Show HN: Little Rat – Chrome extension monitors network calls of all extensions (github.com/dnakov)
555 points by npace12 on Aug 14, 2023 | hide | past | favorite | 101 comments
Hi HN

I needed a way to monitor network calls made by chrome extensions so I made a small extension.

You can install it by dropping the zip or crx into the extensions page. It'll be on the chrome store whenever/if it gets through the review.

Hopefully it's useful to others.

https://github.com/dnakov/little-rat

https://twitter.com/dnak0v




I wish this was a feature of Firefox (or Chrome, as if Google would ever), rather than a third-party extension, so that it had enough adoption to compel other browsers to care too. I'd like very much to authorize certain extensions to only make GET requests to specific static URLs without any ability to vary the headers, so that they can get data updates without there being any risk of leaking data. And for others, they don't need network access at all to do their job locally in my browser instance. But that would be circumventable (since anything that can modify page source can add data transmission), so I imagine they aren't doing it because of that. Too bad — better to try than just give up and cede it to a Chrome extension.


For observing it at least, you can - you need to open a debugger for the browser rather than for the current page.

The process is roughly the same as inspecting the UI, you basically enable remote debugging and then launch the Browser Toolbox: https://superuser.com/questions/1608096/how-to-inspect-firef...

(this is also a great way to figure out what you need to do for a user-chrome CSS file, e.g. if you want to change how tabs appear beyond just theming. though using a user-chrome CSS file is unfortunately a minor pain in the ass.)

I had to switch it to "multi-process mode" to get network requests from extensions to show up, but that broadly makes sense.

e.g. here's ublock pulling a random block list that I clicked on to test: https://i.imgur.com/wBYbBM2.png

and here's Firefox itself updating the safe-browsing list in the background: https://i.imgur.com/JYxWwjW.png


A GET request can leak data via the request path or query string parameters; if that were restricted, you could set up communication whose timing or frequency implies activity with a Morse-code-like protocol (and with enough requests, easily transfer megabytes of data).


You can just do whatever the modern equivalent of document.trackingPixel.src = 'leak all your data here in a single request', since extensions can modify content blocking. Firefox should ask for, accept, and audit a statement of whether your extension needs to make dynamic network calls or not, and why it needs to do so. Yes, you could lie — but then you'd get caught lying, in violation of, kicked off the store, etc. Today, you can just add tracking, and no one can take any useful action as a result.


100% agree. I think extensions are an odd place to start, but this is the exact reason I avoid browser extensions unless I’ve explicitly audited them (and still don’t like they auto update without permission).


Same, but on Firefox, the latter can be nicely configured both on a default and on a per-extension basis.


I'd say any extension that's making an http request that isn't just repeating URLs that are already in the page should show a toast notification with the request body prettified into legibility.

A well made extension will only pop up an occasional toast. One that needs the server to work will show the toast when the user expects it to be talking to the server. One sending keypresses or other suspicious data will be really obvious.


IIRC extensions cannot access any URL that hasn't been specified in the manifests permission section. I think Firefox shows those URLs in the permission prompt. Those URLs can contain wildcards though and I even think there is a special value for all URLs but only few extensions should require that permission.


For extensions that modify page data, is that prompt still shown? My understanding was that once you have the 'modify page data' permission, you're no longer required to present URLs in the permission prompt at all — but I'd be thrilled to be wrong, if that's changed!


I think browser makers don't offer this because any protection put in place would be easy to work around.

For example, even if the extension itself can't make requests, there are plenty of ways to 'trick' a webpage into making a request on your behalf when you have permissions to modify the Dom of the web page.


Given that this extension is not very easy to install, I suggest adding a screenshot showing some actual captured network events. The current screenshot hides the most interesting feature.


Open google chrome > click options (3 dots) in upper right corner > Extensions > Manage Extensions > Click to toggle Developer Mode in upper right corner > upper left corner button "Load Packged" > Load the directory of the un-zipped .zip file

Next, back in the normal browser-- Click the puzzle piece icon where your extensions icons are to the right side of the URL address bar. Click the little thumbtack next to Little Rat extension. Now it's installed and shows in the list of extension icons


Neat. I'm surprised this is possible tbh.

Not being familiar with exactly what data these APIs (or similar?) provide: could extensions' abilities to access other extensions' requests imply any security concerns for e.g. password manager extensions? Or auth-token-using extensions?


Nice! Feels like something that should be a chrome:// URL.


That was my first thought. Why isn't this native to Chromium seeing that extensions are such a security/privacy risk.


Because Chrome is made by a company whose primary source of revenue is the sale of its users’ data. Cui bono. Or, “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”


Sure, but someone could fork Chromium and add it in.


sounds great, do you have plans to port it to Firefox?

Does anyone know an equivalent that do the same thing on Firefox?


I believe that these connections should also appear in the browser console[1], otherwise you could always log the traffic[2] or inspect/debug any individual extension[3].

You will be amazed at the obvious extension policy violations Mozilla is letting many of their "recommended" extensions get away with.

[1]: https://firefox-source-docs.mozilla.org/devtools-user/browse...

[2]: https://firefox-source-docs.mozilla.org/networking/http/logg...

[3]: https://firefox-source-docs.mozilla.org/devtools-user/about_...


Any notable offenders? Seems like something worth reporting.


Listed some offences and offenders in another comment from last June: https://news.ycombinator.com/item?id=35792605

I've reported these and several other extensions again every time they were updated in great technical detail and through various official channels, but stopped bothering when about a year and several extension updates later nothing had changed.


Good to know, thank you.

If you still happen to have the technical detail you sent off somewhere, that seems like it would be a great reference for starting to learn what to look for. Hell I'm sure HN would appreciate it as a submission (assuming it actually gets eyes and doesn't die in new)

I hadn't really cared about this topic, because it adds yet more cognitive overhead and I was relying on mozilla to care. Seems this faith was misplaced.


Seems like I didn't keep it around, but it amounted to a description of the violation, some reproduction steps where applicable, and essentially a stacktrace for the offending code in the distributed extension package (xpi) and in the source code when publicly available.

As for the extensions I listed in my older comment, as far as I remember:

- Even though the extension policy explicitly and unconditionally forbids it, they were all sending some form of telemetry to either Google or Sentry without so much as a mention or let alone having provided any sort of opt-out controls.

- Some would load and run external scripts at runtime (not limited to "just" Google Analytics/Tags stuff), none of which appeared to be nefarious in nature - when I checked them over after downloading them directly, that is. Obviously, as is the whole point behind not allowing them, the external script could simply be swapped out for something else one day, or a different one could be served depending on whether it was requested by the extension.

- One of them would occasionally advertise the author's other extensions when new or updated, either with a weird in-page popup notification or a video announcement on YouTube, which it would hijack the current tab or create and focus a new one for to show.

- Tracking parameters would be added to outgoing links by several extensions, including ones to third parties which I guess were partners/affiliates which is also forbidden.

Tangent: Funny thing is that even Firefox itself ignores a disabled "Allow Firefox to send technical and interaction data to Mozilla" setting by tacking on parameters to all of the preinstalled search engine providers' results pages, and all external pages the browser provides links to such as documentation, legal, support, and other Mozilla product pages. Perhaps no PII, but interaction data is interaction data and no is no.

Of course this isn't all, and there are more offenders besides those extensions I listed before. Just downloading the extension (from the extension page, easiest to use a different browser and "save as" since Firefox will ask to install), unpacking the XPI archive, and grepping for common telemetry service names/collection endpoints or suspicious terms like "promo" or "utm" will do it in most cases (Mozilla extension review team should try it sometime). Although let me know if you want some more pointers or details on specific extensions.
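The audit workflow in the comment above (unpack the XPI, then grep for telemetry endpoints and markers like "promo" or "utm"), written out as an added Node.js example; this is not a Mozilla tool and not something the thread's posters publish. `scanText` is the pure matcher, `scanDir` walks an already-unpacked extension directory, and the pattern table is an illustrative starting set a reviewer would extend. All names and the sample input are constructed for the example.

```javascript
// Added example, not code from the project or from Mozilla.
// Scans an unpacked extension directory for the indicators discussed above.
// require() is guarded so the pure part also loads where CommonJS is absent.
const fs = typeof require === 'function' ? require('fs') : null;
const path = typeof require === 'function' ? require('path') : null;

// Illustrative indicator list (assumption, not exhaustive): telemetry hosts,
// tracking parameters, promotional strings and remote-script loading.
const DEFAULT_PATTERNS = [
  { label: 'google-analytics', re: /google-analytics\.com|googletagmanager\.com/i },
  { label: 'sentry', re: /sentry\.io|@sentry\//i },
  { label: 'utm-params', re: /utm_(source|medium|campaign)/i },
  { label: 'promo', re: /\bpromo\b/i },
  { label: 'remote-script', re: /createElement\(\s*['"]script['"]\s*\)|importScripts\(/ },
];

// Scan one file's text. Returns one hit per (line, pattern) as
// { file, line, label, text } so a reviewer can jump straight to the spot.
function scanText(text, relPath, patterns = DEFAULT_PATTERNS) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const p of patterns) {
      if (p.re.test(line)) {
        hits.push({ file: relPath, line: i + 1, label: p.label, text: line.trim().slice(0, 160) });
      }
    }
  });
  return hits;
}

// File types worth scanning in an unpacked XPI/CRX (both are zip archives).
const SCAN_EXT = new Set(['.js', '.mjs', '.json', '.html', '.htm', '.ts']);

// Recursively scan a directory; minified bundles are scanned as-is, so a
// single long line may produce several hits.
function scanDir(root, patterns = DEFAULT_PATTERNS) {
  if (!fs) throw new Error('scanDir needs Node.js fs');
  const hits = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (SCAN_EXT.has(path.extname(entry.name).toLowerCase())) {
        hits.push(...scanText(fs.readFileSync(full, 'utf8'), path.relative(root, full), patterns));
      }
    }
  };
  walk(root);
  return hits;
}

// CLI use: node scan-extension.js <unpacked-extension-dir>
if (fs && process.argv[2]) {
  try {
    for (const h of scanDir(process.argv[2])) {
      console.log(`${h.file}:${h.line} [${h.label}] ${h.text}`);
    }
  } catch (err) {
    console.error(`scan failed: ${err.message}`);
  }
}
```

A hit is a lead, not a verdict: a string such as `utm_source` in a blocklist or a URL-cleaning rule is benign, so each match still needs a look at the surrounding code, which is exactly the step the comment describes doing by hand.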


- One of them would occasionally advertise the author's other extensions when new or updated, either with a weird in-page popup notification or a video announcement on YouTube, which it would hijack the current tab or create and focus a new one for to show.

Looks like pocket tube, I see, "https://p.yousub.info/referral" mentions in the extension. I can fully comprehend Giphy's tracking code, but pocket tube's eludes me.

I have started a Github repo to try and report them, but I only have time for Giphy for now. [1] Plus I have not done this sort of thing before. Any pointers are very appreciated.

[1]: https://github.com/ColoursofOSINT/extensions-investigation


Could you provide some of the details regarding these extensions?

I am not a user, but I have some time to throw something together about it.

Giphy seems to have some compiled code in a weird .ts format (which I have not seen before, but I am a novice).

It also loads a script from https://www.google-analytics.com/analytics.js, isn't that remote code?

Also, I could not find a privacy policy, even though there is information being sent and received.


My reply to your sibling comment has some further details: https://news.ycombinator.com/item?id=37137552

Let me know if there is anything else or more specific you'd like to know.


.ts is typescript, FYI


Yeah, I'm going to try this shortly, will post an update.


Interesting.

I'll be watching this. Thanks for the project!


Waiting :)


update: so far not great...

declarativeNetRequest.onRuleMatchedDebug is not available [1] Even though the docs say it's behind a flag [2], it's undefined.

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745773

[2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...


looking forward to this


Same


In most cases, just adding "var chrome = browser;" to the top of each js file would make it work for Firefox, which is just a copy of the Chrome Extension APIs with slight changes.


According to mdn[0], Firefox does not support onRuleMatchedDebug so just importing the code likely won't work.

0: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...


Firefox add-ons actually recognize the "chrome" keyword.


they actually have a js polyfill that lets you use promise based `browser` keyword in chrome too.


Thanks for sharing! I'll wait till it's on chrome store cuz I'm lazy and don't use Twitter.


Since it uses `declarativeNetRequest.onRuleMatchedDebug`[0], which is supposed to be debug-only, I doubt it'll be allowed in the chrome webstore.

0: https://github.com/dnakov/little-rat/blob/f0b9b6be39af9fe7f4...


  1) Go to Releases, right click the crx file and save.
  2) In Chrome, go to Extensions then drag and drop the crx file
  3) Profit


It is added to extensions but remains disabled with following message

> This extension is not listed in the Chrome Web Store and may have been added without your knowledge. Learn more https://support.google.com/chrome_webstore/answer/2811969?vi...


Why not on the chrome store?


It's currently under review because it's using the chrome.declarativeNetRequest (same API uBlock is using)


Hang on do you mean to say the web store might accept an extension with `declarativeNetRequestFeedback` permission, it just might take longer and be less certain? I've got an extension that could potentially really benefit from using this permission (because I want to be able to dynamically decide whether to take an action in a content script based on the `Content-Type` header; currently I use imperfect content-sniffing heuristics instead). The last time I dug into it, it seemed that this permission just wasn't going to be available after the Manifest v3 moratorium that has already passed. So I'm interested to know if anything has changed (or if there's any special way that extensions can be approved with this permission, e.g. if they're popular enough and have a good privacy track record).


I'm not sure, but I was curious too, so I submitted it for review to find out.


Interesting, I had assumed it wouldn't even allow uploading it if the manifest required that permission. Hope they allow it for you!


It got rejected today but not due to the permission, I'll pretty it up and try again.

Violation reference ID: Yellow Zinc Violation: Description provided is insufficient to understand the functionality of the item.


Appreciate you keeping me posted, please comment again when your next attempt gets approved/rejected!


Managed to get it in! [1]

I added the ability to do blocking and made the "management" and "declarativeNetRequestFeedback" permissions optional, requested via a button on the popup page. While declarativeNetRequestFeedback works when you install it manually, the store version tells you the permissions are there, but chrome.declarativeNetRequest.onRuleMatchedDebug is undefined, so unfortunately, the store version can't count the number of requests. Blocking still works though, just you don't get any feedback about what's blocked. I think this is still useful to be able to block extensions, so I'll keep carrying 2 versions, 1 for the store with limited functionality.

1: https://chrome.google.com/webstore/detail/little-rat/oiopkpa...


I have an extension with a small user base that uses 'declarativeNetRequestFeedback' permission. I haven't experienced any issue with the review process.

https://ris58h.github.io/youtube-chapters-in-player/


Your extension is not actually using declarativeNetRequestFeedback, though.


Isn't declarativeNetRequest the new, less powerful Manifest V3 API that uBlock Origin Lite is using?


yeah, little rat is using manifest v3


Nifty - but please do this more carefully:

https://github.com/dnakov/little-rat/blob/main/popup.js#L36

I do not want to have to worry about whether another extension can inject xss into yours with a crafted request/id/name.


that is a very good point but:

* the content security policy does not allow unsafe-inline

* extension ids are autogenerated by chrome


While unsafe-inline prevents execution of scripts, it doesn't prevent another extension from including HTML in one of the URLs it is requesting, and adding DOM elements that might entirely change the display of the extension. Likely not a huge problem here (there are much easier ways to bypass/cheat this extension e.g. by inserting tracking code into the DOM of a visited page so it's executed by that page) but it's definitely not good practice to interpolate HTML with untrusted strings.
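An added example (not the project's popup.js) of the point made in the exchange above: one extension-list row rendered three ways. `renderRowUnsafe` is the interpolation pattern that lets markup in another extension's name or requested URL land in the popup's DOM, `renderRowSafe` is the same template with every untrusted field escaped, and `renderRowDom` builds nodes with the DOM API so untrusted text is never parsed as HTML. The sample record and all function names are constructed for the example.

```javascript
// Added example, not code from the little-rat repository.
// Inputs: ext = { id, name, count, urls }, where name comes from another
// extension's manifest and urls from its requests, so both are untrusted.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Risky pattern: untrusted strings are concatenated straight into HTML.
// A CSP without unsafe-inline stops script execution, but injected elements
// can still restyle or hide parts of the popup, as the comment above notes.
function renderRowUnsafe(ext) {
  const urls = ext.urls.map((u) => `<li>${u}</li>`).join('');
  return `<div class="ext" data-id="${ext.id}"><span>${ext.name}</span> (${ext.count})<ul>${urls}</ul></div>`;
}

// Hardened string version: every untrusted field is escaped and the count is
// coerced to a number, so markup in a name or URL is displayed as text.
function renderRowSafe(ext) {
  const urls = ext.urls.map((u) => `<li>${escapeHtml(u)}</li>`).join('');
  return `<div class="ext" data-id="${escapeHtml(ext.id)}"><span>${escapeHtml(ext.name)}</span> (${Number(ext.count) || 0})<ul>${urls}</ul></div>`;
}

// Preferred in a real popup: build nodes with the DOM API. textContent never
// parses its argument, so no escaping step can be forgotten. `doc` is passed
// in so the function can be called wherever a Document exists.
function renderRowDom(doc, ext) {
  const row = doc.createElement('div');
  row.className = 'ext';
  row.dataset.id = ext.id;
  const name = doc.createElement('span');
  name.textContent = ext.name;
  row.append(name, ` (${Number(ext.count) || 0})`);
  const list = doc.createElement('ul');
  for (const u of ext.urls) {
    const li = doc.createElement('li');
    li.textContent = u;
    list.append(li);
  }
  row.append(list);
  return row;
}

// Constructed sample: a name and a URL that both carry harmless markup.
const SAMPLE = {
  id: 'abcdefghijklmnopabcdefghijklmnop',
  name: 'Helper <b>Pro</b>',
  count: 2,
  urls: ['https://example.test/?q=<b>x</b>'],
};

// In the popup page itself, render the DOM version; skipped outside a browser.
if (typeof document !== 'undefined') {
  document.body.append(renderRowDom(document, SAMPLE));
}
```

Escaping the string version is the minimal fix for code that already uses `innerHTML`; switching to `renderRowDom` removes the class of bug entirely, since no field ever goes through the HTML parser.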


Love the name. I have been looking for something just like this.


The lack of a network call doesn't prove the extension is safe. It might cache some data you want to keep private, and send it periodically.


Downloaded the extension and tested that it's working. QQ: What does it mean when there is a "hit" (e.g., 1 appears), but when I click the extension to investigate all extensions show 0, and the original displayed number disappears?

Also, if I delete an extension, it still appears in the list of extensions in Little Rat. Any easy way to fix this?


Yeah, it's only getting the list of extensions once on load, I'll push a change in tomorrow to have it refresh. The number shows the number of requests the extension has made. When you click on the name (if > 0), it will show the unique URLs of those requests


What does it mean when there is a number shown (indicative of a network call), however when you check little rat extension no extension in the list shows > 0?


this was probably due to an earlier bug where not all extensions were showing on the first load of the popup page, it should be fixed now


Thanks for sharing, would you mind explaining how it works and if there are any general concerns you have with Chrome not sandboxing between extensions? ie, what else is shared between extensions and what risks do you feel are here.

Thanks


The key code is here: https://github.com/dnakov/little-rat/blob/f0b9b6be39af9fe7f4...

  chrome.declarativeNetRequest.onRuleMatchedDebug.addListener((e) => {
    if (e.request.initiator?.startsWith('chrome-extension://')) {
      // ... the request is attributed to the initiating extension here
    }
  });

Given that the extension is using a "Debug" API, it seems unlikely that the Chrome Web Store will approve. "Only available for unpacked extensions with the declarativeNetRequestFeedback permission as this is intended to be used for debugging purposes only." https://developer.chrome.com/docs/extensions/reference/decla...


Yeah, that's correct. The extension loads a rules_1.json file that just "allow"s all traffic originating from third-party scripts through, then logs just the URL of each request coming from a chrome extension. There's probably a way to do this with chrome.webRequest, I'll experiment with that, but generally that one is more expensive in terms of performance.
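The mechanism described in the two comments above (an allow-all rule so every request matches, then a listener that attributes matches to the initiating extension), written out as an added example that is not code from the little-rat repository. The event handling is split into pure functions so it can be tested outside a browser; the `chrome.*` registration at the end only runs when that API is present, and it checks for `onRuleMatchedDebug` being undefined, which is the situation reported for the store build and for Firefox. The static rule resource, the `requestState` map and all function names are assumptions.

```javascript
// Added example, not the project's background script.
// Assumes a static ruleset with an "allow" rule broad enough to match every
// request, so that onRuleMatchedDebug fires for each one (rule file not shown).

// Extract the extension ID from a request initiator such as
// "chrome-extension://abcdefghijklmnopabcdefghijklmnop". Returns null for
// page-initiated requests so they are ignored. Chrome extension IDs are
// 32 characters drawn from a-p.
function extensionIdFromInitiator(initiator) {
  const prefix = 'chrome-extension://';
  if (typeof initiator !== 'string' || !initiator.startsWith(prefix)) return null;
  const id = initiator.slice(prefix.length).split('/')[0];
  return /^[a-p]{32}$/.test(id) ? id : null;
}

// Record one onRuleMatchedDebug event into `state`, a Map from extension ID
// to { count, urls: Set }. Returns the ID that was counted, or null when the
// event did not come from an extension.
function recordMatch(state, event) {
  const id = extensionIdFromInitiator(event?.request?.initiator);
  if (id === null) return null;
  const entry = state.get(id) || { count: 0, urls: new Set() };
  entry.count += 1;
  entry.urls.add(event.request.url);
  state.set(id, entry);
  return id;
}

// Summarise for the popup: one row per extension, busiest first, unique URLs
// sorted so repeated fetches of the same endpoint do not flood the list.
function summarize(state) {
  return [...state.entries()]
    .map(([id, e]) => ({ id, count: e.count, urls: [...e.urls].sort() }))
    .sort((a, b) => b.count - a.count);
}

// Feature check: the debug event only exists for unpacked extensions holding
// declarativeNetRequestFeedback, and is absent in Firefox, so detect it
// instead of throwing at load time.
function debugEventAvailable(api) {
  return typeof api?.declarativeNetRequest?.onRuleMatchedDebug?.addListener === 'function';
}

// Per-session state held by the service worker (assumption: not persisted).
const requestState = new Map();

if (typeof chrome !== 'undefined') {
  if (debugEventAvailable(chrome)) {
    chrome.declarativeNetRequest.onRuleMatchedDebug.addListener((e) => {
      recordMatch(requestState, e);
    });
  } else {
    console.warn('onRuleMatchedDebug unavailable: request counting is disabled');
  }
}
```

Because the counter only sees requests whose initiator origin is an extension, traffic an extension causes by injecting a script or image into a visited page is attributed to that page, which is the blind spot other comments in the thread point out.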


> There's probably a way to do this with chrome.webRequest

Network requests initiated by other extensions in their own context are not visible to other extensions through the webRequest API.


Damn, I was gonna go research it just in case, but then I noticed who posted this. Mad respect for your work!


FYI: That CRX in Releases did not work for me - it did install correctly, it showed up in the toolbar but opened an empty popup (no extensions were listed)...

The unpacked zip worked just fine though!

Nice extension, thanks!

(Vivaldi 6.2.3096.3 on Linux)


Also it seems that the "mute" button is somewhat broken or something - I have ~10 extensions and when I click "mute" on some extension, it will toggle mute on the second to the last.

Repeated clicking results in loop of 1) muting second to the last extension 2) muting the extension I'm actually clicking 3) unmuting second to the last and 4) unmuting the one I'm clicking :-D

It is quite hard to describe, I may create a video and upload it somewhere later.


Thanks for the feedback, I'll check it out, I haven't tried it in Vivaldi yet.


Hope it helps!

I was clicking around for a bit and noticed one more thing: it does not display "Anti Anti Debug" extension - but that extension suddenly appears when I toggle any mute button.

Maybe that extension is doing something funny? It is too late for me to try now but I will keep digging around tomorrow.


fixed the mute button btw. i noticed the other thing you mentioned as well


Thank you so much! This is so useful, now I don't have to audit extensions manually.


that's a good use case.


But who’s watching rat man?


little rat is watching itself too


ooh, love it. Would be great to have some installation information within the repo for people who aren't savvy at enabling dev mode in chrome extensions


or just link to something off google for it, we shouldn't have to write that for every oss chrome extension


Thing is, you can't, Google makes it very difficult to run extensions from anywhere but Chrome Store for a reason - if they didn't, scammers would jump on it.


really cool thanks!


If you can - do not install any extensions. I’ve had a couple like an ad blocker and something else leak my browser history to similarweb and neither extension or similarweb showed that they sell/collect my data.


The only viable adblocker is uBlock Origin.

There are several clones that are trying to piggyback on that name though. You have to go for the original one - the one from Raymond Hill (or gorhill)!


Which ad blocker was it?


Pretty close naming to Little Snitch - the Mac network monitoring tool!


I assumed that was intentional (rat being slang for snitch)


haha yes, I called it Tiny Snitch at first, but it's too close.


Depending on your intentions, the repo would benefit from a license instead of just using github for code hosting


Thanks for pointing it out, forgot to add it.


github could advance OSS a lot by making license reminders much more prominent. so much code intended-to-be-open-source can't be treated that way because no license file. if anyone from github is here please prod someone in your UI department to make a banner or something!


How can I be assured that installing a random Chrome extension from a random person on the internet that has access to all my network data and can't get approved in the Chrome store is safe? :)


I guess the answer is that you must be able to read the code and use your own judgement.

Here the actual code of the extension is basically 2 files, one of 114 lines and the other 66. Plain js, easy to digest. Looks pretty safe.


I'm with you on that one, that's why the code is on github. The best way to install it is to check out the code for any risks, download the repo as a ZIP file and install it.


Verifying Github source code is not sufficient, since you don't know the release contains that source code (when downloading from the store). You'd have to verify signatures.

Also, plenty of these extensions have been acquired by data firms or other sketchy places to then add your browser to botnets. If these are absolutely necessary for you, I highly recommend downloading the source and dumping it into Chrome/Edge via developer mode. At least then you know they can't update it in the background and you know what you're running.


You could always download it from github, turn on developer mode in chrome (there's a little switch in the top right corner of the chrome://extensions ui), and then load it as an unpacked extension from source without ever touching the chrome web store.


.crx is just a .zip underneath. You can unzip it and inspect the code.


I thought it's just installed and that's it, cool...


It's not in the store, you download it


By reading the source code? No wonder reddit used to go down so often...


I don't pretend to be a security expert in every language.

> No wonder reddit used to go down so often...

That's uncalled for. If this were reddit I'd have a much spicier retort.


just a joke, apologies :(

you leaving is actually part of the reason I left at the time, you were one of the few admins who regularly participated (it seemed)


No worries, I know it was a joke. You can't be a reddit admin for years and not have a thick skin. :)



