00:00:00
If you use browser extensions, which is probably almost all of you watching this video, you need to listen up, because this incident exposed some really interesting things that browser extensions can do, as well as some interesting ethical questions that maybe we should be asking ourselves. Ars Technica put out this paper that pretty much said browser extensions turn nearly 1 million browsers into website-scraping bots. And I'm going to show you why that is and what to do about it.

00:00:25
First, I want to walk you through the extensions that this specific problem impacted, even before I cover the problem, because this sets the scene a little bit better. Some of these look like obvious issues, like Extra Dim or Mimic AI Chrome Compare. I don't know what these do, but they just look like problems. Some of these, though, look like pretty reasonable things, like Netflix 1080p Light. No, I'm kidding. Like Bluesky Media Downloader. Also, Idle Forest is one that I feel like I've seen before, and also some of these are privacy-oriented, like User-Agent Switcher. Now, these change your user agent to try to, you know, get rid of fingerprinting. I've covered fingerprinting in this whole masterclass to see if those are even effective. Sneak preview: they're mostly not. But my point is, this is a huge list of a variety of extensions, and any of you could have at least installed one of these at some point. I don't keep up with these, but some of these are extensions I might have installed 5 years ago. Some of these allow you to use dark mode on sites that don't support dark mode. Some of these add functionality to sites that don't support certain features.

00:01:29
Now, here's where things get really interesting. This isn't formally malware, because this actually comes from something called Mellowtel. And this was covered by someone called Secure Annex. And what this is, they have a whole response, but this is actually an open-source library that essentially allows developers to monetize their browser plugins. Now, you might already start to see the ethical considerations here, because they are very much in the camp that they're doing something good, and they're offering a monetization strategy for developers that doesn't otherwise really exist. And so this is a good alternative to the, maybe, advertising industry or the surveillance industry.

00:02:08
So, here's how Mellowtel works. You as a developer essentially implement this so that you can monetize off of your users. What this does: it declares a couple of permissions that you need to add, and then those permissions are used to essentially generate incognito windows without you seeing. And this all happens in the background. And you can see the example here of Idle Forest is what they use. What you do is you click "Start planting", and that now allows you to contribute your unused bandwidth to this extension. And then the researcher says that it sends device info like location, bandwidth available, heartbeats, and status. Now, what's interesting is this loads an iframe. Now, if you don't know what iframes are, all you really need to know is that they can be manipulated in a lot of ways to steal data about you, or a lot of security vulnerabilities can actually utilize iframes. And so a lot of times, properly designed websites will have things called content security policies and X-Frame-Options and different things that are designed to prevent this kind of stuff from happening. And the way that these extensions work actually bypasses the way that web browsing is supposed to work so that sites can be properly secure. So, when you use extensions like this, not only is there this potential privacy issue that we're going to talk about shortly, but there's this security issue as well, because sites are actually not being utilized in a way that they're intended to be utilized based on their own security policies. The way the author describes this is: the weakening of all web browsing can open users up to attacks like cross-site scripting that would generally be prevented under normal conditions. Not only are your users unintentionally becoming bots, but their actual web browsing is more vulnerable as well.

00:03:43
The researcher actually dives a little bit more into, like, the personal stuff and covers how the owner of this extension also owns a lot of the extensions that it doesn't seem like are owned by them, which is a bit sketchy. And actually, they came forward and gave a lot of the rebuttals and pretty much addressed, like, "Oh yeah, we do do this. We don't do this. Here's context behind why we do this." I recommend reading all of it, cuz it's a pretty complicated situation.

00:04:07
But here's my problem. Actually, multiple problems that I have with this story. One, I don't think a lot of people understand what contributing bandwidth means, if they were actually trying to contribute bandwidth. But most likely, like most people, if you're using one of these extensions, you're not actually freaking aware that stuff is happening in the background, which is this entire consent problem that really needs to be addressed. This seriously matters and could impact a lot of people. Not only is there a potential performance impact if, again, you're not opting in to use a service like this, where you're contributing your bandwidth to a developer's paycheck, which is fully understandable. I know it's hard to be a developer, but if you weren't aware you were doing that, that's a bit shady. There are, of course, privacy implications with this as well. Like we said, there is some sort of data transmission that's happening here, and they do say that they're more private and they are better for privacy than the traditional advertising industry, but I don't think that's the best bar for us to try to shoot for. Now, as for the actual privacy implications, it seems to be pretty hard to figure out what's going on. So, either way, the fact that this is in question should be a concern for many of you. And of course, we talked about the security risks, how the entire way that this extension works actually breaks the model of how you're supposed to have proper security on websites.

00:05:20
Now, before I touch on what to do about this and how to make sure your extensions aren't caught in this, I want to also touch on another important tool that's also the sponsor of our video, redact.dev. I'm a firm believer there is no magic bullet for privacy and security, and that you need to use multiple tools in different areas of your life for maximum effectiveness. And I think redact.dev is a perfect solution that fits into a lot of people's workflows. If you've ever wanted to delete any social media accounts, or specific messages, or maybe just attachments in your DMs, redact.dev helps you automatically find and delete old messages, attachments, images. The customization just lets you do whatever you want, so you can actually take control of your data. It works with major platforms like Twitter and Discord. It has automated services so that you can just run it in the background. And my personal favorite feature is it lets you do things like ephemeral timelines, so that maybe your tweets get automatically deleted after a month. My favorite thing about Redact, too, is that it's trustless. They don't actually store your credentials on their end. It's all done locally on your machine. In fact, if you set up Redact on a second device, you have to sign into your accounts again on that device, because it's all done locally on each device, so they never get your credentials. To put it simply, if you're trying to improve your digital footprint, make yourself a little more minimal, make it harder for data brokers to track you, redact.dev is probably the best thing you can use. Visit them using the link here on the screen or down in the description. And now, back to the video.

