Showing results for tags 'chrome extensions'.

Found 7 results

  1. Google will add a "Privacy practices" section on each Chrome extension's Web Store page listing what data they collect from users and what the developer plans to do with it. Google said today it plans to add a new section on the Chrome Web Store where extension developers will be able to disclose what user data they're collecting from users and what they plan to do with the information. The new section is set to go into effect on January 18, 2021, and will appear as a "Privacy practices" button on each extension's Web Store listing. To aid the process, Google has added a new section today in the Web Store dashboard where extension developers will be able to disclose what data they collect from their users and for what purposes. Google's new "data usage" dashboard will ship with a limited set of preset options, which will effectively prohibit Chrome developers from certain data practices, such as: The bulk sale of user data by ensuring the use or transfer of user data is for the primary benefit of the user and in accordance with the stated purpose of the extension. The use or transfer of user data for personalized advertising. The use or transfer of user data for creditworthiness or any form of lending qualification and to data brokers or other information resellers. Google's new "data disclosure" policy is not unique. At the WWDC 2020 developer conference in June this year, Apple announced that all App Store app listings will soon be required to include a "privacy prompt (label)" that will list all the data points apps collect from users and which data points are used to track users across apps. Apple's privacy labels are scheduled to go live on December 8, next month. Google said it plans to show notices to all developers in the Web Store developer dashboards and prompt extension makers to set up a "privacy practices" section. Source
  2. Google removes banner dissuading Edge users from running Chrome extensions Microsoft announced back in December of 2018 that it was building a Chromium-based Edge browser, which then became generally available in January 2020. An advantage of using Chromium is the ability to run Chrome extensions. However, Google had a somewhat dissuasive banner for Edge users recommending that the extensions be used on Chrome for them to run “securely”. It looks like with the backlash from users and tech journalists, Google has decided to remove the banner (spotted first by Techdows). It is not clear as to when this change was made. The Chrome Web Store on Edge now shows a banner from the Redmond giant itself that reads “You can now add extensions from the Chrome Web Store to Microsoft Edge – Click on Add to Chrome”. This is a welcome change from Google since the prompt asking users to run Chrome for using the extensions securely was misleading. Any security issues with extensions are likely to affect either of the browsers. Interestingly, even Microsoft has begun using more subtle verbiage on Edge when users head to the Chrome Web Store for the first time. The message asks users to “Allow extensions from other stores” to be able to run Chrome extensions. This contrasts with some earlier messages which implied that running “unverified” extensions from other stores might affect performance. With the two companies working together to contribute to Chromium and bring about features from each other’s offerings, refraining from petty tactics to dissuade users from using competing offerings seems like the right thing to do. Source: Google removes banner dissuading Edge users from running Chrome extensions (Neowin)
  3. Back in January, Google announced a proposed change to Chrome’s extensions system, called Manifest V3, that would stop current ad blockers from working efficiently. In a response to the overwhelming negative feedback, Google is standing firm on Chrome’s ad blocking changes, sharing that current ad blocking capabilities will be restricted to enterprise users. Manifest V3 comprises a major change to Chrome’s extensions system, including a revamp to the permissions system and a fundamental change to the way ad blockers operate. In particular, modern ad blockers, like uBlock Origin and Ghostery, use Chrome’s webRequest API to block ads before they’re even downloaded. With the Manifest V3 proposal, Google deprecates the webRequest API’s ability to block a particular request before it’s loaded. As you would expect, power users and extension developers alike criticized Google’s proposal for limiting the user’s ability to browse the web as they see fit. Now, months later, Google has responded to some of the various issues raised by the community, sharing more details on the changes to permissions and more. The most notable aspect of their response, however, is a single sentence buried in the text, clarifying their changes to ad blocking and privacy blocking extensions. "Chrome is deprecating the blocking capabilities of the webRequest API in Manifest V3, not the entire webRequest API (though blocking will still be available to enterprise deployments)." Google is essentially saying that Chrome will still have the capability to block unwanted content, but this will be restricted to only paid, enterprise users of Chrome. This is likely to allow enterprise customers to develop in-house Chrome extensions, not for ad blocking usage. For the rest of us, Google hasn’t budged on their changes to content blockers, meaning that ad blockers will need to switch to a less effective, rules-based system. This system is how blockers like AdBlock Plus currently work. 
