Can a malicious add-on access internet history and such in Chrome/Firefox? Unicorn Meta Zoo #1: Why another podcast? Announcing the arrival of Valued Associate #679: Cesar ManaraDanger of browser extension without any permissions?How to defend myself against potential malicious browser add-ons?How can I assess the trust worthiness of a browser add-on? Are official browser add-ons really safe?Password management in Firefox, Chrome and SafariIs Adblock (Plus) a security risk?are chrome extensions in the Chrome store generally safe?Spoofing random browser information to defend against fingerprintingFirefox password manager and Firefox SyncChrome users and malicious extensionsHow secure is our privacy when using third party addons and extensions?Can malicious Javascript in local HTML -file send files to internet in Firefox/Chrome?

Is Bran literally the world's memory?

Bright yellow or light yellow?

When does Bran Stark remember Jamie pushing him?

Marquee sign letters

Co-worker works way more than he should

What were wait-states, and why was it only an issue for PCs?

What is a 'Key' in computer science?

Retract an already submitted Recommendation Letter (written for an undergrad student)

Can gravitational waves pass through a black hole?

Processing ADC conversion result: DMA vs Processor Registers

Could a cockatrice have parasitic embryos?

What does the black goddess statue do and what is it?

What happened to Viserion in Season 7?

Are there existing rules/lore for MTG planeswalkers?

Protagonist's race is hidden - should I reveal it?

A journey... into the MIND

Getting AggregateResult variables from Execute Anonymous Window

Why is arima in R one time step off?

France's Public Holidays' Puzzle

What is ls Largest Number Formed by only moving two sticks in 508?

Will I lose my paid in full property

What is the numbering system used for the DSN dishes?

false 'Security alert' from Google - every login generates mails from 'no-reply@accounts.google.com'

TV series episode where humans nuke aliens before decrypting their message that states they come in peace



Can a malicious add-on access internet history and such in Chrome/Firefox?



Unicorn Meta Zoo #1: Why another podcast?
Announcing the arrival of Valued Associate #679: Cesar ManaraDanger of browser extension without any permissions?How to defend myself against potential malicious browser add-ons?How can I assess the trust worthiness of a browser add-on? Are official browser add-ons really safe?Password management in Firefox, Chrome and SafariIs Adblock (Plus) a security risk?are chrome extensions in the Chrome store generally safe?Spoofing random browser information to defend against fingerprintingFirefox password manager and Firefox SyncChrome users and malicious extensionsHow secure is our privacy when using third party addons and extensions?Can malicious Javascript in local HTML -file send files to internet in Firefox/Chrome?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








18















How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)










share|improve this question






























    18















    How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



    How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



    I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



    EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)










    share|improve this question


























      18












      18








      18








      How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



      How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



      I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



      EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)










      share|improve this question
















      How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



      How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



      I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



      EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)







      web-browser chrome firefox






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 26 at 18:33







      Mery Ted

















      asked Mar 25 at 15:22









      Mery TedMery Ted

      10016




      10016




















          2 Answers
          2






          active

          oldest

          votes


















          26














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer























          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            Mar 26 at 13:40












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            Mar 26 at 13:47












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            Mar 26 at 14:29











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            Mar 26 at 14:30












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            Mar 26 at 18:25



















          9















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer




















          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            Mar 25 at 17:03











          • Good point, I added to my answer.

            – ThoriumBR
            Mar 25 at 18:52






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            Mar 26 at 11:20












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            Mar 26 at 13:42












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            Mar 26 at 13:54











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-add-on-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          26














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer























          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            Mar 26 at 13:40












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            Mar 26 at 13:47












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            Mar 26 at 14:29











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            Mar 26 at 14:30












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            Mar 26 at 18:25
















          26














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer























          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            Mar 26 at 13:40












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            Mar 26 at 13:47












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            Mar 26 at 14:29











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            Mar 26 at 14:30












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            Mar 26 at 18:25














          26












          26








          26







          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer













          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Mar 25 at 15:47









          timtim

          24.9k674103




          24.9k674103












          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            Mar 26 at 13:40












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            Mar 26 at 13:47












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            Mar 26 at 14:29











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            Mar 26 at 14:30












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            Mar 26 at 18:25


















          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            Mar 26 at 13:40












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            Mar 26 at 13:47












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            Mar 26 at 14:29











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            Mar 26 at 14:30












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            Mar 26 at 18:25

















          Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

          – Mery Ted
          Mar 26 at 13:40






          Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

          – Mery Ted
          Mar 26 at 13:40














          also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

          – Mery Ted
          Mar 26 at 13:47






          also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

          – Mery Ted
          Mar 26 at 13:47














          @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

          – tim
          Mar 26 at 14:29





          @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

          – tim
          Mar 26 at 14:29













          @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

          – tim
          Mar 26 at 14:30






          @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

          – tim
          Mar 26 at 14:30














          so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

          – Mery Ted
          Mar 26 at 18:25






          so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

          – Mery Ted
          Mar 26 at 18:25














          9















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer




















          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            Mar 25 at 17:03











          • Good point, I added to my answer.

            – ThoriumBR
            Mar 25 at 18:52






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            Mar 26 at 11:20












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            Mar 26 at 13:42












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            Mar 26 at 13:54















          9















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer




















          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            Mar 25 at 17:03











          • Good point, I added to my answer.

            – ThoriumBR
            Mar 25 at 18:52






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            Mar 26 at 11:20












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            Mar 26 at 13:42












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            Mar 26 at 13:54













          9












          9








          9








          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer
















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Mar 25 at 18:52

























          answered Mar 25 at 15:35









          ThoriumBRThoriumBR

          24.8k85875




          24.8k85875







          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            Mar 25 at 17:03











          • Good point, I added to my answer.

            – ThoriumBR
            Mar 25 at 18:52






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            Mar 26 at 11:20












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            Mar 26 at 13:42












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            Mar 26 at 13:54












          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            Mar 25 at 17:03











          • Good point, I added to my answer.

            – ThoriumBR
            Mar 25 at 18:52






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            Mar 26 at 11:20












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            Mar 26 at 13:42












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            Mar 26 at 13:54







          3




          3





          You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

          – Daisetsu
          Mar 25 at 17:03





          You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

          – Daisetsu
          Mar 25 at 17:03













          Good point, I added to my answer.

          – ThoriumBR
          Mar 25 at 18:52





          Good point, I added to my answer.

          – ThoriumBR
          Mar 25 at 18:52




          1




          1





          "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

          – Lightness Races in Orbit
          Mar 26 at 11:20






          "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

          – Lightness Races in Orbit
          Mar 26 at 11:20














          So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

          – Mery Ted
          Mar 26 at 13:42






          So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

          – Mery Ted
          Mar 26 at 13:42














          I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

          – allo
          Mar 26 at 13:54





          I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

          – allo
          Mar 26 at 13:54

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-add-on-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Bruad Bilen | Luke uk diar | NawigatsjuunCommonskategorii: BruadCommonskategorii: RunstükenWikiquote: Bruad

          What is the offset in a seaplane's hull?

          Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029