Some vendors store API keys in the localStorage, so you could dump those if you wanted as well. Browser extensions can be very dangerous and in a corporate environment they need to be reviewed and controlled.
I do have a quick question regarding the network capturing traffic part of the extension: is there any way to also get the server response as well (since webRequest beforeRequest is triggered before receiving any server side data)? I had an issue in the past with the webRequest API and couldn't find a way to get the response without making a new web request from the background service code.
As one of the core-team members of rrweb I was afraid you where going to mis-use rrweb for this case. Happy to see you didn’t but at the same time terrified that it would very much be possible to use it for this
If you have access to dev tools of an extension - background page in MV2, service worker in MV3. Then you could use debugger and read all data that are stored in memory. You could also check data that are saved/loaded from e.g local storage.
actually Manifest v2 is pretty limited already with no way to interact with the browser interface, browser generated pages (unless explicitly stated it needs that ability and user flips the flag in their browser and gets bothered by a warning every time they start their browser, this one isn't available in WebExtensions though), extension generated pages, in effect making things like (context aware, but even more basic) mouse gestures, keyboard shortcuts, GUI tweakers impossible
Dark Reader and the like is an issue for security, but could easily be built into chromium. Chromium already has a broken version of Dark Reader built in - and built in it is much faster. But we need white and black listing abilities at the minimum. This is a common thing that should be built in instead of an extension.
The only other thing that is pretty much universally needed is extension for password managers. Perhaps there's a way to better secure that too but I've not seen exploits for browser password extensions yet - but they may exist.
Is there a way to use this to save all pages of Google Books offline for perusal, say as a PDF or just raw image captures of every single page available?
epic and terrifying
Some vendors store API keys in the localStorage, so you could dump those if you wanted as well. Browser extensions can be very dangerous and in a corporate environment they need to be reviewed and controlled.
Great point. I might do a followup post with more 'sploits.
Discussed on Hacker News:
https://news.ycombinator.com/item?id=34889243
I was testing this out, but can’t find where the logs are stored
I tried it myself and all the warnings were presented. Did they fix it?
I tried it myself and all the warnings were presented. Did they fix it?
Hi Matt, great article!
I do have a quick question regarding the network capturing traffic part of the extension: is there any way to also get the server response as well (since webRequest beforeRequest is triggered before receiving any server side data)? I had an issue in the past with the webRequest API and couldn't find a way to get the response without making a new web request from the background service code.
As one of the core-team members of rrweb I was afraid you where going to mis-use rrweb for this case. Happy to see you didn’t but at the same time terrified that it would very much be possible to use it for this
Great article but what you can do with the captured data? can you send it to a server ?
Yes data you collect could be sent to your sercer, by using HTTP or WebSocket call.
but maybe the Browser has a protection vs that ?
If you have access to dev tools of an extension - background page in MV2, service worker in MV3. Then you could use debugger and read all data that are stored in memory. You could also check data that are saved/loaded from e.g local storage.
I will use chrome extension for another example. You could set so called - access level: https://developer.chrome.com/docs/extensions/reference/storage/#type-AccessLevel
By default you have trusted level. But as you could read here: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/il2DYn49HAw?pli=1, it could be applied into session storage only.
actually Manifest v2 is pretty limited already with no way to interact with the browser interface, browser generated pages (unless explicitly stated it needs that ability and user flips the flag in their browser and gets bothered by a warning every time they start their browser, this one isn't available in WebExtensions though), extension generated pages, in effect making things like (context aware, but even more basic) mouse gestures, keyboard shortcuts, GUI tweakers impossible
Fix typo: "how it an be captured"
Dark Reader and the like is an issue for security, but could easily be built into chromium. Chromium already has a broken version of Dark Reader built in - and built in it is much faster. But we need white and black listing abilities at the minimum. This is a common thing that should be built in instead of an extension.
The only other thing that is pretty much universally needed is extension for password managers. Perhaps there's a way to better secure that too but I've not seen exploits for browser password extensions yet - but they may exist.
Is there a way to use this to save all pages of Google Books offline for perusal, say as a PDF or just raw image captures of every single page available?