *** click here to download our new AI based security protector that will protect you from past, present and FUTURE security issues (thanks to AI)!

      --
      Will $CURRENT_YEAR be the year of the Linux Desktop?
  9. Typo by DontBeAMoran · · Score: 1

    "We take your privacy seriously."

    Sorry, our motto is missing a period. It should read:

    "We take your privacy. Seriously."

    --
    #DeleteFacebook
  10. They've got this backwards by Miles_O'Toole · · Score: 1

    Let's not forget these apps are flourishing in a Google-built ecosystem.

    The surprising thing is that two thirds of them DON'T spend their time harvesting every bit of information they can from devices owned by you, your family, your friends, your workmates and probably every person you have had a random encounter with over the last six months.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    1. Re: They've got this backwards by mino31 · · Score: 1

      Most extensions code is rather small and can be checked for malware. Extensions https://xender.pro/ https://discord.software/ https://omegle.onl/ can also be copied locally and modified, then used in Chrome (in dev mode).

    2. Re: They've got this backwards by mino31 · · Score: 1

      Please read the small print. * For details on how much it cost to call our team visit virginmedia.com/callcosts". My god I have cre https://xender.pro/ https://discord.software/ https://omegle.onl/

  11. Don't run extensions you don't trust. by dfm3 · · Score: 2

    What extensions do you use that wouldn't require access to the whole page?

    This. The whole POINT of running the few extensions I do is that I want them to be functional on any site I visit, and thus I have to trust them well enough to have access to all of my browsing data.

    - uBlock Origin: absolutely essential for browsing these days, and I trust Raymond Hill. You just have to be careful of the various clones/forks out there, which are often NOT trustworthy.
    - Noscript: Just as essential. I don't know much about the developer, but from what I've seen I do know that the community can vouch for them.
    - Greasemonkey: Used to load a few scripts that I wrote myself, as well as some scripts from people I know personally, to change the functionality of some very specific pages.
    - LastPass: Eh, I'm a bit leery of this one, but it's widespread enough that if there's some major privacy breech, I hope that news would spread quickly.

  12. Permissions and choice by sjbe · · Score: 1

    What extensions do you use that wouldn't require access to the whole page?

    Permissions are more than just access to the whole page. Host permissions, API permissions, permissions per tab, clipboard access, storage access, cookie access, etc. Relatively few extensions need access to all of these and few bother to ask.

    I actually like that there is a lot of choices or overlap for ad blockers, javascript blockers, etc.

    Sure but 120,000 choices? Let's keep it real. That's not choices, that's spam.

    I agree that there is a ridiculous number of extensions but I'm not forced to install them.

    Not the point. The point is that there is no reason for most of these to even exist unless a LOT of them are malware of one form or another.

    1. Re:Permissions and choice by JackieBrown · · Score: 1

      Relatively few extensions need access to all of these and few bother to ask.

      An extension not asking for that access is a different story of course.

      Sure but 120,000 choices? Let's keep it real. That's not choices, that's spam.

      I usually don't have a say in accepting or view spam. I have never seen 120,000 extensions

      Not the point. The point is that there is no reason for most of these to even exist unless a LOT of them are malware of one form or another.

      It really is the point. Every wannabe or up and coming programmer can create an extension and share it. If people see a value, they can install it. That is a feature not a bug

    2. Re: Permissions and choice by astrofurter · · Score: 1

      Big Brother Google has set itself up as gatekeeper for their app stores, but has no apparent interest in keeping malware out.

      It's like a bouncer at a party who let's all sorts of thugs and armed hoodlums through the door. But then violently bounces your nerdy friend with strong political opinions.

  13. Re: People are weird by astrofurter · · Score: 1

    Mass media propaganda conditions people to love the taste of bootleather.