A Third of All Chrome Extensions Request Access To User Data on Any Site

More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website, a recent survey conducted by US cyber-security firm Duo Labs of over 120,000 Chrome extensions has revealed. From a report: The same survey also found that roughly 85 percent of the 120,000 Chrome extensions listed on the Chrome Web Store don't have a privacy policy listed, meaning there's no legally-binding document describing how extension developers are committing to handling user data. Additional survey findings include the fact that 77 percent of the tested Chrome extensions didn't list a support site, 32 percent used third-party JavaScript libraries that contained publicly known vulnerabilities, and nine percent could access and read cookie files, some of which are used for authentication operations.

We take your privacy seriously (lol)

[sjbe]

More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website

But we were assured that Google takes our privacy seriously! Glad to see Google is really on top of this.

a recent survey conducted by US cyber-security firm Duo Labs of over 120,000 Chrome extensions has revealed.

What possible utility could there be in 120,000 different extensions? Who in the name of Thor's ugly sweater is actually using these things? I use about 5 extension on my browser of choice (Firefox for me), all fairly popular and I really cannot see any circumstance where I would use more than 10. There is no sane argument for that many extensions without a huge number of them being malware.

User indifference

[sjbe]

So are these extensions up to something nefarious, or are they being forced to request this "all data / any web site" access because finer grained permissions aren't there?

My guess would be that they ask because they can and because most users will not pay enough attention to choose some other option even if one is provided - which it won't be. Never mind that with 120,000 (!?!) extensions a HUGE number of these have to be malware of some description. There just isn't that much need for that many different extensions.

Re:User indifference

[drinkypoo]

It's not about need. It's about redundancy, and about vanity, but also about convenience. Some extensions are made just so that the author can feel smart, because their name is in the extension store, when the extension could as easily be implemented as a user script. But how many more users can you reach by putting the functionality into an extension which is located in Google's repository of extensions than if you put it on your own site? And then there's all the people reinventing the wheel, of course. There's already an extension that does a thing, but they don't like how it's done. Sometimes they could contribute to an existing project, but sometimes they can't, and other times they don't want to.

Re:In other news

[green1]

It just proves that 2/3 of chrome extensions are pointless.

Seriously, what's the point of an extension that doesn't affect the content of the page?

Re:In other news

[hcs_$reboot]

Extensions code is downloadable / readable easily ; it's in javascript and the Chrome "manifest" does a lot of the "pre-work". Most extensions code is rather small and can be checked for malware. Extensions can also be copied locally and modified, then used in Chrome (in dev mode).

Don't run extensions you don't trust.

[dfm3]

What extensions do you use that wouldn't require access to the whole page?

This. The whole POINT of running the few extensions I do is that I want them to be functional on any site I visit, and thus I have to trust them well enough to have access to all of my browsing data.

- uBlock Origin: absolutely essential for browsing these days, and I trust Raymond Hill. You just have to be careful of the various clones/forks out there, which are often NOT trustworthy.
- Noscript: Just as essential. I don't know much about the developer, but from what I've seen I do know that the community can vouch for them.
- Greasemonkey: Used to load a few scripts that I wrote myself, as well as some scripts from people I know personally, to change the functionality of some very specific pages.
- LastPass: Eh, I'm a bit leery of this one, but it's widespread enough that if there's some major privacy breech, I hope that news would spread quickly.