Browser extensions spy on you, even if its developers don't (vitonsky.net)
from vitonsky@programming.dev to technology@lemmy.world on 02 Sep 2023 14:00
https://programming.dev/post/2470559

#technology

redditReallySucks@lemmy.dbzer0.com on 02 Sep 2023 14:23

Or maybe only install extensions from trusted sources developers.

2Xtreme21@lemmy.world on 02 Sep 2023 15:19

I think the point is that even if an extension comes from a trusted source, the developer could fairly easily push out an update that turns the extension into malware. Check the GitHub link in another comment below where the developer posts the solicitation emails he gets on a regular basis offering to monetize his extension. He isn’t selling out, but maybe not every dev is as willing as he is to forgo a potentially lucrative offer.

RdVortex@lemmy.world on 02 Sep 2023 16:35

And there are cases where this has already happened: bleepingcomputer.com/…/-particle-chrome-extension… There are probably more recent cases too, but this was the first one I could find.

TheEntity@kbin.social on 02 Sep 2023 17:50

To be specific: from trusted developers. Installing them only from the official repository (is it still possible to reasonably install them any other way?) won't help if a dev sells such an addon. On the other hand I cannot imagine someone like Raymond Hill (the uBlock Origin dev) doing it, considering his track record.

redditReallySucks@lemmy.dbzer0.com on 02 Sep 2023 19:38

Yeah, that’s what I meant.

djsaskdja@reddthat.com on 02 Sep 2023 15:45

Exactly why most enterprise organizations disable them. You should too if you’re doing anything with sensitive data.

munderzi@feddit.ch on 02 Sep 2023 19:17

That’s why on my work PC I use a completely vanilla Firefox, gotta live with the ads. But I’m not risking giving full access to website content to any extension.

kindenough@kbin.social on 02 Sep 2023 16:17

Firefox will disable extensions in private mode if you want to.

Dariusmiles2123@sh.itjust.works on 02 Sep 2023 18:06

It’s interesting to read as I never thought about the vulnerability these extensions are.

I guess you should limit the number of extensions you have.

Franzia@lemmy.blahaj.zone on 02 Sep 2023 21:18

I thought my ISP already had this data and is selling it. Should I go make sure all my extensions are 100% kosher?

beaubbe@lemmy.world on 03 Sep 2023 02:59

Your ISP cannot read https data in transit. Extensions can because the page is now rendered on your local browser.

Franzia@lemmy.blahaj.zone on 03 Sep 2023 04:12

Thank you!

NullaFacies@sh.itjust.works on 02 Sep 2023 23:21

To add to the blog post, if you use user scripts, utilize your manager’s blacklist and learn REGEX.

If needed, use Group Policy, Regedit or .plists on macOS to blacklist domains to prevent an extension from running on them. As an example, I use Shutup.css to block comments online, but on something like Lemmy, I want to see comments as that’s primarily how content is created and adding it to my extension domain blacklist prevents the extension from running on the website or any lemmy domains.
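
Added example, not part of the thread or the linked blog post: a defender-side audit in Python that reads extension manifests and reports which extensions request host access covering sites you treat as sensitive, i.e. the candidates for removal or for the per-domain blocklist described in the last comment. The extension names, manifests and URLs are constructed samples, and the path part of each match pattern is ignored (an assumption that over-reports rather than under-reports).

```python
from urllib.parse import urlsplit

def pattern_covers(pattern, url):
    """True if a WebExtension match pattern covers url's scheme and host (path ignored)."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False                       # API permission such as "tabs", not a host
    scheme, rest = pattern.split("://", 1)
    pat_host = rest.split("/", 1)[0].lower()
    allowed = ("http", "https") if scheme == "*" else (scheme,)
    if target.scheme not in allowed:
        return False
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):          # "*.corp.example" covers the apex and subdomains
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def host_patterns(manifest):
    """Collect every host pattern a manifest requests (Manifest V2 and V3 keys)."""
    pats = list(manifest.get("host_permissions", []))        # MV3
    pats += [p for p in manifest.get("permissions", [])      # MV2 mixes hosts and API names
             if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit(manifests, sensitive_urls):
    """Map extension name -> the sensitive URLs its manifest lets it read."""
    report = {}
    for name, manifest in manifests.items():
        pats = host_patterns(manifest)
        hits = [u for u in sensitive_urls if any(pattern_covers(p, u) for p in pats)]
        if hits:
            report[name] = hits
    return report

# Constructed sample data: hypothetical extensions and placeholder domains.
SAMPLE = {
    "comment-hider": {"manifest_version": 3, "content_scripts": [{"matches": ["<all_urls>"]}]},
    "intranet-helper": {"manifest_version": 2, "permissions": ["tabs", "*://*.corp.example/*"]},
    "tab-counter": {"manifest_version": 3, "permissions": ["tabs"]},
}
SENSITIVE = ["https://bank.example/login", "https://mail.corp.example/inbox"]

if __name__ == "__main__":
    print(audit(SAMPLE, SENSITIVE))
```

To run it against a real profile, load each installed extension's `manifest.json` with `json.load` and pass the resulting dicts in place of `SAMPLE`.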