The Quick Note Chrome extension from Diigo (now removed) submits every URL visited to a third-party server and those URLs are then crawled the next day.
We just switched our 25-member customer service team to Chromeboxes and were very concerned to find soon after that an EC2-based crawler was querying private URLs of our platform.
Because the Chrome Web Store had not banned bad actors like Diigo, we have now blacklisted all Chrome extensions except for a very small number that I personally approve. Rather than feeling that ChromeOS was improving our security, we had our chief software architect spend most of the weekend figuring out who was targeting our platform. (All queries received 404 errors, but we remained concerned whether the rogue extension could read the submitted form credentials or the cookie store to get access.)
Rogue extensions are wasting a huge amount of time and destroying trust in the Chrome platform. Here's some more detail on similar stories about Diigo:
Sounds like it's the same as Google's previous clampdowns on rogue extensions - they removed a few high-profile offenders, put out a press release about it, and left a whole load of malicious extensions untouched even though they'd been repeatedly reported.
A good thing would probably be to have a way to see the requests triggered by installed extensions. Even checking this list once in a while and manually reporting the suspicious ones with a "report" button would make these rogue extensions almost worthless.
That would be pretty nice. I tend to have half a dozen extensions loaded, mostly dev extensions from trusted sources. I've also used the source versions of a few as well.
I think one of the worst things to me is the number of drive-by installers that now target Chrome, Firefox and IE with malware extensions, or transparent proxies. I saw one on a friend's son's computer and mainly noticed because there were additional ads on Amazon's site. Sometimes I think we should bring back outlaw (dead or alive) status for certain classes of criminal dregs on society... Then I think about where the likes of Snowden would fall from the government's perspective and think it over again.
Just a guess but can you see those in the DevTools on the Network tab? Needs to be open before you load the page. I'd check but I don't have any extensions installed except WTF and the WebGL Inspector.
This depends on what/how the extension is accessing the network. They have a background page and they can inject scripts on visited pages. If they are injecting scripts which then make the requests then it would show up in the DevTools on the page you are visiting, but this is uncommon.
Instead it is far more likely for the extension to make the requests from their background page (which has elevated permissions) which is essentially its own page with its own inspector. You can inspect each extension individually by going to your extension listing, enabling developer mode and inspecting the background page of the extension you suspect.
You can see EFF PrivacyBadger code getting injected in the source tab in dev tools, not positive about network requests. It wouldn't be hard to test though, just make a simple extension that does XHR to example.com and load it up locally. Chrome extensions are surprisingly easy to write, and there are some simple tutorials if you google around a bit :)
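The two comments above describe where extension traffic shows up (content scripts in the page's own Network tab, background-page requests only in the extension's own inspector) and how one might test it. A complementary defender-side check, added here and not part of the thread, is to take a DevTools HAR export and look for requests that an extension initiated, that went to a host other than the visited page's, and that carry the visited page's URL in the query string or body. It assumes Chrome's HAR dialect, in which each entry has a non-standard `_initiator` object whose `url` or `stack.callFrames[].url` names the originating `chrome-extension://` script; the sample HAR, hostnames and extension ids below are constructed for illustration.

```javascript
// Added example: scan a Chrome DevTools HAR export for extension-initiated
// requests that send a visited page's URL to a third-party host.
// Assumption: Chrome's HAR includes a non-standard `_initiator` per entry.
// Run with: node har-ext-leaks.js

// Extension origins look like chrome-extension://<32 letters a-p>/...
const EXT_ORIGIN = /^chrome-extension:\/\/([a-p]{32})\//;

// Constructed sample HAR (not real traffic). Extension ids are fake.
const SAMPLE_HAR = {
  log: {
    entries: [
      { // ordinary page navigation on the company platform
        request: { method: "GET", url: "https://app.example-internal.com/tickets/48213" },
        _initiator: { type: "other" },
      },
      { // extension background script POSTs the visited URL to an unrelated collector
        request: {
          method: "POST", url: "https://collector.example.net/api/visit",
          postData: { mimeType: "application/json",
            text: JSON.stringify({ url: "https://app.example-internal.com/tickets/48213", title: "Ticket 48213" }) },
        },
        _initiator: { type: "script",
          stack: { callFrames: [{ url: "chrome-extension://abcdefghijklmnopabcdefghijklmnop/background.js" }] } },
      },
      { // a different extension fetching its own settings: no page URL inside, not flagged
        request: { method: "GET", url: "https://cdn.example-vendor.com/settings.json" },
        _initiator: { type: "script",
          stack: { callFrames: [{ url: "chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/background.js" }] } },
      },
      { // same first extension leaking the URL percent-encoded in a query parameter
        request: { method: "GET",
          url: "https://api.example-search.com/lookup?u=" + encodeURIComponent("https://app.example-internal.com/tickets/48213") },
        _initiator: { type: "parser", url: "chrome-extension://abcdefghijklmnopabcdefghijklmnop/popup.html" },
      },
    ],
  },
};

// Return the id of the extension that initiated an entry, or null for page traffic.
function initiatorExtensionId(entry) {
  const init = entry._initiator || {};
  const candidates = [];
  if (init.url) candidates.push(init.url);
  // Walk the async stack chain (stack -> parent -> parent ...) and collect frame URLs.
  for (let stack = init.stack; stack; stack = stack.parent) {
    for (const frame of stack.callFrames || []) candidates.push(frame.url);
  }
  for (const url of candidates) {
    const m = EXT_ORIGIN.exec(url || "");
    if (m) return m[1];
  }
  return null;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch (_) { return ""; }
}

// True if `haystack` contains `pageUrl` verbatim or percent-encoded.
function containsUrl(haystack, pageUrl) {
  return haystack.includes(pageUrl) || haystack.includes(encodeURIComponent(pageUrl));
}

// For every extension-initiated request, report it when it targets a host other
// than the visited page's own host and carries that page's URL in query or body.
function findUrlLeaks(har) {
  const entries = har.log.entries;
  // URLs requested by the page itself (not by an extension) are the "visited" set.
  const pageUrls = entries.filter(e => initiatorExtensionId(e) === null).map(e => e.request.url);
  const leaks = [];
  for (const e of entries) {
    const ext = initiatorExtensionId(e);
    if (!ext) continue;
    const host = hostOf(e.request.url);
    const body = (e.request.postData && e.request.postData.text) || "";
    for (const pageUrl of pageUrls) {
      if (hostOf(pageUrl) === host) continue; // first-party request, not a leak candidate
      const where = containsUrl(e.request.url, pageUrl) ? "query"
                  : containsUrl(body, pageUrl) ? "body" : null;
      if (where) leaks.push({ extensionId: ext, host, method: e.request.method, where, leakedUrl: pageUrl });
    }
  }
  return leaks;
}

console.log(JSON.stringify(findUrlLeaks(SAMPLE_HAR), null, 2));
```

On the sample the scan reports two entries, both from the same extension id: the POST body to `collector.example.net` and the encoded query parameter sent to `api.example-search.com`; the second extension's settings fetch is left alone because it carries no visited URL. A real HAR is recorded from the extension's own background-page inspector (chrome://extensions, developer mode) or from the page's Network tab for content-script traffic, as the comments above describe.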
Somewhat unrelated, but if you email a private URL to a Microsoft email address, they will also crawl it, about once a month (I get an email any time someone accesses it and the MS bot is the only one accessing it). Not sure if Google also does that...
Agh, damn. Just removed Awesome Screenshot due to your comment and I liked it as an extension too. Not enough to leak information to third parties though.
And this is why Google sucks: even technically apt people can get suckered. Google bears responsibility for what's in the Chrome Web Store, except they (as standard) duck it and dump all responsibility onto the users. If even sophisticated users can get fooled, what hope do most folks have?
The answer is for Google to own what is in their store, but that costs money.
https://chrisa.wordpress.com/2014/08/25/chrome-extensions-go... https://mig5.net/content/awesome-screenshot-and-niki-bot
I am thrilled to see Google finally acting to restore trust in their platform.
Update: Google removed Diigo Quick Note, but still has Awesome Screenshot <https://chrome.google.com/webstore/search/diigo?hl=en-US> which captures the identical data and sells it to third party crawlers.
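The "block every extension except a short approved list" setup the original poster describes is expressed in Chrome's enterprise policy as a blocklist of `*` plus an explicit allowlist. The fragment below is an added example, not the poster's configuration: the allowlist entry is a placeholder to be replaced with the 32-character id of each approved extension, and on a Linux Chrome install the file would sit under `/etc/opt/chrome/policies/managed/`; Chromebox and Chromebook fleets receive the same two policies through the Google Admin console instead of a local file. Older Chrome releases used the `ExtensionInstallBlacklist` / `ExtensionInstallWhitelist` names for the same settings.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["REPLACE_WITH_APPROVED_EXTENSION_ID"]
}
```

With the blocklist at `*`, anything not on the allowlist is refused at install time and already-installed extensions outside the list are disabled, which is what turns "I personally approve a small number" from a manual review into an enforced control.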