To sum it up, the AdGuard extension, as well as many others, may require intrusive-sounding permissions to work. We also need the webNavigation permission to catch the moment when to inject ad-blocking scriptlets, that is before the page loads any ads. Thus we explain that we need permissions to read and change all your data on all websites (“host permission” in Chrome) and to access tabs (“tabs permission”) in order to block ads, as well as apply cosmetic rules so that web pages look clean and tidy. In the AdGuard extension description in the Chrome Web Browser Store, we try to be transparent about why we need certain permissions. This process is called “cosmetic processing.”
It also allows them to hide “ad leftovers” - empty spaces and broken elements that may have been left behind by the blocked ads.
So, what about ad blockers?Īd blockers run JavaScript to scan web pages for ad scripts and other elements that match their blocklist, so that they can block them.
#ADGUARD ADBLOCKER CHROME WEB STORE PASSWORD#
For example, password managers use JavaScript to insert passwords and usernames into input fields, while productivity tools use it to block distractions, track time, save web pages, etc. The technical reason behind this is that these extensions use JavaScript, a programming language that allows them to read and transform HTML elements on the web page to fulfill their purpose. Nor is it just about ad blockers: all extensions that need to modify the content of web pages, such as password managers and productivity tools, require broad access to the information on these web pages. The issue is not specific to Chrome - extensions for other browsers, such as Firefox, have the same capabilities and permissions. In fact, it’s by far not the first time that alarm bells have been sounded about the extent to which extensions can access user data. And you have to trust them to do it right. It’s just they have no other way to do their job. While it might be true that ad blocking extensions (like many others) require some scary-sounding permissions, it’s not because they are inherently malicious or hell-bent on stealing your data. It’s a trust issue, there’s no getting round it Sounds ominous, doesn’t it? So, let’s set things straight. This maintains the lack of security boundary between the extension and web page and allows an extension to be loaded on the DOM tree and gain unrestricted access to the webpage, posing security risks for the users.” They said: “Despite MV3’s intended advancements in user privacy and security, content scripts’ operations remain unchanged. While Google Chrome’s new platform for extensions, Manifest V3, has imposed constraints on what extensions can do, the researchers found that these measures did not mitigate risks to security in any substantial way. “Analyzing the manifest files (the JSON-formatted files that provide important information about the extension’s capabilities and the files it uses), we find that 12.5% (17.3K) extensions have the necessary permissions to extract sensitive information on all web pages.” During their research, they identified 190 extensions that were “directly accessing password fields,” including such popular extensions as AdBlockPlus and Honey - both of them boasting over 10 million downloads. The researchers found that on 15% of the websites they studied - and these are not some obscure and unknown portals, but the likes of Google and Cloudflare (among others) - passwords were “present in plain text in the HTML source code.” In the researchers’ opinion, this careless attitude by website developers combined with relatively lax Chrome rules for extension developers leave the door wide open for attackers to exploit this vulnerability. These unprotected passwords, they argue, can become easy targets for malicious data-hungry extensions.
#ADGUARD ADBLOCKER CHROME WEB STORE CODE#
The paper mainly focuses on passwords that the researchers say are often stored in plaintext within the source code of even reputable websites. Recent research by the University of Wisconsin-Madison found that “a significant percentage” of extensions in Chrome - about 12.5% - have received permissions from users that enable them to access sensitive personal information.
0 kommentar(er)