One of the original concerns of switching to this system was the fact that Chrome currently imposes a limit of 30,000 rules, while popular ad blocking rules lists like EasyList use upwards of 75,000 rules. In the response, Google claims that they’re looking to increase this number, depending on performance tests, but couldn’t commit to anything specific. "We are planning to raise these values but we won’t have updated numbers until we can run performance tests to find a good upper bound that will work across all supported devices." The lead developer of uBlock Origin, Raymond Hill, has commented on the situation, both to The Register and on uBlock Origin’s GitHub, pointing out that allowing ad blockers goes completely against Google’s business model. "Google’s primary business is incompatible with unimpeded content blocking. Now that Google Chrome product has achieve high market share, the content blocking concerns as stated in its 10K filing are being tackled." Google themselves have even admitted as such in a recent SEC Form 10-K filing by Alphabet, uncovered by Hill, in which ad blocking extensions are labeled as a “risk factor” to Google’s revenues. "New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business. Technologies have been developed to make customizable ads more difficult or to block the display of ads altogether and some providers of online services have integrated technologies that could potentially impair the core functionality of third-party digital advertising. Most of our Google revenues are derived from fees paid to us in connection with the display of ads online. As a result, such technologies and tools could adversely affect our operating results." With that in mind, the change makes a great deal of sense, when you think of Chrome as a way for Google to better deliver ads to your devices. 
By allowing in-depth ad blockers to continue to function, they’re allowing for a direct, negative impact on their largest revenue stream. Chrome’s enterprise users get an exception because they’re a separate revenue stream. 9to5Google’s Take: Firefox is available on all platforms (including Chrome OS via the Android or Linux app) and, unlike Chrome, supports browser extensions on Android, including uBlock Origin and other privacy extensions. Just remember to unblock sites you wish to support financially. Source
  4. Last week we learned about DataSpii, a report by independent researcher Sam Jadali about the “catastrophic data leak” wrought by a collection of browser extensions that surreptitiously extracted their users’ browsing history (and in some cases portions of visited web pages). Over four million users may have had sensitive information leaked to data brokers, including tax returns, travel itineraries, medical records, and corporate secrets. While DataSpii included extensions in both the Chrome and Firefox extension marketplaces, the majority of those affected used Chrome. Naturally, this led reporters to ask Google for comment. In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have “announced technical changes to how extensions work that will mitigate or prevent this behavior.” Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3. As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we’re here to tell you: Google’s statement just isn’t true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation. To understand why, we have to dive into the technical details of what Manifest V3 will and won’t do, and what Google should do instead. The Truth About Manifest V3 To start with, the Manifest V3 proposal won't do much about evil extensions extracting people’s browsing histories and sending them off to questionable data aggregators. That’s because Manifest V3 doesn’t change the observational APIs available to extensions. (For extension developers, that means Manifest V3 isn’t changing the observational parts of chrome.webRequest.) In other words, Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit. 
(Privacy Badger and other extensions rely on these observational APIs.) Additionally, Manifest V3 won’t change anything about how “content scripts” work. Content scripts are pieces of Javascript that allow extensions to interact with the contents of web pages, both an important capability to allow extensions to deliver useful functionality and yet another way to extract user browsing data. One change in Manifest V3 that may or may not help security is how extensions get permission to interact with websites. Under Manifest V3, users will be able to choose when they’re visiting a website whether or not they want to give the extension access to the data on that website. Of course it’s not practical to have to allow an ad- or tracker-blocker or accessibility-focused extension every time you visit a new site, so Chrome will still allow users to give extensions permission to run on all sites. As a result, extensions that are designed to run on every website—like several of those involved in DataSpii—will still be able to access and leak data. The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code. You can’t ensure extensions are what they appear to be if you give them the ability to download new instructions after they’re installed. But you don't need the rest of Google’s proposed API changes to stop this narrow form of bad extension behavior. Manifest V3 Crushes Innovation What Manifest V3 does do is stifle innovation. Google keeps claiming that the proposed changes are not meant to “[prevent] the development of ad blockers.” Perhaps not, but what they will do in their present form is effectively destroy powerful privacy and security tools such as uMatrix and NoScript. 
