Can a malicious add-on access internet history and such in Chrome/Firefox?
How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?
How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?
I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.
EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way? (considering many adblockers and such addons have this permission)
web-browser chrome firefox
asked yesterday, edited 5 mins ago – Mery Ted (new contributor)
2 Answers
Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).
Regarding your specific questions:
- The browser history can only be requested if the `history` permission is granted.
- The `cookies` permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).
Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.
For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.
answered yesterday – tim
Thanks for the answer. So when you say "if permission is granted", do you mean that during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon access to my history? And if no such popup occurs, then it means that addon has no access to history? (I'm asking this because I have never encountered such a popup during installation of my addons.)
– Mery Ted
4 hours ago
Also a bonus question if you have time to answer: what about sending the visited site URL/content to their server immediately after visiting, without accessing the history? Is this possible for them?
– Mery Ted
4 hours ago
@MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?
– tim
4 hours ago
@MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).
– tim
4 hours ago
So if an addon says it can read data on websites I visit, it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (For example the Netcraft Extension addon.) (I also use Chrome mostly.)
– Mery Ted
13 mins ago
> how does chrome/firefox make sure addons are safe?

They inspect them before publishing, and ban those found abusing their rights. But this ban can take from days to weeks.

> how much access can addons have?

Addons can do anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you have given permission, for example, to read data on all websites, the addon can read data on all websites you visit.

> should I still worry about addons?

Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.

What do you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.
answered yesterday, edited 23 hours ago – ThoriumBR
3
You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.
– Daisetsu
yesterday
Good point, I added to my answer.
– ThoriumBR
23 hours ago
1
"If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".
– Lightness Races in Orbit
7 hours ago
So basically, if during installation I don't encounter any pop up about the permissions of that addon, then it means it doesn't have access to history etc., correct? (Because I have never encountered such a pop up during installation of my addons in Chrome/Firefox.)
– Mery Ted
4 hours ago
I do not know of any sold addon which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.
– allo
4 hours ago
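
The permission model both answers describe (the `history` permission, `cookies` working only together with a host permission, and "read data on all websites") can be checked against an extension's `manifest.json` before installing. The following is an added example, not code from either answer; the `auditManifest` helper, its result fields and the sample manifests are constructed for illustration.

```javascript
// Added example: report what a WebExtension manifest lets the extension see.
// All sample manifests below are constructed, not taken from real extensions.

// API permissions that expose browsing activity or session data.
const SENSITIVE_API = new Map([
  ["history", "read the stored browsing history"],
  ["tabs", "see the URL and title of every open tab"],
  ["webNavigation", "observe each navigation as it happens"],
  ["cookies", "read cookies, but only for hosts covered by a host permission"],
]);
// API permissions that reveal visited URLs on their own, without host access.
const URL_REVEALING = ["history", "tabs", "webNavigation"];
// Match patterns that cover every host (on at least one scheme).
const ALL_SITES = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

const asList = (v) => (Array.isArray(v) ? v.filter((e) => typeof e === "string") : []);

// Host permissions are match patterns; every other entry is an API permission.
function isHostPattern(entry) {
  return entry === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(entry);
}

function splitEntries(entries) {
  return {
    api: entries.filter((e) => !isHostPattern(e)),
    hosts: entries.filter(isHostPattern),
  };
}

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 moves them to
  // "host_permissions". Reading both keys handles either version.
  const required = splitEntries([
    ...asList(manifest.permissions),
    ...asList(manifest.host_permissions),
  ]);
  // Optional permissions are not granted at install; the extension can
  // ask for them later with a separate prompt.
  const optional = splitEntries([
    ...asList(manifest.optional_permissions),
    ...asList(manifest.optional_host_permissions),
  ]);
  // Content script "matches" also give page access on the matched sites.
  const scriptHosts = asList(manifest.content_scripts && [])
    .concat(...(manifest.content_scripts || []).map((cs) => asList(cs.matches)));
  const hosts = [...new Set([...required.hosts, ...scriptHosts])];
  const allSites = hosts.some((h) => ALL_SITES.includes(h));

  const api = required.api.filter((p) => SENSITIVE_API.has(p));
  const revealsUrls = api.some((p) => URL_REVEALING.includes(p));

  // Which visited sites are observable through declared access?
  let visitVisibility = "none";
  if (hosts.length > 0) visitVisibility = "listed-hosts";
  if (allSites || revealsUrls) visitVisibility = "all";

  // "cookies" is usable only for hosts named in a declared host permission.
  const cookieScope = api.includes("cookies") ? required.hosts : [];

  const findings = api.map((p) => `${p}: ${SENSITIVE_API.get(p)}`);
  if (allSites) findings.push("page access on all sites: can read and change every page visited");
  else if (hosts.length > 0) findings.push(`page access limited to: ${hosts.join(", ")}`);
  if (api.includes("cookies") && cookieScope.length === 0)
    findings.push("cookies declared without a host permission: no cookies readable");

  return {
    api, hosts, allSites, visitVisibility, cookieScope, findings,
    optional: [...optional.api, ...optional.hosts],
  };
}

// Constructed sample: Manifest V2, cookies scoped to one site.
const SAMPLE_MV2 = {
  manifest_version: 2,
  name: "constructed-sample-a",
  permissions: ["cookies", "storage", "https://*.example.com/*"],
};
// Constructed sample: Manifest V3, no API permissions, but a content script
// on every page; "history" can be requested later.
const SAMPLE_MV3 = {
  manifest_version: 3,
  name: "constructed-sample-b",
  permissions: ["storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  optional_permissions: ["history"],
};
// Constructed sample: cookies requested with no host permission at all.
const SAMPLE_COOKIES_ONLY = {
  manifest_version: 3,
  name: "constructed-sample-c",
  permissions: ["cookies"],
};

for (const m of [SAMPLE_MV2, SAMPLE_MV3, SAMPLE_COOKIES_ONLY]) {
  console.log(m.name, JSON.stringify(auditManifest(m), null, 2));
}
```

The second sample shows why an extension that never asks for `history` can still see every URL visited: page access on all sites is enough.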
– Mery Ted
4 hours ago
I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.
– allo
4 hours ago
I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.
– allo
4 hours ago
|
show 1 more comment
Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.
Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.
Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.
Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-add-on-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown