Can a malicious addon access internet history and such in chrome/firefox?
How does Chrome/Firefox make sure addons are safe? Do they have any protection against a malicious addon?
How much access can addons have? Can they access internet history or maybe even cookies and such? Do I need to worry about this?
I do have Kaspersky and Kaspersky addons but I still wonder should I still worry about addons? Considering there is nothing I can do to make sure some addons are malicious or not even if they still have an OK reputation.
web-browser chrome
edited 10 hours ago
schroeder♦
asked 11 hours ago
Mery Ted
2 Answers
Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).
Regarding your specific questions:
- The browser history can only be requested if the `history` permission is granted.
- The `cookies` permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).
Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.
For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.
answered 11 hours ago
tim
It's not clear why you have posted a link to a question which has no answer accepted.
– Pedro Lobito
3 hours ago
how does chrome/firefox make sure addons are safe?
They inspect them before publishing, and ban those found abusing their rights. But this ban can take from days to weeks.
how much access can addons have?
Addons can do anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you have given permission, for example, to read data on all websites, the addon can read data on all websites you visit.
should I still worry about addons?
Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.
What can you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.
edited 8 hours ago
answered 11 hours ago
ThoriumBR
You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.
– Daisetsu
10 hours ago
Good point, I added to my answer.
– ThoriumBR
8 hours ago
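Added example (not part of either answer above, and not code from Chrome or Firefox): a small JavaScript audit of an extension's `manifest.json` that applies the rules from the first answer (`history`, and `cookies` scoped by host permissions) and flags the all-websites access the second answer warns about. The function names and both sample manifests are constructed for illustration.

```javascript
// Added example: classify what a WebExtension manifest asks for.
// Match patterns always contain "://" or are the literal "<all_urls>".
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// A pattern is "broad" when its host part is a bare wildcard (any site).
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const host = pattern.split("://")[1].split("/")[0];
  return host === "*";
}

function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 lists them separately under "host_permissions".
  const hosts = [
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
  ];
  const api = declared.filter((p) => !isHostPattern(p));
  // Content scripts are injected into every page matching their patterns.
  const injected = (manifest.content_scripts || []).flatMap((c) => c.matches || []);

  return {
    readsHistory: api.includes("history"),
    // The cookies API only reaches cookies of hosts the extension holds.
    cookieHosts: api.includes("cookies") ? hosts : [],
    allSites: [...hosts, ...injected].some(isBroad),
    hosts,
    injected,
  };
}

// Constructed sample manifests (not real extensions).
const narrow = {
  manifest_version: 3,
  permissions: ["cookies", "storage"],
  host_permissions: ["https://example.com/*"],
};
const broad = {
  manifest_version: 2,
  permissions: ["history", "cookies", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

console.log(auditManifest(narrow));
console.log(auditManifest(broad));
```

The audit only covers permissions declared for install time; anything listed under `optional_permissions` is not inspected here.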