That’s because a central part of Manifest V3 is the removal of a set of powerful capabilities that uMatrix, NoScript, and other extensions rely on to protect users (for developers, we’re talking about request modification using chrome.webRequest). Currently, an extension with the right permissions can review each request before it goes out, examine and modify the request however it wants, and then decide to complete the request or block it altogether. This enables a whole range of creative, innovative, and highly customizable extensions that give users nearly complete control over the requests that their browser makes. Manifest V3 replaces these capabilities with a narrowly-defined API (declarativeNetRequest) that will limit developers to a preset number of ways of modifying web requests. Extensions won’t be able to modify most headers or make decisions about whether to block or redirect based on contextual data. This new API appears to be based on a simplified version of Adblock Plus. If your extension doesn’t work just like Adblock Plus, you will find yourself trying to fit a square peg into a round hole. If you think of a cool feature in the future that doesn’t fit into the Adblock Plus model, you won’t be able to make an extension using your idea unless you can get Google to implement it first. Good luck! Google doesn’t have an encouraging track record of implementing functionality that developers want, nor is it at the top of Google’s own priority list. Legitimate use cases will never get a chance in Chrome for any number of reasons. Whether due to lack of resources or plain apathy, the end result will be the same—removing these capabilities means less security and privacy protection for Chrome’s users. For developers of ad- and tracker-blocking extensions, flexible APIs aren’t just nice to have, they are a requirement. When particular privacy protections gain popularity, ads and trackers evolve to evade them. 
As a result, the blocking extensions need to evolve too, or risk becoming irrelevant. We’ve already seen trackers adapt in response to privacy features like Apple’s Intelligent Tracking Prevention and Firefox’s built-in content blocking; in turn, pro-privacy browsers and extensions have had to develop innovative new countermeasures. If Google decides that privacy extensions can only work in one specific way, it will be permanently tipping the scales in favor of ads and trackers. The Real Solution? Enforce Existing Policies In order to truly protect users, Google needs to start properly enforcing existing Chrome Web Store policies. Not only did it take an independent researcher to identify this particular set of abusive extensions, but the abusive nature of some of the extensions in the report has been publicly known for years. For example, HoverZoom was called out at least six years ago on Reddit. Unfortunately, the collection of extensions uncovered by DataSpii is just the latest example of an ongoing pattern of abuse in Chrome Web Store. Extensions are bought out (or sometimes outright hijacked), and then updated to steal users’ browsing histories and/or commit advertising fraud. Users complain, but nothing seems to happen. Often the extension is still available months later. The “Report Abuse” link doesn't seem to produce results, obfuscated code doesn't seem to trigger red flags, and no one responds to user reviews. “SHINE for reddit” stayed up for several years while widely known to be an advertising referrals hijacker that fetched and executed remote code. A study from 2015 demonstrated various real-world obfuscation and remote code execution techniques. A study from 2017 analyzed the volume of outgoing traffic to detect history leakage. The common thread here is that the Chrome Web Store does not appear to have the oversight to reject suspicious extensions. The extensions swept up by DataSpii are not obscure by any measure. 
