Can a malicious add-on access internet history and such in Chrome/Firefox?Danger of browser extension without any permissions?How can I assess the trust worthiness of a browser add-on? Are official browser add-ons really safe?Password management in Firefox, Chrome and SafariIs Adblock (Plus) a security risk?are chrome extensions in the Chrome store generally safe?Spoofing random browser information to defend against fingerprintingFirefox password manager and Firefox SyncChrome users and malicious extensionsHow secure is our privacy when using third party addons and extensions?Can malicious Javascript in local HTML -file send files to internet in Firefox/Chrome?

How do I go from 300 unfinished/half written blog posts, to published posts?

Why escape if the_content isnt?

India just shot down a satellite from the ground. At what altitude range is the resulting debris field?

Tiptoe or tiphoof? Adjusting words to better fit fantasy races

How can I kill an app using Terminal?

Is exact Kanji stroke length important?

Purchasing a ticket for someone else in another country?

How to write papers efficiently when English isn't my first language?

How does Loki do this?

How did Doctor Strange see the winning outcome in Avengers: Infinity War?

How easy is it to start Magic from scratch?

Are student evaluations of teaching assistants read by others in the faculty?

How can a function with a hole (removable discontinuity) equal a function with no hole?

Detecting if an element is found inside a container

Unreliable Magic - Is it worth it?

Is `x >> pure y` equivalent to `liftM (const y) x`

What is the intuitive meaning of having a linear relationship between the logs of two variables?

Avoiding estate tax by giving multiple gifts

Do all network devices need to make routing decisions, regardless of communication across networks or within a network?

How to check is there any negative term in a large list?

Anatomically Correct Strange Women In Ponds Distributing Swords

Is this apparent Class Action settlement a spam message?

Is a stroke of luck acceptable after a series of unfavorable events?

How to be diplomatic in refusing to write code that breaches the privacy of our users



Can a malicious add-on access internet history and such in Chrome/Firefox?


Danger of browser extension without any permissions?How can I assess the trust worthiness of a browser add-on? Are official browser add-ons really safe?Password management in Firefox, Chrome and SafariIs Adblock (Plus) a security risk?are chrome extensions in the Chrome store generally safe?Spoofing random browser information to defend against fingerprintingFirefox password manager and Firefox SyncChrome users and malicious extensionsHow secure is our privacy when using third party addons and extensions?Can malicious Javascript in local HTML -file send files to internet in Firefox/Chrome?













18















How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)










share|improve this question









New contributor




Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    18















    How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



    How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



    I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



    EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)










    share|improve this question









    New contributor




    Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      18












      18








      18








      How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



      How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



      I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



      EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)










      share|improve this question









      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.












      How does Chrome/Firefox make sure add-ons are safe? Do they have any protection against a malicious add-on?



      How much access can add-ons have? Can they access internet history or maybe even cookies and such and send them to a server? Do I need to worry about this?



      I do have Kaspersky and Kaspersky add-ons but I still wonder should I still worry about add-ons? Considering there is nothing I can do to make sure some add-ons are malicious or not even if they still have an OK reputation.



      EDIT: bonus question, if an addon says it can read the data on websites you visit, does it mean it can know which websites I visit and technically can send them to a server and basically record my history this way ? (considering many adblockers and such addons have this permission)







      web-browser chrome firefox






      share|improve this question









      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited yesterday







      Mery Ted













      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 days ago









      Mery TedMery Ted

      9115




      9115




      New contributor




      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Mery Ted is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          2 Answers
          2






          active

          oldest

          votes


















          26














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer























          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            yesterday












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            yesterday












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            yesterday











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            yesterday












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            yesterday



















          9















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer




















          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            2 days ago











          • Good point, I added to my answer.

            – ThoriumBR
            2 days ago






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            yesterday












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            yesterday












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            yesterday










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.









          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-add-on-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          26














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer























          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            yesterday












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            yesterday












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            yesterday











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            yesterday












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            yesterday
















          26














          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer























          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            yesterday












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            yesterday












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            yesterday











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            yesterday












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            yesterday














          26












          26








          26







          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.






          share|improve this answer













          Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).



          Regarding your specific questions:



          • The browser history can only be requested if the history permission is granted.

          • The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

          Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.



          For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 2 days ago









          timtim

          24.3k669102




          24.3k669102












          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            yesterday












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            yesterday












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            yesterday











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            yesterday












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            yesterday


















          • Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

            – Mery Ted
            yesterday












          • also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

            – Mery Ted
            yesterday












          • @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

            – tim
            yesterday











          • @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

            – tim
            yesterday












          • so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

            – Mery Ted
            yesterday

















          Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

          – Mery Ted
          yesterday






          Thanks for answer, so when you say if permission is granted, do you mean during installation I will be met with a "pop up" that asks me if I'm OK with granting that addon to my history? and if no such popup occurs then it means that addon has no access to history? (I'm asking this because I have never encountered with such popup during installation of my addons)

          – Mery Ted
          yesterday














          also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

          – Mery Ted
          yesterday






          also a bonus question if you have time to answer: what about sending the visited site url/content to their server immediately after visiting without accessing the history, is this possible for them?

