
To be fair, for me the extensions that get that are uBO, Privacy Badger, and Tampermonkey.

I trust gorhill and the EFF to not fuck me over on my data, and Tampermonkey kinda needs those sorts of permissions to work. My password manager has read access to every website but I'm already trusting it with all of my passwords so...




Seems like a very juicy target.

These extensions should not store any data without a master password that you input every time.

What if someone stole the signing key, and submitted an update to the Chrome store, even for a little? Oh wait, that is only for Chrome Apps. For extensions, they can literally update themselves anytime. Someone would just have to steal the certificate.

If an extension that reads all data uses a CDN (like CloudFlare) that CDN can execute a MITM attack against it and download new code, that would be catastrophic even if it was caught 1 day later.


>Oh wait that is only for Chrome Apps. For extensions, they can literally update themselves anytime. Someone would just have to steal the certificate.

Mozilla reviews signed extension updates. Something tells me uBO is one of the most scrutinized given how very many users it has.

>If an extension that reads all data uses a CDN (like CloudFlare) that CDN can execute a MITM attack against it and download new code, that would be catastrophic even if it was caught 1 day later.

My threat model doesn't include state actors targeting me specifically. Not sure much of anything works against that threat model besides maybe iOS in Lockdown Mode as your only device.


Extensions can simply download and update their own code, e.g. by loading new stuff from localStorage.

I have seen Metamask update itself randomly, and it has access to read every website.
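Added example, not code from the thread or from any extension it names: a small audit that reads an extension's manifest and flags the two things the comments above worry about, host permissions that let it read every site, and a content security policy that would let it pull script from a CDN or eval strings loaded at runtime. Manifest keys follow the Chrome/Firefox extension manifest format (MV2 `permissions` and string CSP, MV3 `host_permissions` and `content_security_policy.extension_pages`); the two sample manifests are constructed for the demo.

```javascript
// Added example (not the thread's or any extension's code): flag manifests that
// read every site or whose CSP permits remote or eval'd script. Sample manifests
// below are constructed.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// MV2 lists host match patterns under "permissions"; MV3 moves them to
// "host_permissions". Keep only entries that look like match patterns.
function hostPermissions(manifest) {
  const entries = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return entries.filter((p) => p === "<all_urls>" || p.includes("://"));
}

// MV2 keeps the CSP as a string; MV3 nests it as content_security_policy.extension_pages.
// Returns the script-src sources, or [] when the directive is absent (browser default is 'self').
function scriptSources(manifest) {
  const csp = manifest.content_security_policy;
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Returns a list of human-readable findings; an empty list means neither signal fired.
function auditManifest(manifest) {
  const findings = [];
  const broad = hostPermissions(manifest).filter((h) => BROAD_HOST_PATTERNS.has(h));
  if (broad.length) findings.push(`reads every site: ${broad.join(", ")}`);

  const sources = scriptSources(manifest);
  const remote = sources.filter((s) => s === "*" || /^https?:/.test(s));
  if (remote.length) findings.push(`script-src allows remote code: ${remote.join(", ")}`);
  if (sources.includes("'unsafe-eval'")) findings.push("script-src allows eval of runtime-loaded strings");
  return findings;
}

// Constructed manifests: one matching the worst case discussed in the thread,
// one scoped to a single site with the default CSP.
const RISKY_MANIFEST = {
  manifest_version: 2,
  name: "demo-broad",
  permissions: ["storage", "<all_urls>"],
  content_security_policy: "script-src 'self' https://cdn.example 'unsafe-eval'; object-src 'self'",
};

const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "demo-scoped",
  permissions: ["storage"],
  host_permissions: ["https://mail.example/*"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

for (const m of [RISKY_MANIFEST, SCOPED_MANIFEST]) {
  console.log(m.name, auditManifest(m));
}
```

Run it against an unpacked extension's manifest.json to see at a glance whether a compromised update or CDN would be able to reach every site you visit; a manifest that passes both checks still needs review, but one that fails them is exactly the "juicy target" the thread describes.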


Crypto wallets in web browser extensions seem like an absolutely terrible idea compared to any of my examples.
