A fun idea, but I am so hesitant to install extensions that have access to any URL. I don't know who this developer is, so how can I know they won't accept $10k to sell their extension to some malware group that will try to exfil all of my banking credentials after updating this extension?
It's worse. Even if you DO know and trust the developer, in a year or two, they're probably going to get an email from a nice man who will want to buy their extension for $10,000, and they've long gotten bored of it, so why not?
I would hope that these days the popular extension devs would know about this type of attack and would guard against it by perhaps selling the extension code but shutting down the original extension page under their control so users have to choose to install the new company's extension. As a matter of fact, why won't Google/Mozilla prevent this by making an extension and a person's account inseparable, and have legal language in the ToS that says they can't sell the extension as-is with the install base to a new company? It would prevent so much.
The offer would be $10k for the extension page, or $10 for just the code.
Google/mozilla don't add legal language because legal language doesn't make something illegal. They can say "we'll remove your extension if we find out you've sold it", but they way they'd find out would be that the extension now serves malware anyway.
That'd be interesting, but imagine how poorly it'd work given how often medium/large companies change hands. Heck, when Google itself became a subsidiary of Alphabet, it didn't require everyone to create new "Alphabet" accounts and replace Google Chrome with Alphabet Chrome.
Although...I'm not necessarily opposed to that. Companies can change names and ownership a little too easily. Making it painful might help some things.
I remember reading somewhere that, in times long past, if a company name was of the form “Johnson and Sons” (for example), it would be considered fraud to sell that company outside of the named family.
I personally think you’re on to something with tying companies to the reputation of specific natural persons, but I don’t think that is where we are going anytime soon.
>why won't Google/Mozilla prevent this by making an extension and a person's account inseparable
This can be gotten around easily by making a separate Google account for the extension. It would require using gmail rather GSuite (without transferring over the entire GSuite domain.)
That would be the right thing but browsers are not interested in adding friction to an ecosystem that already has its own rules. Extensions offer a lot of value to users witjout any effort from the browser companies
An extension like this should be relatively small. Download the source code, read it to make sure nothing bad is happening, then install it from source so it doesn't get automatically updated.
This is a good point and I haven’t read the manifest as I’m in a bit of a rush. Chrome did do a lot of work improving the manifest for conditions like this in v3. I know with webRequest you have to specify urls but not sure if there is a separation of duties here in terms of
1. Permission to operate on any url page loaded locally and being able to modify the html/insert html like the clown image
2. Being able to webRequest http outbound to <any_url> where you could exfiltrate data.
I thought there was a way to insert html into any loaded page without having access to send outbound network requests.
If that is the case that it’s separate if the chrome extension were to be sold and the manifest were changed to allow nefarious behavior you would know.
This is quite the problem with the chrome extension ecosystem. It is rife with malware. How does someone build an extension that can promise better behaviour. There doesn’t seem to be a way to restrict oneself.
