Chrome extension users are suffering Warning Fatigue.
The user can review some information about access permissions but so many extensions make the same plea: "i know that my extension is using lots of permissions, but it's totally safe".
Much like Windows and Android, the endless alerts about permissions and confirmations, while perhaps holding real information, end up becoming little more than noise.
Combine that with a free-fire zone where apparently little moderation or pruning occurs... it's bad news waiting to happen.
(edit: I'm a Chrome user in addition to FF and I use a lot of extensions... they are super useful, but I have serious concerns about this)
There's a lot more we have planned though. Personally, I would like to eventually get to a world where many extensions - in particular the ones that novice users usually see - require no warnings at all. I think that can be done by putting access to most elevated privileges behind explicit user gestures (like clicking a button or invoking a keyboard shortcut).
In general, balancing utility and security in a browser extension system turns out to be a very, um, interesting design problem. But I think we have some good, new ideas coming. Now, just need to implement them.
Thanks for commenting on this. Glad to hear you are tackling what is definitely a hard problem without turning it into a completely walled garden.
Do you discuss this problem space with the Android Market/Play team? It seems to have not only a lot of overlap in terms of problem domain, but likely a lot of overlap in terms of actual users.
A better behavior would be selective approval. Extension asks for permissions for X, Y, and Z. You allow X and Z but deny Y. Any features affected fall back to an alternate state or are disabled. User is given clear access to control the permission states and clear feedback as to which permissions affect which features. Information about feature dependencies is available prior to install, particularly if they are arbitrary dependencies like "send us all your personal info or the software does nothing."
Is this going to happen? Probably not. Application-level firewalls help somewhat, in some cases, for expert users. Sometimes "use different software" helps, but there are many cases where that's not viable.
I think an even better policy is to let the browser prompt if the permissions that the extension demands are grossly above those required for its purported purpose.
It may seem like a hard machine learning problem, but it seems to me that one could catch the most blatant offenders easily-- changing background colors at \.facebook.com should not require the ability to communicate with malwarehost.com or the ability to read data across all websites.
Combine this with the fact that most extensions people install are not* malicious, and you already have a decent training corpus (to treat this as a one-class classifier)
I'd be happy just seeing prominent and clear icons for major threat types, e.g. access to personal data, elevated device access, and so forth. Make them large and suitably threatening. It wouldn't completely solve the problem, but it could take back a lot of ground.
I made a chrome extension just to try it out and I agree, you can basically see everything on the page and make calls out to your own server. Including keylogging and such. Since these extensions are all javascript it would be nice if the code for the extension was published along side where you get the extensions. Then people could inpsect the code and see if it's doing anything malicious. You wouldn't expect everyone to do this but it would only take one or two people flagging it to effectively weed it out. Users could flag it if it's bad and someone at Google could verify the bad behavior and block the extension if necessary, or contact the extension maker. Just an idea...
The possibility of what malicious extensions could gain access to (credit card #s, passwords, bank accounts, email accounts), combined with the ease of installing and lack of suspicion users have with these extensions really scares me.
Does anyone know how actively moderated the Chrome Extensions store is?
I know recently Google made all developers use a credit card to verify names better, but this seems more of a reactive safety measure, i.e. after lots of people get hacked, Google can provide prosecutors with information.
It is definitely not moderated, I've had multiple plugins inject ads into my web browsing. One was a Facebook app to enlarge photos and it started adding these banners to the sides of facebook. I though it was Facebook using a new form of ads until I realized otherwise. I had another do it on yelp...
The article does a good job of showing what can go wrong with Chrome, but I have a gripe with the article itself. Notice, it uses very subtle fear mongering in the way they printed the JavaScript code. At first glance, I thought it was going to be a screenshot of a Windows BSOD. I'm not sure what the author is trying to accomplish (code = evil?) but at the very least the screenshots are ugly and garish.
Pardon my ignorance, but the last time I saw DOS was around the time I was six years old. Thank you for providing some insight on this subject. DOS text editors are before my time.
The user can review some information about access permissions but so many extensions make the same plea: "i know that my extension is using lots of permissions, but it's totally safe".
Much like Windows and Android, the endless alerts about permissions and confirmations, while perhaps holding real information, end up becoming little more than noise.
Combine that with a free-fire zone where apparently little moderation or pruning occurs... it's bad news waiting to happen.
(edit: I'm a Chrome user in addition to FF and I use a lot of extensions... they are super useful, but I have serious concerns about this)