Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs

Note that all these extensions are meant to “protect” your privacy against trackers and whatnot. Another reason why you shouldn’t download random extensions with excessive permissions.

As for Google featuring these extensions on the web store? That’s really lazy and shameful behavior on their end.

You shouldn’t download any extensions unless they’re by gorhill.

5 Likes

If they acknowledge it then it’s a problem for them. Unless malware is negatively affecting the bottom line, they won’t even look at it.

Surely there are also other responsible browser extension devs? Is that a real blanket statement or are you just stating a point that not all extension devs are responsible and privacy/security respecting?

1 Like

I think the point may not be about the responsibility of other extension devs, but it’s the fact that other extensions may increase fingerprintability even more, and there are usually workarounds to them.

For example, one could use a password manager or VPN app rather than an extension.

Additionally, even if other extension devs may be trustworthy, giving programs fewer permissions and allowing for less attack surface contributes to security hygiene.

Still, I see the legitimate use of certain extensions, and wish for browsers in the future to natively have the functionality those extensions would. (Automatic Invidious and Redlib redirect for Ladybird or Servo would make me jump for joy)

and if these turn out malicious your entire machine (not just that browser profile) is now compromised. Extensions are safer.

afaik only a problem if the extension messes with the page content. a ‘VPN’ extension shouldn’t be fingerprintable

yes, let’s add even more features to the already massive monsters that are modern web browsers.. A content blocker, sure, but a redirector probably is not something that should be implemented in the browser

Interesting points!
Brave already does have a redirect feature with old.reddit.com, but I guess search engines should have that job. Maybe something like Multi-Account Containers could be a better fit to be native in the browser.
PG says that extensions could weaken site isolation, would VPN extensions be among those that do?