11

Assuming that an extension for Firefox or Chrome does not request any WebExtensions permission, what harm could this extension do?

Or put another way: What (potentially malicious) actions can an extension without permissions perform that an ordinary website could not do?

tim
  • 29,640
  • 7
  • 98
  • 121

1 Answers1

4

This is surprisingly difficult to find information on.

By default, extensions are subject to a Content Security Policy (CSP) of:

"script-src 'self'; object-src 'self';"

In this case, the self keyword refers to the extension package, and hence they can access any files which are included in the extension package itself. This strongly suggests that extensions cannot access any scripts which are hosted elsewhere, without the default CSP being overridden. Similarly, they can't run scripts using eval without explicitly allowing it.

This does not actually require a permission though, so, in theory, given a self-contained JS flaw which can compromise the browser, an extension with no permissions could execute arbitrary code. This is of limited benefit - such a flaw would presumably work from a web page as well, so it doesn't meet your requirement.

Based on the repository of example webextensions, explicit permissions are not required to change the style of a specific site (e.g. the borderify example), the text content shown to the user (e.g. the Emoji Substitution example), or to copy data from pages to system clipboard (election-to-clipboard example) - the clipboard example does require the ability to "Access your data for all websites", which is implicitly granted by the content_scripts value <all_urls>.

It is therefore possible to see some potential malicious actions, although it does appear possible for sites to block these (see the notes about addons.mozilla.org disallowing content scripts):

  • Change the target for forms, so that data is sent to a third party upon submission (user activated submission - this is effectively just changing text)
  • Modify the values shown on pages (e.g. change the target for online banking payments where a second factor isn't used to confirm this, add a "sorry your payment failed, please try again" message when the page returns a "payment complete" message)
  • Combine with another application which can read clipboard content, and use the extension to get more useful data into the clipboard (e.g. copying values from logged in sites which are not otherwise visible)

All of these are dependent on the malicious actor being able to make reasonable guesses about what pages the users will visit, but if a large user base is assumed, this becomes a numbers game - someone will probably visit the target page eventually.

Matthew
  • 27,381
  • 7
  • 91
  • 103
  • 1
    Thanks for your answer! However, the clipboard example does require permissions ("Access your data for all websites" if you build it and try to install it). This makes a lot of sense. It would be shocking if you could inject JavaScript into any website without permission, as that would make all of the host permissions meaningless. – tim Oct 22 '18 at 15:39
  • I did find this interesting documentation, which has a list of permissions which aren't shown to the user (which to me suggests that they aren't permissions which need to be requested from a user, but basically are granted by default). If I find the time, I'll check out what can be done with those. – tim Oct 22 '18 at 15:41
  • @tim I was working off the manifest, which for the clipboard script, does not include any permissions. It's interesting that it prompts for permission though – Matthew Oct 22 '18 at 17:06
  • 1
    Yes, I think it would be a lot better if the permission would have to be explicitely requested via permissions instead of implicitely via content_scripts. But either way it's good that it does require a permission :) – tim Oct 22 '18 at 17:25