          – Mery Ted
          yesterday














          @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

          – tim
          yesterday





          @MeryTed Exactly. It should ask during installation. Chrome eg uses a popup which says "Add [extension]? It can: [permissions; eg 'Read and change all your data on the websites you visit']", Firefox says "Add [extension]? It requires permission to: [...]". What browser are you using?

          – tim
          yesterday













          @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

          – tim
          yesterday






          @MeryTed If the permission to history and/or "access/read data on websites you visit" or similar isn't granted, extensions should imho have no primary way to see which websites you visit (there may be side-channels which leak this, but this probably wouldn't leak this to just extensions, but any website, see eg here; extensions may have a bit more options, so the possibility of such an issue may be a bit more likely as compared to websites).

          – tim
          yesterday














          so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

          – Mery Ted
          yesterday






          so if an addon says it can read data on websites I visit it means it knows which sites I visit and it could technically send it to their server and basically record my history this way? (for example Netcraft Extension addon) (I also use chrome mostly)

          – Mery Ted
          yesterday














          9















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer




















          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            2 days ago











          • Good point, I added to my answer.

            – ThoriumBR
            2 days ago






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            yesterday












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            yesterday












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            yesterday















          9















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer




















          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            2 days ago











          • Good point, I added to my answer.

            – ThoriumBR
            2 days ago






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            yesterday












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            yesterday












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            yesterday













          9












          9








          9








          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.






          share|improve this answer
















          how does chrome/firefox make sure addons are safe?




          They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.




          how much access can addons have?




          Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.




          should I still worry about addons?




          Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.



          What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 days ago

























          answered 2 days ago









          ThoriumBRThoriumBR

          24.2k75873




          24.2k75873







          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            2 days ago











          • Good point, I added to my answer.

            – ThoriumBR
            2 days ago






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            yesterday












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            yesterday












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            yesterday












          • 3





            You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

            – Daisetsu
            2 days ago











          • Good point, I added to my answer.

            – ThoriumBR
            2 days ago






          • 1





            "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

            – Lightness Races in Orbit
            yesterday












          • So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

            – Mery Ted
            yesterday












          • I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

            – allo
            yesterday







          3




          3





          You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

          – Daisetsu
          2 days ago





          You may want to add the caveat that extensions request specific permissions. They don't get full access unless they request that and the user approved it at install.

          – Daisetsu
          2 days ago













          Good point, I added to my answer.

          – ThoriumBR
          2 days ago





          Good point, I added to my answer.

          – ThoriumBR
          2 days ago




          1




          1





          "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

          – Lightness Races in Orbit
          yesterday






          "If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty." That's a scandalous claim. Do you have any evidence for this? A study showing the proportion of resold addons that have turned "nasty"? The linked article is interesting but is not sufficient evidence that "the chances are pretty high".

          – Lightness Races in Orbit
          yesterday














          So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

          – Mery Ted
          yesterday






          So basically if during installation I don't encounter any pop up about permissions of that addons then it means it don't have access to history and etc correct? (because I have never encountered such pop up during installation of my addons in chrome/firefox)

          – Mery Ted
          yesterday














          I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

          – allo
          yesterday





          I do not know any sold addon, which did not add something nasty, as long as you let adding tracking and adding advertising count as nasty.

          – allo
          yesterday










          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.









          draft saved

          draft discarded


















          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.












          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.











          Mery Ted is a new contributor. Be nice, and check out our Code of Conduct.














          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206061%2fcan-a-malicious-add-on-access-internet-history-and-such-in-chrome-firefox%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -chrome, firefox, web-browser

          Popular posts from this blog

          Frič See also Navigation menuinternal link

          Identify plant with long narrow paired leaves and reddish stems Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?What is this plant with long sharp leaves? Is it a weed?What is this 3ft high, stalky plant, with mid sized narrow leaves?What is this young shrub with opposite ovate, crenate leaves and reddish stems?What is this plant with large broad serrated leaves?Identify this upright branching weed with long leaves and reddish stemsPlease help me identify this bulbous plant with long, broad leaves and white flowersWhat is this small annual with narrow gray/green leaves and rust colored daisy-type flowers?What is this chilli plant?Does anyone know what type of chilli plant this is?Help identify this plant

          fontconfig warning: “/etc/fonts/fonts.conf”, line 100: unknown “element blank” The 2019 Stack Overflow Developer Survey Results Are In“tar: unrecognized option --warning” during 'apt-get install'How to fix Fontconfig errorHow do I figure out which font file is chosen for a system generic font alias?Why are some apt-get-installed fonts being ignored by fc-list, xfontsel, etc?Reload settings in /etc/fonts/conf.dTaking 30 seconds longer to boot after upgrade from jessie to stretchHow to match multiple font names with a single <match> element?Adding a custom font to fontconfigRemoving fonts from fontconfig <match> resultsBroken fonts after upgrading Firefox ESR to latest Firefox