Can a malicious addon access internet history and such in chrome/firefox?












11















How does Chrome/Firefox make sure addons are safe? Do they have any protection against a malicious addon?



How much access can addons have? Can they access internet history or maybe even cookies and such? Do I need to worry about this?



I do have Kaspersky and Kaspersky addons but I still wonder should I still worry about addons? Considering there is nothing I can do to make sure some addons are malicious or not even if they still have an OK reputation.










share|improve this question









New contributor




Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

























    11















    How does Chrome/Firefox make sure addons are safe? Do they have any protection against a malicious addon?



    How much access can addons have? Can they access internet history or maybe even cookies and such? Do I need to worry about this?



    I do have Kaspersky and Kaspersky addons but I still wonder should I still worry about addons? Considering there is nothing I can do to make sure some addons are malicious or not even if they still have an OK reputation.










    share|improve this question









    New contributor




    Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      11












      11








      11








      How does Chrome/Firefox make sure addons are safe? Do they have any protection against a malicious addon?



      How much access can addons have? Can they access internet history or maybe even cookies and such? Do I need to worry about this?



      I do have Kaspersky and Kaspersky addons but I still wonder should I still worry about addons? Considering there is nothing I can do to make sure some addons are malicious or not even if they still have an OK reputation.










      share|improve this question









      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      How does Chrome/Firefox make sure addons are safe? Do they have any protection against a malicious addon?



      How much access can addons have? Can they access internet history or maybe even cookies and such? Do I need to worry about this?



      I do have Kaspersky and Kaspersky addons but I still wonder should I still worry about addons? Considering there is nothing I can do to make sure some addons are malicious or not even if they still have an OK reputation.







      web-browser chrome






      share|improve this question









      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 10 hours ago









      schroeder

      78k30173209




      78k30173209






      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 11 hours ago









      Mery TedMery Ted

      563




      563




      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          2 Answers
          2






          active

          oldest

          votes


















          13














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:




          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).


          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer
























          • It's not clear why you have posted a link to a question which has no answer accepted.

            – Pedro Lobito
            3 hours ago





















          4















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer





















          • 2





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            10 hours ago











          • Good point, I added to my answer.

            – ThoriumBR
            8 hours ago











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "162"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-addon-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          13














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:




          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).


          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer
























          • It's not clear why you have posted a link to a question which has no answer accepted.

            – Pedro Lobito
            3 hours ago


















          13














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:




          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).


          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer
























          • It's not clear why you have posted a link to a question which has no answer accepted.

            – Pedro Lobito
            3 hours ago
















          13












          13








          13







          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:




          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).


          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer













          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:




          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).


          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 11 hours ago









          timtim

          24.2k668102




          24.2k668102













          • It's not clear why you have posted a link to a question which has no answer accepted.

            – Pedro Lobito
            3 hours ago





















          • It's not clear why you have posted a link to a question which has no answer accepted.

            – Pedro Lobito
            3 hours ago



















          It's not clear why you have posted a link to a question which has no answer accepted.

          – Pedro Lobito
          3 hours ago







          It's not clear why you have posted a link to a question which has no answer accepted.

          – Pedro Lobito
          3 hours ago















          4















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer





















          • 2





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            10 hours ago











          • Good point, I added to my answer.

            – ThoriumBR
            8 hours ago
















          4















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer





















          • 2





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            10 hours ago











          • Good point, I added to my answer.

            – ThoriumBR
            8 hours ago














          4












          4








          4








          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer
















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 8 hours ago

























          answered 11 hours ago









          ThoriumBRThoriumBR

          23.9k75773




          23.9k75773








          • 2





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            10 hours ago











          • Good point, I added to my answer.

            – ThoriumBR
            8 hours ago














          • 2





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            10 hours ago











          • Good point, I added to my answer.

            – ThoriumBR
            8 hours ago








          2




          2





          You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

          – Daisetsu
          10 hours ago





          You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

          – Daisetsu
          10 hours ago













          Good point, I added to my answer.

          – ThoriumBR
          8 hours ago





          Good point, I added to my answer.

          – ThoriumBR
          8 hours ago










          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.













          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.












          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-addon-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