According to the DataSpii report, some of the extensions had anywhere from 800,000 to 1.4+ million users. Is it too much to ask a company that makes billions in profit every year to prioritize reviewing all popular extensions? Had Google systematically started reviewing when the scope of Chrome Web Store abuse first became clear years ago, Google would have been in place to catch malicious extensions before they ever went live. Ultimately, users need to have the autonomy to install the extensions of their choice to shape their browsing experience, and the ability to make informed decisions about the risks of using a particular extension. Better review of extensions in Chrome Web Store would promote informed choice far better than limiting the capabilities of powerful, legitimate extensions. Google could have banned remote code execution a long time ago. It could have started responding promptly to extension abuse reports. It could have invested in automated and manual extension review. Instead, after years of missed opportunities, Google has given us Manifest V3: a nineteen-page document with just one paragraph regarding remote code execution—the actual extension capabilities oversight that continues to allow malicious extensions to exfiltrate your browsing history. The next time Google claims that Manifest V3 will be better for user privacy and security, don’t believe their hype. Manifest V3 will do little to prevent the sort of data leaks involved in DataSpii. But Manifest V3 will curtail innovation and hurt the privacy and security of Chrome users. Source: EFF
  5. How to determine if a Google Chrome extension is safe When it comes to online security, you can never be too careful; this guide isn't about antivirus programs, firewalls or VPNs though, as it is about Chrome extensions. Just because an extension is on the Chrome web store doesn't mean it is safe to use. There have been many cases of malicious add-ons which have been taken down in the past after they were installed by millions of Chrome users in some cases. Note: The guide provides additional information on checking whether Chrome extensions are (likely) safe to use. You can check out Martin's guide on verifying Chrome extensions, and there especially the part on looking at the source. How to determine if a Google Chrome extension is safe We will focus on steps that you may undertake before installing extensions. It is often easier to determine if an extension is shady or outright malicious if you have installed it as it may be the cause for visible unwanted changes or activity such as hijacking search engines, displaying advertisements or popups, or showing other behavior that was not mentioned in the extension's description. Users who know JavaScript may also check the source of the extension. Check out Martin's guide linked above for information on how to do that. Web Store page Analyze the extension's listing and see if it rings some alarm bells. Broken grammar or English may be seen as warning signs but since developers from all over the world publish extensions on the Store, some may be written by non-English natives. Bad grammar or spelling mistakes may not be used as an indicator. Irrelevant screenshots or very odd descriptions, on the other hand, are all tell-tale signs of a malicious extension. These are quite rare though. Logos Malware developers resort to all sorts of tricks to infect users, and one of these is to use the logo (icon) of popular brands or applications. 
Sometimes, people get fooled by these and think it's from the company which makes the actual software. Pay attention to the developer name and click on it to see their other extensions. Developer's Website and Contact Does the extension have its own web page? Visit it to learn more about it and maybe something about the developer. We recommend using a content blocker when visiting these sites to avoid issues if the site is specifically prepared to attack devices. Not all extensions have a web page, but most do, at least for support requests/FAQs. Is there a contact option on the Chrome web store page which lets you email the developer? If there is one, it's a good sign, but an absence of one doesn't mean it's a fake extension. Privacy Policy This is perhaps the most overlooked one? Who reads the privacy policy? You should, because unlike website registrations or software agreements, you're not shown the privacy policy for an extension when you install it. But it may exist as a loophole for the developer to get out of a legal dispute, should one arise. You accept the policy the second you install the extension. Use Control + F and search for words like data, collect, track, personal, etc, in privacy policies. Your browser should highlight the sentences which contain the word and you should read what it says. If the policy is upfront about the data they collect, think about if it's worth using the extension at the cost of privacy. I'll give you a hint: It's never acceptable. Obviously, developers and companies with ill-intent may add whatever they like to the privacy policy. Permissions When you click the install button, read the pop-up which lists the permissions the extension requires. Permissions may give important clues; an add-on for a visual enhancement (like a theme) shouldn't require permissions like "Communicate with cooperating websites". That means it could be sending data, your personal data, to some server. 