00:06:45
Before I get into the protection tips, I want to just cover some basic things that are pretty much staples in the Techlore community, which is this channel. It's a digital rights community. We've always advocated for digital minimalism. And what this means in the context of extensions is you should only be installing extensions you absolutely need. And if you actually go up here, you're going to see that my browser right here literally has one extension that comes pre-installed, and it's uBlock Origin, which is a very safe and trusted extension. And then I have another browser that has uBlock Origin as well as a password manager, but that's it. Now, why I recommend keeping extensions to a minimum, besides this story: extensions are notoriously not very security-first nor privacy-first. And so it's one of the things that we want to reduce the usage of as much as possible. On top of that, extensions have a lot of access to your system, especially if you grant them access to every website you're on. So, you want to be very aware of this and make sure you're reducing the number of people that have access to that data, to lower the likelihood that someone's doing something wrong with it.

00:07:45
With that said, let's talk about what you should do. First, go through this list and see if your extensions are impacted by this specific problem. But realistically, there are so many issues that extensions can pose that aren't only represented in this problem. So, what I would do, and this is step one: go through your extensions and just remove things that you literally never use. I know a lot of people that are like, "Oh, I don't know why I have this extension anymore. I haven't used it in months." That's the extension to remove right now. Next, you want to have a little bit of discomfort and, like, remove a few extra ones beyond that. In terms of how to choose the ones to go from there, I like to look for extensions that are tied to some kind of broader business model where it's not just the extension. A really good example of this is password managers. Your password manager, if you're using something like Proton Pass, if you're using something like Bitwarden, if you're using something like 1Password, these all have their own business model that's independent of their extension. And their extension is just an extension of their service. And that's what they should be. What you need to avoid is extensions that are their whole product. This reminds me of Shark Tank, where sometimes they say, like, "Oh, this is a product, not a business." And this is the same situation. An extension should be the equivalent of a product, but not the entire business. So, try to go through your extensions, uninstall what you don't need, see what actually has a real business model with a real company behind it that doesn't need to just monetize off of your browsing data. And of course, if you need something done, see if there's a better dedicated solution for it. In the context of dark mode readers, maybe what that means is moving over to a browser that just has better dark mode support. Brave, for example, has a reader mode that you can use to read articles in dark mode, even if the site doesn't have a dark mode. And Safari, I believe, has something similar as well nowadays. But that's an example of how you can repurpose different tools to avoid needing to install an extension that has access to a lot of sites and can cause a lot of damage. So, please pause this video right now, go check your extensions, and do it on all your browsers.

00:09:51
But keep in mind that this also has broader implications that I really want to remind people about. First, this really implicates extension stores, right? Because there's a lot of trust that you give when you go to the Google Chrome store or the Mozilla Firefox store and you say "install extension"; it's assumed that extension is safe and it's not doing anything nefarious. But it's not really always the case, as we see over and over and over. So this story is a good reminder to not have absolute faith in browser extension stores, and that they need to step up their game in terms of being transparent about what each extension actually does on your system. Browsers are also moving in a positive direction in this way, because browsers are developing extension systems that reduce the amount of permissions and things extensions can do, which does have some benefits to security. And of course, this isn't an issue just for extensions. This is a good reminder that you need to really watch your digital hygiene everywhere. These issues I'm talking about plague apps on the app store. There are third-party SDKs that essentially just are there to track your data, share it with data brokers, and that's purchased by either governments or private companies, and that's all through just kind of whatever apps that you wouldn't think twice about using, also programs on your computer and really everything else you do on your systems. So I really want all of you to treat this incident as a reminder to audit everything on your devices, remove things you don't need, and really see if you have trustworthy solutions in place for the rest of it.

00:11:17
Now, I want to take a minute to address the ethical questions, because this is something that I think everybody should reflect on. I don't have answers, but as a content creator and somebody who publishes to the internet and does make money off of this, it's a really tough place to be in, because Techlore makes money off of YouTube advertising. Not a huge amount, but some of the money that we make comes from YouTube advertising. But also, we make money from the community, we make money from sponsors, we make money from affiliates, and we have this really diverse source of income. But if you're a developer, you know, of an extension, it's really hard to have that kind of diversity and all these different revenue models that hold each other accountable and also ensure that you're not over-prioritizing just one thing over all the others. Maybe Mellowtel has a point. They are trying to build an alternative to the, you know, traditional surveillance system. At minimum, it's open source. They try to be more privacy-respecting. And they're trying to essentially create a new revenue model for developers. And that mission in itself is a noble one. What's worth asking, though, is: is that the correct one? And really, what is the best long-term sustainable solution for situations like this? How are we going to allow developers to grow and be sustainable and build the cool stuff that we enjoy using, while making sure they still get food on their plates? This whole story has really introduced a lot of questions for me, and I don't have that many answers, but I think it's really worth all of us reflecting on what this means for the digital landscape, and I would love to hear your comments.

00:12:47
So, like, please, it's not just, like, an engagement thing. Like, no, please leave your comments down below. I'd love to read them and kind of get some third-party perspectives on this. Check your extensions right now. Share this with friends or family, cuz a lot of people don't know that extensions do this stuff. And of course, join our community for more security updates. We have a good forum. It's open source, and it's all down in the description. And I also want to thank redact.dev for sponsoring our content and making this stuff possible. Thank you all for watching, and I'll see you next time on Techlore. Stay safe out there.