Lex Friedman blogs here.


Be careful with your Safari Extensions, and turn off auto-updating

I’m a big fan of Safari Extensions. I’ve written several of my own, some of which I share with the Internet public. But because I’ve built those extensions, I’ve realized how easily a malicious developer could harvest all sorts of information about you, using a method that could sneak in and evade immediate detection.

First, a very broad primer on how Safari Extensions work: Like webpages, extensions consist of JavaScript, CSS, and HTML. My “Affiliatizer for Safari” extension, for example, uses JavaScript to pull all the links on a page. It then checks each link in turn to see whether it points to Amazon, and tweaks the URL that link points to (adding in an affiliate code of your choosing, if one isn’t already present) — all via JavaScript.

Installed extensions can add any HTML to any page you surf to. And that’s where the danger comes in — and that danger is actually even worse than it first seems, which is already pretty bad.

Check out my new (actually harmless) extension, which I’ve dubbed The Evil Extension. Instead of searching the page you’re on for links, or tweaking its fonts, this extension creates a new chunk of HTML called an <iframe>. 

An <iframe> is used to include an entirely separate webpage within another one. Basically, if I create a webpage called “Lex’s Page,” I can use an <iframe> to embed “John’s Page” somewhere inside it. Web developers these days tend to avoid <iframes>, but <iframes> are still around, and all modern web browsers support them.

The Evil Extension creates an <iframe>, using JavaScript, on every page you navigate to. That <iframe> points to http://lexfriedman.com/extensions/evil.php, with one caveat: I append the URL of the page you’re currently visiting to that URL. With my Evil Extension installed, when I go to Google, an <iframe> is added to the page that points to http://lexfriedman.com/extensions/evil.php?url=http://www.google.com/.
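A defender-side check for the pattern just described, added here as an example and not part of the original post or the Evil Extension itself: given the src of every <iframe> on a page and the page’s own URL, it flags frames that are cross-origin and carry the visited page’s URL in their query string. The sample frame list is constructed for illustration; the `auditFrames` and `analyzeFrame` names are my own.

```javascript
// Classify one frame src against the page it was found on.
// Node's global URL class is used for parsing; no DOM is required.
function analyzeFrame(frameSrc, pageUrl) {
  const page = new URL(pageUrl);
  let frame;
  try {
    frame = new URL(frameSrc, page); // relative srcs resolve against the page
  } catch (e) {
    return { src: frameSrc, origin: null, crossOrigin: false, leaksUrl: false, verdict: "unparseable" };
  }
  const crossOrigin = frame.origin !== page.origin;
  // The Evil Extension's tell: the current page's URL (or at least its host)
  // shows up as a query-string value on a third-party frame.
  let leaksUrl = false;
  for (const [, value] of frame.searchParams) {
    if (value.includes(page.href) || value.includes(page.hostname)) {
      leaksUrl = true;
      break;
    }
  }
  let verdict = "same-origin";
  if (crossOrigin) verdict = leaksUrl ? "exfiltrating-url" : "cross-origin";
  return { src: frame.href, origin: frame.origin, crossOrigin, leaksUrl, verdict };
}

// Return only the frames that match the exfiltration pattern.
function auditFrames(frameSrcs, pageUrl) {
  return frameSrcs
    .map((src) => analyzeFrame(src, pageUrl))
    .filter((r) => r.verdict === "exfiltrating-url");
}

// Constructed sample: what a visit to Google might contain with the post's
// Evil Extension installed, next to a same-origin frame and an ordinary embed.
const SAMPLE_PAGE = "http://www.google.com/";
const SAMPLE_FRAMES = [
  "/maps/embed?q=coffee",                                                  // same origin
  "http://www.youtube.com/embed/abc123",                                   // third party, no leak
  "http://lexfriedman.com/extensions/evil.php?url=http://www.google.com/", // the post's example
];

console.log(auditFrames(SAMPLE_FRAMES, SAMPLE_PAGE));
```

In a browser you would feed it `Array.from(document.querySelectorAll("iframe"), (f) => f.src)` and `location.href`; a frame hidden with CSS still has a src, so the invisible variant the post goes on to mention is caught the same way.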

Now, my extension is, as I said, actually harmless. All my evil.php script does is output the URL you were just visiting, and the IP you came from if it can tell, without saving or storing any of that information. And it shows you what it finds out:

[Screenshot: An Evil Extension]

But it could be eviler: It could make that <iframe> invisible, instead of being so obvious. It could pass along the entire contents of the webpage you visited — which could be troublesome if you didn’t want me, say, reading your Gmail messages, or checking out your bank account balance.

Even worse, though, it could disguise itself as something useful — and even start out pure.

Safari can update your extensions automatically. Included in the extension is a URL that the developer may optionally provide, and Safari checks that URL on occasion to see if a new version of your extension is available. If it is, Safari will install that new version silently.

Thus, a mythical extension, call it A Decidedly Un-Evil Extension, which could provide the definition of any word you double-clicked on, could seem noble and safe. After a few months of swelling popularity, the extension’s nefarious creator could update it with <iframe> evilness and start gathering personal information about you from the webpages you visit. Unless you regularly check your Safari Extensions’ version numbers, you might never even know that the extension had been updated, and therefore never suspect that any change had occurred.

My short-term solution to this problem is that you should, at a minimum, disable automatic updating for Safari Extensions by unchecking the box:

I realize, though, that you could manually install upgrades to your extensions and still get tricked by a nefarious attacker. Short of decompiling every new version of an extension and inspecting its code, which is neither scalable nor accessible, there’s no way to know at a glance whether an extension is performing this sort of privacy invasion via an <iframe> (or some other, fancier technique).

Sadly, there’s no easy solution for Apple to implement, either. Certainly Safari could block various elements of what makes this hack work, but to block every means of gathering this data would necessitate artificially limiting what Safari Extensions can do. The only other alternative is to rely on Apple’s own Extensions Directory, on the (potentially erroneous) assumption that Apple inspects the extensions it includes there for just such trickery.

Now, let me be clear: I know of no such Safari Extension that’s doing evil stuff like this. I also have no doubt that such evilness is possible with Chrome and Firefox extensions, but I’m a Safari man, and that’s the browser I know. I’m not suggesting you avoid extensions or fear each new one you install. Rather, I’m suggesting that you should be aware of what extensions can do, make sure you trust the developers who make the ones you use, and stay informed.

Posted on August 10th, 2010