Over 15 years ago now, I had a popular Chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.
It's abundantly obvious to me now that bad actors are purchasing legitimate Chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
For the more than 10 years that I have been maintaining a reasonably popular cross-browser extension, I've been collecting various monetization offers. They simply don't stop coming: https://github.com/extesy/hoverzoom/discussions/670
It's worth reminding people that Firefox extensions that are part of Mozilla's "recommended extensions" program have been manually vetted.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.
You know, a lot of consumer cybersecurity focuses on malware, browser security, and LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.
If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.
If you buy someone's old gaming account (Steam, for example) with many years of activity, you can appear more legitimate when trading, therefore making it easier for people to trust you and fall victim to your scam(s).
I think he was just saying that it is a similar business to that. Just drawing a comparison that there is a market like selling video game accounts. Also, usually people who cheat in games will buy high-level accounts because they will be banned much faster if they start playing with new accounts for cheating. This happens in some of the games I play all the time.
Companies spend a fortune on endpoint security and then let employees install random Chrome extensions with full page access. I've seen AWS console sessions running in browsers with a dozen extensions nobody's ever audited. The extension store is basically a supply chain attack marketplace at this point.
15 years ago, this type of business was probably in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.
It's a moronic industry, waiting for the catastrophic data-theft disaster to happen before they do anything... Google is doing it, Apple did it, Zuck did it (the only hindrance Cambridge Analytica had to go over seemed to be the apps developer agreement that devs had to click to promise you won't do anything bad with the personal information of all those Facebook users...).
Which is all the more incredible, considering Blackberry (the phone company that was big before the age of iPhones or YouTube) had a permission model that allowed users to deny 3rd-party apps access to contacts, calendar, etc., etc. The app would get a PermissionDeniedException if it couldn't access something. I remember the Google Maps app for Blackberry, whose solution to that was "Please give this app all permissions or you can't use it"...
How were they supposed to know that was going to happen? You think they walked up and said, “Hi. I’m here to buy your software and hurt people with it”?
If a stranger walks up to the chef in a restaurant and offers to pay them to put some mystery stuff in the food, or someone walks up in during a surgery and asks if they can make some incisions and inject some mystery stuff, would you (as a customer of the restaurant or hospital) expect this to be allowed?
That isn’t remotely comparable. You’re asking someone to quietly alter someone else’s product, not selling the product to them. They didn’t pay him to change the extension, they bought it.
They bought the permission to make changes to customer machines that had been granted to the seller by the customer. If it's just a sale of the source code, there's no problem. But what is bought is usually the pre-existing update channel (the installed base), precisely to be able to alter the product for existing users without explicitly informing them or asking for consent.
While assuming absolutely zero bad will on your part, I would nevertheless find it fair if you were legally on the hook for whatever happened after the sale, unless you could prove that you provided reasonable means for the users of your extension to perform their due diligence on the new owner of the extension.
This is of course easy to say in hindsight, and is absolutely a requirement that should be enforced by the extension appstore, not by individual contributors such as yourself.
I wouldn't find that fair at all. Bad actors should be legally responsible for their bad actions. If I sell you a taxi business, and then all of a sudden you decide to start robbing the customers, it's not my fault, is it? And just to be clear, I had no idea if my extension was used for nefarious purposes, but in hindsight it probably was.
Customers were sold[1] a lifetime subscription to Honest Guy's taxis, and then Honest Guy does a secret deal to sell his taxi joint to Bad Guy[2] without telling any customer about it. Then customers start getting ripped off in all manner of ways, some of which they would have known to avoid if they knew their taxis were being run by Bad Guy.
[1] Of course, the issue here is that no contracts were signed.
[2] In the specific case I was replying to, there was no malice or intent to hide from you as seller. Yet, a better outcome could have been achieved by advertising the sale to those impacted.
I don't think there is any legal support for what I describe above, but in principle whenever a user signs up for Good Thing, and then gets bait-and-switched to Evil Thing, the main victim is the user, and it is fair to hold responsible everyone involved in the bait-and-switch maneuver.
Replace Honest Guy with local hospital or care home and bad guy with vulture capital, and you will find that this happens all too often; any time there's an established and captive audience, you will find vultures circling all around it.
What is fair and what is legal are very different concepts. I agree in principle with what you're saying but there is no legal basis for it - as you recognise.
No, how it should work is: each extension is associated with a private key that is registered to a specific individual or legal entity and implies some kind of liability for anything signed with that key, and if/when the key changes (or the associated credentials), users will be explicitly alerted and need to re-authenticate the plugin.
If the old owner gives their key to the new owner, then they should be on the hook for it.
I was thinking of this yesterday, as I think this is also how domains should work.
How does this safeguard against having the extension under a company and selling that company off? Still the same entity, different owners, different "incentives".