
I just can't even fathom. Like, every email I've typed. Every interaction with any site. Credit card numbers.

How is this not entirely illegal?

And it certainly shows an incredible flaw in Chrome extensions. This extension didn't do this when I installed it. A silent auto-update though basically turned it into the worst malware I've ever had installed on my computer. How can any Chrome extension ever be trusted?

Furthermore, I spend a lot of time in Chrome Dev Tools, and the Network tab and I are no strangers. I would easily have noticed if my keystrokes were being sent back to a server and it was shown in there. So not only can an extension be silently updated, but it's capable of using a network connection that doesn't appear in the Chrome Network tab, that only Wireshark can reveal? That seems almost as ridiculous as what the extension author did.




A Chrome extension can make network connections that you won't (normally) see in Dev Tools using a background page. You'll see the connections if you inspect the background page directly, but most users won't.

Unfortunately this is simply a byproduct of the web's (and browsers') botched security model; there is no way to allow extensions to modify pages without them being able to read the pages, and if they can read the pages they naturally can catch events, including keystrokes.

This is why you should think - hard - whenever allowing any extension with that permission. It could autoupdate at any time to include malware.

There are a lot of bad extensions out there. I've encountered quite a few. It's a wide-open vector for exploitation and it happens all the time. Just last month I came across a game extension (Super Mario clone) that contained jQuery. Upon further inspection, it turned out it had been re-minified (making diffs difficult) and had a few lines deep inside that hijacked ads and replaced them with the author's ad network. Silent, effective, and this extension was on the 'top lists' for months. It might even still be there.

Be very aware of the permissions an extension asks for.
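The two points above (a content script that may modify a page can read its events, and a background page's requests are invisible from a tab's DevTools) can be checked before trusting an extension by reading its manifest. The following audit script is an added example by the editor, not code from this thread or from any extension it mentions. It assumes the standard Manifest V2/V3 keys (`permissions`, `host_permissions`, `content_scripts[].matches`, `background`); both manifests at the bottom are constructed samples, not real extensions.

```python
"""Audit a Chrome extension's manifest.json for the permissions that let it read
(and therefore observe keystrokes on) every page it is injected into.

Added example, not code from the thread. Assumes standard MV2/MV3 manifest keys;
the two manifests below are constructed samples.
"""
import json

# Match patterns that cover every origin the extension could be injected into.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that widen what a page-reading extension can do beyond the DOM.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "history",
                  "clipboardRead", "debugger", "scripting", "proxy"}


def is_all_hosts(pattern: str) -> bool:
    """True if a match pattern grants access to every host (e.g. '*://*/*')."""
    if pattern in ALL_HOSTS:
        return True
    _scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # not a host pattern at all (e.g. "storage")
    host = rest.split("/", 1)[0]
    return host == "*"


def host_patterns(manifest: dict) -> set:
    """Collect host patterns from MV3 host_permissions, MV2 permissions
    and every content script's 'matches' list."""
    patterns = set(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> dict:
    """Return the facts a reviewer wants before trusting the extension."""
    broad = sorted(p for p in host_patterns(manifest) if is_all_hosts(p))
    injects_everywhere = any(
        is_all_hosts(m)
        for s in manifest.get("content_scripts", [])
        for m in s.get("matches", []))
    sensitive = sorted(set(manifest.get("permissions", [])) & SENSITIVE_APIS)
    has_background = "background" in manifest

    findings = []
    if broad:
        findings.append("can read and modify every page: " + ", ".join(broad))
    if injects_everywhere:
        findings.append("content script runs in every page, so it can observe "
                        "DOM events such as keystrokes")
    if sensitive:
        findings.append("sensitive browser APIs: " + ", ".join(sensitive))
    if has_background:
        findings.append("background page/worker: its requests do not appear in "
                        "a tab's DevTools Network panel")
    return {
        "name": manifest.get("name", "?"),
        "broad_hosts": broad,
        "injects_everywhere": injects_everywhere,
        "sensitive_apis": sensitive,
        "background": has_background,
        "findings": findings,
    }


def risk_level(report: dict) -> str:
    """Coarse triage: page access everywhere is 'high'; broad host or API access
    alone is 'medium'; anything scoped to specific hosts is 'low'."""
    if report["injects_everywhere"] or (report["broad_hosts"] and report["sensitive_apis"]):
        return "high"
    if report["broad_hosts"] or report["sensitive_apis"]:
        return "medium"
    return "low"


# Constructed sample manifests (not real extensions).
GAME_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Sample platformer game",
  "permissions": ["storage"],
  "host_permissions": [],
  "content_scripts": [],
  "action": {"default_popup": "game.html"}
}""")

PAGE_READING_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Sample page helper",
  "permissions": ["<all_urls>", "tabs", "webRequest"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
  "background": {"scripts": ["background.js"], "persistent": true}
}""")


if __name__ == "__main__":
    for manifest in (GAME_MANIFEST, PAGE_READING_MANIFEST):
        report = audit_manifest(manifest)
        print(f"{report['name']}: {risk_level(report)}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a locally unpacked extension by loading its `manifest.json` with `json.load` and passing the dict to `audit_manifest`. Because extensions auto-update, the useful habit is to re-run the audit after an update rather than only at install time: a manifest that gains `<all_urls>` or a background page is the change the comment above is warning about.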


Pop Fiddler on your machines and look for yourselves.


> How is this not entirely illegal?

Depending on where you live, this might very well be illegal. Unauthorized access and recording of private information of an IT system is covered in some hacking paragraphs, in the US and the EU (in the EU maybe as part of the cyber attack tools, as the keylogger would have recorded passwords).


That, my friend, sounds exactly as ridiculous as you are! If you know your JavaScript you can look at the source code and see that the extension is doing none of that. If not, you can try Wireshark for yourself and see that there is no keystroke sent anywhere. The guy that made the claim is a complete A-hole that wanted to see the extension being removed from the webstore at any cost, including committing perjury.



