
A Third of All Chrome Extensions Request Access To User Data on Any Site

More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website, a recent survey conducted by US cyber-security firm Duo Labs of over 120,000 Chrome extensions has revealed. From a report: The same survey also found that roughly 85 percent of the 120,000 Chrome extensions listed on the Chrome Web Store don't have a privacy policy listed, meaning there's no legally-binding document describing how extension developers are committing to handling user data. Additional survey findings include the fact that 77 percent of the tested Chrome extensions didn't list a support site, 32 percent used third-party JavaScript libraries that contained publicly known vulnerabilities, and nine percent could access and read cookie files, some of which are used for authentication operations.
  • by Anonymous Coward

    So are these extensions up to something nefarious, or are they being forced to request this "all data / any web site" access because finer grained permissions aren't there?

    • User indifference (Score:4, Interesting)

      by sjbe ( 173966 ) on Friday February 22, 2019 @11:09AM (#58163658)

      So are these extensions up to something nefarious, or are they being forced to request this "all data / any web site" access because finer grained permissions aren't there?

      My guess would be that they ask because they can and because most users will not pay enough attention to choose some other option even if one is provided - which it won't be. Never mind that with 120,000 (!?!) extensions a HUGE number of these have to be malware of some description. There just isn't that much need for that many different extensions.

      • It's not about need. It's about redundancy, and about vanity, but also about convenience. Some extensions are made just so that the author can feel smart, because their name is in the extension store, when the extension could as easily be implemented as a user script. But how many more users can you reach by putting the functionality into an extension which is located in Google's repository of extensions than if you put it on your own site? And then there's all the people reinventing the wheel, of course. T

      • "Never mind that with 120,000 (!?!) extensions a HUGE number of these have to be malware of some description."

        Browse the Chrome extension store, or the Android Play Store, for a couple minutes. I estimate they're both about 98% malware. Yet somehow these things are all Google-approved and allowed to remain in the "stores".

        Big Brother Google takes our privacy, seriously.

    • Yes. You are correct, sir.

  • In other news (Score:2, Informative)

    by thegarbz ( 1787294 )

    1/3rd of Chrome extensions request a required permission for the extension to actually do what it says.

    Seriously... 1/3rd? I'm surprised it's that low.

    • by green1 ( 322787 )
      It just proves that 2/3 of chrome extensions are pointless.

      Seriously, what's the point of an extension that doesn't affect the content of the page?
    • Extension code is easily downloadable and readable; it's in JavaScript and the Chrome "manifest" does a lot of the "pre-work". Most extension code is rather small and can be checked for malware. Extensions can also be copied locally and modified, then used in Chrome (in dev mode).
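
The manifest check mentioned in the comment above, as an added example that is not part of the original thread or of the Duo Labs survey: it reads a `manifest.json` object and flags the two access levels the summary counts, every-site host access and the `cookies` permission. The function name `auditManifest` and the sample manifests are constructed for illustration.

```javascript
// Added example: flag the access levels the survey counted, from manifest.json.
// Chrome match patterns that cover every website.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const strings = (v) => (Array.isArray(v) ? v.filter((x) => typeof x === "string") : []);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  // Manifest V2 lists host patterns inside "permissions"; V3 moves them
  // to "host_permissions". Read both so either version is covered.
  const declared = [...strings(manifest.permissions), ...strings(manifest.host_permissions)];
  const optional = [...strings(manifest.optional_permissions),
                    ...strings(manifest.optional_host_permissions)];
  // Content scripts run inside every page their "matches" patterns cover.
  const scripts = Array.isArray(manifest.content_scripts) ? manifest.content_scripts : [];
  const injected = scripts.flatMap((cs) => strings(cs && cs.matches));

  const hosts = [...new Set([...declared.filter(isHostPattern), ...injected])];
  const result = {
    allSites: hosts.some((p) => ALL_SITES.has(p)),
    cookies: declared.includes("cookies"),
    optionalAllSites: optional.some((p) => ALL_SITES.has(p)),
    hosts,
    findings: [],
  };
  if (result.allSites) result.findings.push("reads and changes data on every site");
  if (result.cookies) result.findings.push("declares the cookies permission");
  if (result.optionalAllSites) result.findings.push("can ask for every-site access later");
  return result;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLES = {
  pageFilter: { manifest_version: 3, permissions: ["storage"], host_permissions: ["<all_urls>"] },
  sessionTool: { manifest_version: 2, permissions: ["cookies", "https://*.example.com/*"] },
  injector: { manifest_version: 3, permissions: ["storage"],
              content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }] },
  clipper: { manifest_version: 3, permissions: ["activeTab", "storage"],
             optional_host_permissions: ["https://*/*"] },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  const { findings } = auditManifest(manifest);
  console.log(name, findings.length ? findings.join("; ") : "no broad access declared");
}
```

A flag here only says what the extension is allowed to do; whether a page filter or password manager legitimately needs it still takes reading the code.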
  • by sjbe ( 173966 ) on Friday February 22, 2019 @11:05AM (#58163646)

    More than a third of all Google Chrome extensions ask users for permission to access and read all their data on any website

    But we were assured that Google takes our privacy seriously [slashdot.org]! Glad to see Google is really on top of this.

    a recent survey conducted by US cyber-security firm Duo Labs of over 120,000 Chrome extensions has revealed.

    What possible utility could there be in 120,000 different extensions? Who in the name of Thor's ugly sweater is actually using these things? I use about 5 extensions on my browser of choice (Firefox for me), all fairly popular and I really cannot see any circumstance where I would use more than 10. There is no sane argument for that many extensions without a huge number of them being malware.

    • What extensions do you use that wouldn't require access to the whole page?

      I agree that there is a ridiculous number of extensions but I'm not forced to install them. I actually like that there is a lot of choices or overlap for ad blockers, javascript blockers, etc.

      I'd think that the only ones that wouldn't need access to the whole page are web apps and notification tickers. (I'm sure there are a few more but I can't think of any right now)

      • What extensions do you use that wouldn't require access to the whole page?

        This. The whole POINT of running the few extensions I do is that I want them to be functional on any site I visit, and thus I have to trust them well enough to have access to all of my browsing data.

        - uBlock Origin: absolutely essential for browsing these days, and I trust Raymond Hill. You just have to be careful of the various clones/forks out there, which are often NOT trustworthy.
        - Noscript: Just as essential. I don't know much about the developer, but from what I've seen I do know that the community

      • What extensions do you use that wouldn't require access to the whole page?

        Permissions are more than just access to the whole page. Host permissions, API permissions, permissions per tab, clipboard access, storage access, cookie access, etc. Relatively few extensions need access to all of these and few bother to ask.

        I actually like that there is a lot of choices or overlap for ad blockers, javascript blockers, etc.

        Sure but 120,000 choices? Let's keep it real. That's not choices, that's spam.

        I agree that there is a ridiculous number of extensions but I'm not forced to install them.

        Not the point. The point is that there is no reason for most of these to even exist unless a LOT of them are malware of one form or another.

        • Relatively few extensions need access to all of these and few bother to ask.

          An extension not asking for that access is a different story of course.

          Sure but 120,000 choices? Let's keep it real. That's not choices, that's spam.

          I usually don't have a say in accepting or viewing spam. I have never seen 120,000 extensions.

          Not the point. The point is that there is no reason for most of these to even exist unless a LOT of them are malware of one form or another.

          It really is the point. Every wannabe or up and coming programmer can create an extension and share it. If people see a value, they can install it. That is a feature not a bug.

          • Big Brother Google has set itself up as gatekeeper for their app stores, but has no apparent interest in keeping malware out.

            It's like a bouncer at a party who lets all sorts of thugs and armed hoodlums through the door. But then violently bounces your nerdy friend with strong political opinions.

    • "We take your privacy seriously."

      Sorry, our motto is missing a period. It should read:

      "We take your privacy. Seriously."

  • Until devs become clearer on privacy.

  • Isn't most of it just legit ad blocking? You have to scan the page to remove ads and it seems like 75% of the extensions are somehow related to ad blocking or content manipulation or password management. They all need those permissions.

  • ... are finer grained permissions available? Or for many extensions, even logically possible?

    If the extension is going to filter for ads, or change the colors, or inject user CSS, or tell you if products on the page are cheaper at Amazon, or whatever - it kind of needs to access the webpage data. Right?

    • We should be shocked that an extension for a web browser needs access to the web you are browsing! Now if it needed access to my left shoe's firmware I might start to worry...
  • I'm using Google [Cute cat GIF!!! [gfycat.com]] Chrome right now and I've [~~~ BUY XBOX ONE TODAY! ~~~] never had problems with [~~~You won't believe which celebrities use teeth whitener! ~~~] any of the 124 extensions I installed.

    • DontBeAMoran : *** You're computer is at risk *** click here to download our new AI based security protector that will protect you from past, present and FUTURE security issues (thanks to AI)!

  • Let's not forget these apps are flourishing in a Google-built ecosystem.

    The surprising thing is that two thirds of them DON'T spend their time harvesting every bit of information they can from devices owned by you, your family, your friends, your workmates and probably every person you have had a random encounter with over the last six months.
