Extensions needlessly having access to passwords.
Reported by m...@tomaszubiri.com, Jan 3
Issue description

Chrome Version: Current

Steps to reproduce:
1- Go to the following link in Chrome: https://chrome.google.com/webstore/detail/wayback-machine/fpnmgdkabkmnadcjpehmlllkndpkmiak
2- Click on "Add to chrome"

Actual results:
3- Read that the addon developer requires permissions to access all your data.
4- Google my way into "https://blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/" (I have yet to find the version for Chrome, but since Firefox addons are based on Chromium's extensions I'm assuming it should translate fairly)
5- Read that "The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords."
6- Make an informed decision about whether I want to grant access to my passwords to the developer of the addon.

Expected results:
3- Read that the addon developer requires permissions to access the relevant datapoints, in this case, URL and webpage contents.
4- Click on a "More details" or "Learn more" button that redirects me to a Google-hosted version of https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions?redirectlocale=en-US&redirectslug=permission-request-messages-explained
5- Make an informed decision about whether I want to grant access to my passwords to the developer of the addon.

Of course this includes the following feature at design time:
0- Allow developers to choose what type of information they want to handle and provide them with a JavaScript object that contains only the information that they need.

What is the impact to the user, and is there a workaround? If so, what is it?
The impact is that users are having to reluctantly trust extension developers with more data than they need, and developers have to reluctantly request data that they don't even want to be handling. This vulnerability makes malicious handling of data like passwords easier than if granular permissions were granted.

In the wake of so many data mishandling scandals and GDPR regulations, I feel this is an important bottleneck. I'm aware this is hard to implement, but I am available to collaborate and send pull requests under someone's guidance. Thank you for your time.
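Added illustration, not part of the report and not the Wayback Machine extension's real manifest: a small reviewer for an extension's manifest.json that reports how much page data the requested permissions let the extension read. The `<all_urls>` and `*://*/*` patterns are what produce Chrome's "read and change all your data on the websites you visit" install prompt that the reporter describes; `activeTab` instead grants access to the current tab only after the user invokes the extension, and a host pattern limits access to the listed sites. Both manifests in the block are constructed for this example, and the host `archive.example` is a placeholder, not a real endpoint of any extension.

```javascript
// Added example (not from the bug report, and not any real extension's
// manifest): summarise how much page content a Chrome extension manifest
// lets the extension read, so a reviewer can tell "every site, including
// what the user types" from a request scoped to the sites it actually uses.
// Both manifests below are constructed for illustration.

// Match patterns that cover every site. Chrome shows the "read and change
// all your data on the websites you visit" warning for these.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A permission entry is a host match pattern if it is <all_urls> or a
// scheme-prefixed URL pattern; named API permissions like "tabs" are not.
function isMatchPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|ftp|file):\/\//.test(p);
}

// Collect every host pattern the extension asks for: install-time
// permissions (Manifest V2 puts hosts in "permissions", V3 in
// "host_permissions"), optional permissions, and content_scripts matches,
// since a content script runs inside the page and can read its DOM.
function hostPatterns(manifest) {
  const out = [];
  for (const key of ["permissions", "optional_permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) if (isMatchPattern(p)) out.push(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) out.push(m);
  }
  return out;
}

// Classify page access:
//   "all-sites"  : any page, including data the user enters into it
//   "scoped"     : only the listed hosts
//   "active-tab" : only the tab the user invokes the extension on, only then
//   "none"       : no page access requested
function pageAccess(manifest) {
  const hosts = hostPatterns(manifest);
  const activeTab = (manifest.permissions || []).includes("activeTab");
  let level = "none";
  if (hosts.some((h) => ALL_SITES.has(h))) level = "all-sites";
  else if (hosts.length > 0) level = "scoped";
  else if (activeTab) level = "active-tab";
  return { level, hosts, activeTab };
}

// Constructed manifest that asks for everything: the kind of request that
// triggers the "access all your data" prompt the reporter saw. The "tabs"
// permission additionally exposes the URL and title of every open tab.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "Example archiver (broad, constructed)",
  version: "1.0",
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed manifest limited to the reporter's expected result: the URL
// and contents of the page the user clicks the extension on (activeTab),
// plus the one archive host it talks to (archive.example is a placeholder).
const SCOPED_MANIFEST = {
  manifest_version: 2,
  name: "Example archiver (scoped, constructed)",
  version: "1.0",
  permissions: ["activeTab", "https://archive.example/*"],
};

for (const m of [BROAD_MANIFEST, SCOPED_MANIFEST]) {
  console.log(m.name, pageAccess(m));
}
```

Run it with `node` to print the classification of both constructed manifests; pointing `pageAccess` at a manifest.json unpacked from a downloaded extension gives the same summary before the extension is installed.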
Comment 1 by m...@tomaszubiri.com, Jan 3