- https://github.com/beaufortfrancois/extensions-update-notifi...
And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)
- brave://flags/#brave-extension-network-blocking
You can then create custom rules to filter extension traffic under brave://settings/shields/filters
e.g.:
! Obsidian Web
*$domain=edoacekkjanmingkbkgjndndibhkegad
@@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad
- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually

I’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions m x p x r x e times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browsers or Chromium derivatives.)
This could probably be automated though if someone wanted to tackle it. git pull, agentic code review, auto-build from source, install.
> Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
This is a great idea. Are there any deterministic tools to audit an extension codebase?

See also:
- [0-Days (red.anthropic.com)](https://red.anthropic.com/2026/zero-days/)
EDIT: The main challenge here is more likely to be the noise, as the LLM is more likely to flag too much than too little, so I'd recommend putting together a prompt that has it group whatever it finds by severity and likelihood of malicious intent.
EDIT 2: Re Anthropic link above – worth pointing out that finding intentionally introduced malware when you have access to the source code and git history is a hell of a lot easier than finding a 0-day. The malware has to exfil data eventually or do ransomware stuff, good luck hiding that without raising the alarm, plus any attempt at aggressive obfuscation will raise the alarm on its own. I'm not saying it's impossible, I am saying that I think it's very very hard.
https://docs.npmjs.com/trusted-publishers#automatic-provenan...
Also, if the upstream developer goes malicious there is a good chance at least one of the distro maintainers will notice and both prevent the bad source code from being built for the distro & notify others.
Same argument can be applied to all closed source software.
In the end it's about who you trust and who needs to be verified, and that is relative, subjective, and contextual... always.
So unless you can read the source code and compile yourself on a system you built, on an OS you also built from source, on a machine built before server management backdoors were built into every server... you are putting your trust somewhere and you cannot really validate it beyond wider public perceptions.
Extensions are local files on disk. After installing it, you can audit it locally.
I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it.
On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone.
Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted.
I'm currently in the process of setting that up for the one I'm building (because this transparency is very important to me), and it is a pain in the butt to do so. You have to go through a few verification processes at Google to get the keys approved.
"Don't trust Google" imo is the wrong response here. We are at the mercy of our institutions, and if they are failing us we need mechanisms to keep them in check.
Cars are under quite strict laws that software isn't. And there is only a small number of car vendors, while there are several orders of magnitude more extension vendors. Also a car vendor is a big company with many audits and controls, an extension "vendor" could just be some guy in his garage office, who just sold it to scammers, even for popular extensions.
And I still wouldn't trust a modern car using subscriptions and code updates.
Straw man. The argument is that by installing random extensions you trust anonymous developers *because* Google doesn't audit. I'll cite the parent to spare you the effort of reading it again:
> The Chrome Web Store is basically unregulated and Google doesn't care.
Yes, I trust the contents of the medicine I buy at the drug store more than I trust the drug dealer on the corner. That's why they hand out test kits for free at raves.
[0] https://chromewebstore.google.com/detail/aws-colorful-navbar...
How far does your principle extend? To your web browser too? Google Chrome itself is partly but not entirely open source. Your operating system? Only Linux? Mac and Windows include closed source.
On the other hand, it's not that implausible either that someone might be running Google Chrome, Windows, Mac, etc. We know that many HN commenters do. Thus, while the OP may be 100% consistent, "I only run open source extensions that I can actually audit" would not be a consistent principle for those who also use closed source software.
What's the reasoning behind it, though?
You can arbitrarily apply different policies to different things, but there's no rhyme or reason to that.
If the difference ultimately comes down to trusting certain developers to an extent that you don't need to audit their source, then I'm not sure why that couldn't also be true of certain extension developers.
Because let's get real, no one ever gets a job in tech if they're not an iPhone user right?
https://kaveh.page/snippets/chrome-extensions-source-code
Even a tiny extension like this one I wrote with 2k users gets buyout offers all the time to turn it into malware: https://chromewebstore.google.com/detail/one-click-image-sav...
I'd either go ahead and talk to her and remove extensions altogether and ask her to have stock/only open source extensions (yes, open source also has supply issues, but it's infinitely more manageable than this), or the second option being to maybe create them yourself. I don't know about how Chrome works (I use Firefox), but one thing that you can do is, if the thing is simple for your daughter, then just vibe code it and use Tampermonkey (heck, even open source it) and then audit the code written by it yourself if you want better security.
Nowadays I really just end up creating my own extensions with Tampermonkey before using any proprietary extension. With Tampermonkey, the cycle actually feels really simple (click edit, paste, etc.) and even a single glance at the code can show any security errors for basic stuff, and it's one of the few use cases of (AI?) in my opinion.
The only extension I trust enough to install on any browser is uBlock Origin.
I'd also note that all this spam is via the public email address you're forced to add to your extension listing by Google. I don't think I've ever had a single legitimate email sent to it. So yeh, thanks Google.
[1] https://chromewebstore.google.com/detail/old-reddit-redirect...
This realization made me distrust any system where it is even possible to sell out. In order for a system to be trustworthy, it must be impossible for this sort of exploitation to ever occur, no matter how much money they put on the table.
Know that you are truly appreciated by many.
Thank you for not doing so.
It's easy to see how many people in less advantaged positions would end up selling out, though.
I used to have tree-style tab, but now firefox has got native support for vertical tabs so I don't need to install anything extra.
Installing new extensions is sometimes appealing, but the risk is just too high.
Unfortunately, the huge conflicts of interest make this unrealistic. Can't trust developers funded by ad money to develop an ad blocker.
Note however that the origin of uBlock Origin is that the developer Raymond Hill transferred control of the original uBlock project to someone who turned out not to be trustworthy, and thus Hill had to fork it later.
"u": "https://www.google.com/search?q=target",
indicates that they are capturing tons of authentication tokens. So this goes way beyond just spying on your browser history.

Considering the barriers they build to prevent adblockers, that doesn't shine a good light on them.
Multiple regulators should sue Google for putting users at risk by failing to protect users from malicious code before publishing Chrome extensions and Android apps.
To find the list of decided malicious extensions, I can imagine that a github repository where people can create issues about the lack of safety (like imagine some github repo where this case could've also been uploaded) and people could discuss and then a .txt/json file could be there in the repo which gets updated every time an extension is confirmed to be malicious.
Thoughts?
Edit: (To take initiative?) I have created a git repo with this https://github.com/SerJaimeLannister/unsafe-extensions-list but I would need some bootstrap list of malicious extensions. I know nothing about this field and the only extension I can add is this one maybe, but maybe someone can fork this idea (who is more knowledgeable within the extension community space) or perhaps they can add entries into it.
Edit 2: Looks like qcontinuum actually has a github repo, and I hadn't read the article when I had written the comment, but it's not 1 extension but rather 287 extensions and they have mentioned all of them in their git repo
https://github.com/qcontinuum1/spying-extensions
So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?
We might do it once. That requires non-trivial engineering effort and resources and we are at the moment short on both of those.
I am curious, but wouldn't this effort be better if more people outside who are interested in investing their own resources for the safety of a better internet could help you out in such an endeavour? So essentially they can also help you out in such a task, essentially creating an open source-ish committee/list which can decide it.
I do feel like if resources are something in short, then actually doing such would be even more beneficial, right? What are your thoughts on it?
(Tangent if you actually do this: this might become a cat and mouse game if the person with the malicious extension, say, reads the github repo and sees their extension in it before people can conclude it's malicious. But I am imagining a github action which can calculate the hash and download link and everything (essentially archiving a state of the extension), and then people can be freed from the game as well. So this might help a lot in future if you actually implement it.)
Any tool that would be open sourced or community driven for extension scanning will be with enough time used by bad actors to evade the scans. That is also why we don't share the code for this research as it would only speed up this process.
But I feel like then the (bottleneck?) [which I don't mean in a bad way] would be the team where the attackers might still be infinitely more which can exhaust your resources which you mention as such.
Also, are there any other teams working on this? Thoughts on collaborating with anyone in the security field?
Maybe if a direct detailed discussion can't happen then just as how you released the list of these extensions, you can release extensions in future too as you detect them
Do you feel as if an LLM-generated, vibe-coded extension (with some basic reading of the code to just get an idea and see if there are any bad issues) would be safer than a random extension in Firefox/Chrome in general? Given one is a black box (closed source) generated by a human and the other is open code generated by a black box.
Looking at my own installed extensions, I have a password manager, Privacy Badger and Firefox Multi-Account Containers, which I suppose are the three I really need. Then I have one that puts the RSS icon back in the address bar, because Mozilla feels that RSS is less important than having the address bar show me special dates, and two that remove very specific things: one for cookie popups and one for removing sign in with Google.
The only one of these I feel should actually be a plugin is my password manager. Privacy management (including cookies), RSS and containers could just be baked into Firefox. All of those seem more relevant to me than AI.
Maybe adding a GreaseMonkey lite could fix the rest of my problem, using code I write and control.
You could use an adblocker rule instead:
||accounts.google.com/gsi/client$script
(I’m not sure if it’s possible to do that with Privacy Badger though)

Heads up, full blocking of "accounts.google.com" will break some login pages entirely. But it is a good domain to fully block as long as you're comfortable using the "Disable for this site" button when something goes wrong.
I want to block ads, block trackers, auto-deny tracking, download videos, customize websites, keep videos playing in the background, change all instances of "car" to "cat" [1], and a whole bunch of weird stuff that probably shouldn't be included in the browser by default. Just because the browser extension system is broken it doesn't mean that extensions themselves are a problem - if anything, I wish people would install more extensions, not less.
find "$HOME/Library/Application Support/Google/Chrome" \
-type d -path "*/Extensions/*" -not -path "*/Extensions/*/*" \
-print 2>/dev/null | sed 's#.*/Extensions/##' | sort -u
Compare to the list of bad extensions. I stuck a stripped down list here... https://www.sfbaylabs.org/files2/2026-02-11/chrome_extensions_exfiltrating_history.txt https://www.sfbaylabs.org/files2/2026-02-11/bad_browser_extension_check_osx.sh
You can run it directly if you cut/paste this in your mac terminal... curl -fsSL https://www.sfbaylabs.org/files2/2026-02-11/bad_browser_extension_check_osx.sh | bash

Not that I don't trust you, but between now and when someone stumbles on this thread, your domain could expire and I could publish something crazy at that url.
But I'll add a caveat to my original comment as well.
edit: Looks like I can't edit my original comment anymore.
https://addons.mozilla.org/en-US/firefox/addon/wikibuy-for-f...
Pepperidge farm remembers.
1. Go to chrome://extensions and toggle Developer mode on (so IDs are visible)
2. Select all text on the page with your mouse and copy
3. Paste it into the tool
It parses the IDs and warns you if any are among the 287 spyware extensions.
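As an added example (not the commenter's tool, and not the sfbaylabs script linked above), the following POSIX shell script combines the two approaches from this thread: it enumerates extension IDs from a Chrome user-data directory (reusing the `find` pipeline posted earlier, with the macOS path as the default), pulls IDs out of text pasted from chrome://extensions, and flags any that appear in a blocklist file. It assumes the blocklist holds one 32-character extension ID per line, optionally followed by notes; the blocklist and directory tree in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the thread's script. Chrome extension IDs are 32 characters
# drawn from the letters a-p, which is what the regex below keys on.
set -eu

# Print the IDs of extensions installed under a Chrome user-data directory ($1).
# Defaults to the macOS path used earlier in the thread. Only directory names
# directly below an Extensions/ folder count, and anything that is not a
# well-formed ID (e.g. a Temp/ folder) is dropped.
installed_ids() {
  base="${1:-$HOME/Library/Application Support/Google/Chrome}"
  find "$base" -type d -path "*/Extensions/*" -not -path "*/Extensions/*/*" 2>/dev/null \
    | sed 's#.*/Extensions/##' \
    | grep -E '^[a-p]{32}$' \
    | sort -u
}

# Pull IDs out of free-form text on stdin, e.g. a copy of chrome://extensions
# with Developer mode on (which shows "ID: <id>" under each extension).
ids_from_text() {
  grep -oE '[a-p]{32}' | sort -u
}

# Read IDs on stdin and print those that also appear in blocklist file $1.
# Assumption: one ID per blocklist line, optionally followed by notes; comment
# and blank lines are ignored because they contain no 32-letter ID.
flag_bad() {
  [ -r "$1" ] || { echo "blocklist $1 is not readable" >&2; return 1; }
  pats=$(mktemp)
  grep -oE '[a-p]{32}' "$1" | sort -u > "$pats" || true
  grep -Fx -f "$pats" || true   # an empty pattern file matches nothing
  rm -f "$pats"
}

# Number of IDs on stdin that are in blocklist $1 (0 when none match).
count_bad() {
  flag_bad "$1" | wc -l | tr -d ' '
}

# Usage: sh check_ext.sh BLOCKLIST [CHROME_USER_DATA_DIR]
# Prints the installed extension IDs that are on the blocklist.
if [ "$#" -ge 1 ]; then
  installed_ids "${2:-}" | flag_bad "$1"
fi
```

For the paste workflow, pipe the copied page through `ids_from_text` before `flag_bad`; for a Linux profile, pass `~/.config/google-chrome` as the second argument. The script only reports membership in whatever list you feed it, so the list itself is the part worth keeping current.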
curious to know: 1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research 2- if this kind of research is your primary focus? 3- if there are other ways that financial support can be provided other than through xrp or btc?
i tried to look up your profiles but wasn't able to find where you were all from, so wishing you well wherever you are in the world. :)
> 1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research
The group is not very large and it took a few months of non-continuous work.
> 2- if this kind of research is your primary focus?
At the moment it is not very clear if we will do followup on this topic or not as explained in different comment. At the moment yes, the group is new.
> 3- if there are other ways that financial support can be provided other than through xrp or btc?
No, at the moment. We would like to remain anonymous, at least for now.
There are resource constraints. Those extensions try to actively detect if you are in developer mode. It took us a while to avoid such measures, and we are certain we missed many extensions due to, for example, usage of a Docker container. Ideally you want to use an env as close to the real one as possible.
Without infrastructure this doesn't scale.
The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.
https://output.jsbin.com/gihukasezo/
or
https://jsfiddle.net/9kLsv3xm/latest/
or
We focus a lot on blocking data collection and spyware.. but not enough about what happens after the data is already collected/stolen and baked into your algorithmic identity. So much of our data is already out there.
I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.
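The "unpack the .crx and look at the code" step above relies on the CRX container format, so here is an added example (not the commenter's patch or tooling) that carves the zip archive out of a downloaded .crx in plain POSIX shell. It handles the CRX3 layout (magic "Cr24", little-endian u32 version 3, u32 header length, header, zip) and the older CRX2 layout (version 2, u32 public-key length, u32 signature length, key, signature, zip); the test files are constructed, not real extensions.

```shell
#!/bin/sh
# Added example, not code from the thread: locate and carve out the zip archive
# inside a .crx so it can be unpacked and read before it is loaded unpacked.
# CRX3: "Cr24" | u32 version=3 | u32 header_len | header | zip
# CRX2: "Cr24" | u32 version=2 | u32 pubkey_len | u32 sig_len | pubkey | sig | zip
# All integers are little-endian.
set -eu

# Read the 4-byte little-endian unsigned integer at byte offset $2 of file $1.
# Decoding byte by byte keeps this independent of the host's endianness.
le32() {
  set -- $(od -An -t u1 -j "$2" -N 4 "$1")
  echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Print the byte offset at which the embedded zip starts, or fail if the file
# is not a CRX2/CRX3 package.
crx_zip_offset() {
  f="$1"
  [ "$(head -c 4 "$f")" = "Cr24" ] || { echo "$f: not a CRX file" >&2; return 1; }
  case "$(le32 "$f" 4)" in
    3) echo $(( 12 + $(le32 "$f" 8) )) ;;
    2) echo $(( 16 + $(le32 "$f" 8) + $(le32 "$f" 12) )) ;;
    *) echo "$f: unsupported CRX version" >&2; return 1 ;;
  esac
}

# Copy the zip payload of CRX $1 to $2 and print the offset it was carved at.
crx_to_zip() {
  off=$(crx_zip_offset "$1")
  tail -c +$(( off + 1 )) "$1" > "$2"   # tail -c +N starts at byte N (1-based)
  echo "$off"
}

# Usage: sh crx_to_zip.sh extension.crx extension.zip && unzip -d extension extension.zip
if [ "$#" -eq 2 ]; then
  crx_to_zip "$1" "$2"
fi
```

After unzipping, `diff -r` against a checkout of the extension's published repository (as suggested elsewhere in the thread for .xpi files) shows whether the store build matches the source; the CRX3 header also carries the signatures that the browser verifies, which this script deliberately skips over rather than validates.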
be scoped, meaning only allowed to read/access when you visit a particular domain whitelist (controlled by the user)?
be forced (by the extension API) to have a clear non-obfuscated feed of whatever they send that the user can log and/or tap onto and watch at any time?
If not, I wouldn't touch them with a 10000ft pole.
Yes. Not usually user-controllable though.
> be forced to have a clear non-obfuscated feed
Kinda. You can usually open a devtools instance that shows whatever the extension is doing. But you can’t enforce it to not obfuscate the network requests though (you’d have to make extensions non-Turing complete).
You could mitigate some of these issues by vetting the extensions harder before letting them into the stores. Mozilla requires all extensions to have a readable source code, for example.
So it's completely impossible that such malicious extensions still exist.
(may contain sarcasm)
https://news.ycombinator.com/item?id=17447816
I'd assumed most people would have jumped ship to Stylus [1] after that, but most people probably never heard anything about what Stylish was/is doing.
[1] https://chromewebstore.google.com/detail/stylus/clngdbkpkpee...
I guess I shouldn't be surprised at how many use "LibreOffice" or other legit company names to lend legitimacy to themselves. I'm wondering if companies like Zoom don't audit the extension store for copyright claims.
I for sure used to use Video Downloader PLUS when I still used chrome (and before youtube-dl)
The biggest problem here is that "We" does not refer to Google itself, who are supposed to be policing their own Chrome Web Store. One of the most profitable corporations in world history is totally negligent.
Play Store pages for all 3 list strong assurances about how the developer declares no data is being sold to third parties, or collected unrelated to the item's core functionality.
Brave Web browser (runapps.org) https://chromewebstore.google.com/detail/mmfmakmndejojblgcee...
Handbrake Video Converter (runapps.org) https://chromewebstore.google.com/detail/gmdmkobghhnhmipbppl...
JustParty: Watch Netflix with Friends (JustParty.io) https://chromewebstore.google.com/detail/nhhchicejoohhbnhjpa...
My open question to Google is: What consequences will these developers face for lying to you and your users, and why should I have any faith at all in those declarations?
When I was the CTO in a previous role, SimilarWeb approached us. I read through the code snippet they gave us to inject onto our site. It was a sophisticated piece of borderline spyware that didn't care about anyone in the entire line of sight - including us. They not only were very persistent, they also had a fight with our management - for refusing to use their snippet. They wanted our data so bad (we had very high traffic at the time). All we wanted was decent analytics for reporting to senior management and Google had just fucked up with their GA4 migration practices. I switched them to Plausible.io and never looked back. It was the least I could do, we had to trade-off so many data points in comparison to GA, but still works flawlessly till date. Fuck SimilarWeb.
>Before installing, make each user click a checkbox what access the extension has
However, as I've seen on android, updates do happen, and you are not asked if new permissions are granted. (Maybe they do ask, but this is after an update automatically is taken place, new code is installed)
Here are the two solutions I have, neither are perfect:
>Do not let updates automatically happen for security reasons. This prevents a change in an App becoming malware, but leaves the app open to Pegasus-like exploits.
>Let updates automatically happen, but leaves you open to remote, unapproved installs.
No need for such complicated attacks /s
Chrome/Google/Alphabet is spying on 100% of their users.
Quit using Alphabet stuff, and your exploitation factor goes down a LOT.
And why does this site have no scrollbar?? WTF, is web design finally that broken?
Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:
scrollbar-width: thin;
scrollbar-color: rgb(219,219,219) rgb(255,255,255);

This whole article is a bit too superficial for me.
In particular, look for the diagram provided by a data vendor showing this in action.
As with safebrowsing and adblocking extensions, there is no need to send data to servers.
Many groups of smart people have developed client-side and/or privacy-preserving implementations that have worked with high effectiveness for decades.
Unfortunately, many other groups have also financial incentives to not care about user privacy, so they go the route shown in the research.
Yes, obviously that is possible, but the least one should do then is look up what's really happening. These are browser addons; the source code is available. But instead they are looking from the outside and raising the alarm on something they don't understand. That's just poor behaviour and harmful in today's climate.
Full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.
What happens server-side is also confirmed by the palant.info article that shows a graphic provided by a major data broker that shows exactly how they mis-use data collected by extensions under false pretenses.
It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.
It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
Updates must also be vetted before being made available.
You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.
If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.
Which is all the more incredible, considering Blackberry (the phone company that was big before the age of iPhones or YouTube) had a permission model that allowed users to deny 3rd-party apps access to contacts, calendar, etc, etc. The app would get a PermissionDeniedException if it couldn't access something. I remember the Google Maps app for Blackberry, whose solution to that was "Please give this app all permissions or you can't use it"...
And we don't know if the new owner changed anything or if anybody at all got hurt by that. We do know you rudely insulted the parent, however.
So. It's not suspicious. But you can rest assured as a customer it isn't good news
(that doesn't make it wrong to sell ofc)
This is of course easy to say in hindsight, and is absolutely a requirement that should be enforced by the extension appstore, not by individual contributors such as yourself.
[1] Of course, the issue here is that no contracts were signed.
[2] In the specific case I was replying to, there was no malice or intent to hide from you as seller. Yet, a better outcome could have been achieved by advertising the sale to those impacted.
I don't think there is any legal support for what I describe above, but in principle whenever a user signs up for Good Thing, and then gets bait-and-switched to Evil Thing, the main victim is the user, and it is fair to hold responsible everyone involved in the bait-and-switch maneuver.
At least there are individual states actually responding to this malpractice: https://pestakeholder.org/reports/2025-state-healthcare-poli...
If the old owner gives their key to the new owner, then they should be on the hook for it. I was thinking of this yesterday, as I think this is also how domains should work.