
There's a reckoning coming here unless Google gets around to actually getting Extension permissions under control. As currently constructed, there's not much stopping a malicious extension from getting at all sorts of important data stored in your gmail or dropbox tabs - just effort. Whenever I scan the featured extensions on the CWS home page, upwards of 25% of them request the permission to access websites from any origin, which means they can inject script in there and basically do anything they want. Part of this is convenience (it's an enormous pain to add permission requests to your extension after first install) and part of it is bad API design that makes it necessary to bake broad permission grants into an extension for it to do simple things.

At some point the people behind sneaking ads or tracking into extensions are going to pivot into higher-value scams, like harvesting account credentials or important data.

As Chrome is constructed now, there's almost nothing stopping any extension with the 'Read and change all your data on the websites you visit' permission from stealing literally any piece of data that moves through your browser if the person in control of it is determined enough. With the push towards running all your apps in the browser for "sandboxing", the risk this poses keeps going up. Companies use Slack, Gmail, etc. to collaborate and all of those things are built to run in a browser tab (even if they have native apps) - and basically any extension a user installs has the potential to silently exfiltrate sensitive information, disguised as regular user traffic. Worse still, if the user signs into their Google account, the malicious extension can be synced to other machines. "Don't install stuff on your work PC" is pretty easy to understand, but "don't sign in to Google" is a bit harder of a policy to enforce, especially with the fuzzy boundary between Google-the-platform, Google-the-website, and Google-the-browser, all of which use the same login flow.

Native and mobile app development spaces have solutions for most of these issues already via sandboxes and permissions (though there remains work to be done), and these threats are non-existent when dealing with regular websites and web apps. Extensions need a lot more scrutiny due to just how much of a threat they pose.
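An added example, not code from this thread or from Chrome itself: a small manifest audit that flags the any-origin host grants the comment above describes (the ones that trigger the "Read and change all your data on the websites you visit" warning), run over two constructed manifests. It reads the standard MV2/MV3 `permissions`, `host_permissions` and `content_scripts[].matches` fields; runtime-requested `optional_host_permissions` are deliberately not flagged.

```javascript
// Match patterns that grant access to every origin.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// True if the pattern's host component is a bare wildcard (e.g. "https://*/").
function isBroadHostPattern(p) {
  if (BROAD_PATTERNS.has(p)) return true;
  const m = /^(\*|https?|ftp|file):\/\/([^/]*)\//.exec(p);
  return !!m && m[2] === "*";
}

// Walk the install-time host grants of a manifest and report each broad one.
// MV2 mixes API names and host patterns in "permissions"; MV3 moves host
// patterns into "host_permissions". Content-script "matches" are a third
// place an extension can be given script access to every page.
function auditHostAccess(manifest) {
  const findings = [];
  const check = (patterns, where) => {
    for (const p of patterns || []) {
      if (isBroadHostPattern(p)) findings.push({ where, pattern: p });
    }
  };
  check(manifest.permissions, "permissions");
  check(manifest.host_permissions, "host_permissions");
  (manifest.content_scripts || []).forEach((cs, i) => {
    check(cs.matches, `content_scripts[${i}].matches`);
  });
  return findings;
}

// Constructed sample: asks for every origin up front, as many CWS listings do.
const broadManifest = {
  manifest_version: 3,
  name: "Example Ad Blocker (constructed)",
  permissions: ["storage", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["cs.js"] }],
};

// Constructed sample: the same shape scoped to a single site.
const scopedManifest = {
  manifest_version: 3,
  name: "Example Site Helper (constructed)",
  permissions: ["storage"],
  host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["cs.js"] }],
};

console.log(auditHostAccess(broadManifest));   // two findings
console.log(auditHostAccess(scopedManifest));  // none
```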




> With the push towards running all your apps in the browser for "sandboxing", the risk this poses keeps going up.

Sandboxing cannot be relied upon as a primary security feature; at best it's only an additional roadblock that provides defense in depth. Isolating potentially malicious code in a sandbox is useless if you also run the rest of your software in that same sandbox.

The browser sandbox was useful for isolating transient Javascript in the current page/window. Your primary apps and always-running utilities were protected because they were outside the sandbox.


You can configure Chrome to run each site in a different sandbox: https://www.chromium.org/Home/chromium-security/site-isolati...

The problem here isn't the shared sandbox, though, but that an adblocker needs access to every site to block their ads.


Yeah, precisely. I guess the core of my point is that we've moved many apps from running natively with user privs (with access to all the user's files, for good and for ill) to sandboxed websites - great! - meanwhile every Chrome extension basically has admin privileges over those apps, and we're not really treating that with the caution we should.


One thing they need to watch out for is making it impossible for me (or people I trust) to do whatever I want with my browser. Maybe permissions could apply only to stuff from the Chrome Web Store, but not be applied to my own extensions or extensions I download myself?