Reviews These are big red flags if you know how to identify legit ones. Does an extension have reviews? Are they all 5-star reviews? That's suspicious. Look at the publishing date of each review. If you find that they were all posted on the same day it may be fishy. Look at the text as well, if they look more or less the same, or if the usernames only contain random characters, alarm bells should go off and you should look deeper. Take a look at the screenshot here. What do you see? Did the reviewers copy/paste the comment? It's possible, but it wasn't in this case. The extension had multiple reviews which used the same comments over and over. In fact, there was more than one review left by the same user. Is it possible the extension has hijacked the user to post these reviews? Or were they paid for? Regardless of this, I'd recommend avoiding such extensions to be on the safe side. It may be a good idea to check whether the developer has commented on any of the user reviews. Go over the next few pages. Search for similar extensions, watch out for the clones The screenshot which you saw above is actually not from the original extension. I bet you weren't expecting that? It was from a clone of another extension which had a similar name, same features, slightly different description, an identical privacy policy. It was alarming. The worst part was that the original add-on was about 2.15 MB in size while the clone was about 4.26 MB. If it was a clone, what's the extra size for? That is scary. So search the web store using similar keywords (or the name of the extension), check out the results. Look at the add-on's published date, the older one is obviously the original. Again, if you know JavaScript, you could analyze the code to find out why the clone has a size that is nearly double the size of the original. It could be something as simple as an uncompressed image that is used as a logo or additional code that may be used for malicious or invasive practices. 
Open Source If the extension is open source, it is likely that it could be safe. But I wouldn't take it for granted. You should go to the page where the source code is published to see if it actually exists. You should also check when the last commit was made on the source code page. If the extension was updated recently, but the source code wasn't, the extension may no longer be open source and possibly open to privacy and security issues. Search across Social networks You could try Googling for the extension's name to see whether any issues, recommendations or reviews were posted by users on social networks. This gives you an idea of real-world usage of the extension. If you do come across suspicious extensions, do yourself and everyone a favor, and report it to Google. Some tips I mentioned here aren't necessarily restricted to Chrome extensions, they apply to extensions for other browsers such as Firefox as well. Source: How to determine if a Google Chrome extension is safe (gHacks)
  6. The Project Strobe rules will go into effect this fall. Google announced new rules that will restrict access to user data for third-party add-ons in Chrome and Drive. From now on, Chrome extension developers must request the least amount of user data their app requires to function. Apps that connect with Google Drive -- such as Pixlr and many popular document signing apps -- will be barred from accessing the entirety of the user's files. The changes are a result of Project Strobe, an audit Google launched in October to study how third-party services handle user data. Notably, Google will require browser extensions that handle user-provided content and personal communications to post a privacy policy. In the past, Google only required a small number of Chrome plug-ins -- those that handle sensitive user data -- to actually post a privacy policy. While this rules change will add more apps to that list, it doesn't apply to all of the 180,000 options in the Chrome Web Store. Roughly 85 percent of Chrome extensions don't have a privacy policy listed, according to a recent survey of developers. Given that you can't violate a privacy policy without having a privacy policy, this relieves a great number of third-party Chrome developers of liability. Google Drive apps are being asked to move to a "per-file" user consent model. In short, apps will have to ask for permission each time they need access to an individual file. While the new privacy rules are promising, they'll take some time to go into effect. Google is making developers aware of the updated policy today, but the rules won't be enforced until this fall. For Google Drive developers, enforcement won't start until early next year. More At [ Google ] Source
  7. Google is shutting down paid Chrome extensions The changes will take place over the coming months. Google is shutting down paid Chrome extensions offered on the Chrome Web Store, the company announced today. That means that developers who are trying to monetize their extensions will have to do so with other payment-handling systems. As of Monday, developers can no longer make new paid extensions, according to Google — though that’s cementing a policy that has already been in place since March. And that policy follows a temporary suspension of publishing paid extensions in January after Google noticed an uptick in fraudulent transactions that “aim[ed] to exploit users.” Google will gradually phase out other functionality over the coming months, and on February 1st, Google says that existing extensions can no longer charge customers using the Chrome Web Store’s payments system. Here’s the full timeline: [image: Google] These aren’t the only notable changes to extensions that Google has made this year. The company rolled out a number of policy updates in April intended to reduce spammy extensions, including banning multiple extensions that do the same thing, not allowing developers to manipulate reviews to try to get better placement for their extension, and forbidding extensions that abuse notifications.