I’m a big fan of Safari Extensions. I’ve written several of my own, some of which I share with the Internet public. But because I’ve built those extensions, I’ve realized how easily a malicious developer could harvest all sorts of information about you, using a method that could sneak in and evade immediate detection.
Installed extensions can add any HTML to any page you surf to. And that’s where the danger comes in — and that danger is actually even worse than it first seems, which is already pretty bad.
Check out my new (actually harmless) extension, which I’ve dubbed The Evil Extension. Instead of searching the page you’re on for links, or tweaking its fonts, this extension creates a new chunk of HTML called an <iframe>.
An <iframe> is used to include an entirely separate webpage within another one. Basically, if I create a webpage called “Lex’s Page,” I can use an <iframe> to embed “John’s Page” somewhere inside it. Web developers these days tend to avoid <iframe>s, but <iframe>s are still around, and all modern web browsers support them.
Now, my extension is, as I said, actually harmless. All my evil.php script does is output the URL you were just visiting, and the IP you came from if it can tell, without saving or storing any of that information. And it shows you what it finds out.
But it could be eviler: It could make that <iframe> invisible, instead of being so obvious. It could pass along the entire contents of the webpage you visited — which could be troublesome if you didn’t want me, say, reading your Gmail messages, or checking out your bank account balance.
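The invisible-frame variant described above can be looked for from the page side. The sketch below is an added example, not code from this post or from the extension: it takes the frames found on a rendered page and flags those that load from an origin the page did not list, ranking hidden ones highest. The function names, the sample frame data, the example.* hosts and the allowlist are all assumptions made for illustration.

```javascript
// Constructed sample: what a page audit might collect for each frame
// (in a browser, from document.querySelectorAll('iframe') and getComputedStyle).
const SAMPLE_FRAMES = [
  { src: 'https://player.example.net/embed/42', width: 560, height: 315 },
  { src: 'https://collector.example.org/evil.php', width: 0, height: 0 },
  { src: 'https://collector.example.org/evil.php', width: 300, height: 80, display: 'none' },
  { src: '/comments/frame.html', width: 1, height: 1 },
  { src: 'https://widgets.example.org/box', width: 300, height: 80 },
];

// A frame the user cannot see: collapsed, transparent or effectively zero-sized.
function isHidden(f) {
  return f.display === 'none' || f.visibility === 'hidden' ||
    Number(f.opacity ?? 1) === 0 || f.width <= 1 || f.height <= 1;
}

// Report frames that load from an origin the page did not list.
// Hidden ones rank "high"; visible ones are left for manual review.
function auditFrames(pageUrl, frames, allowedOrigins = []) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const f of frames) {
    let target;
    try {
      target = new URL(f.src, page); // resolves a relative src against the page
    } catch {
      findings.push({ src: f.src, origin: null, severity: 'review', reason: 'unparseable src' });
      continue;
    }
    // Same-origin and allowlisted frames are expected page content.
    if (target.origin === page.origin || allowedOrigins.includes(target.origin)) continue;
    const hidden = isHidden(f);
    findings.push({
      src: f.src,
      origin: target.origin,
      severity: hidden ? 'high' : 'review',
      reason: hidden ? 'hidden frame from unlisted origin' : 'visible frame from unlisted origin',
    });
  }
  return findings;
}

const report = auditFrames('https://bank.example.com/account', SAMPLE_FRAMES,
  ['https://player.example.net']);
console.log(report);
```

A check like this only sees frames that are present in the DOM when it runs; it says nothing about which extension inserted them.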
Even worse, though, it could disguise itself as something useful — and even start out pure.
Safari can update your extensions automatically. Included in the extension is a URL that the developer may optionally provide, and Safari checks that URL on occasion to see if a new version of your extension is available. If it is, Safari will install that new version silently.
Thus, the mythical A Decidedly Un-Evil Extension, which could provide the definition of any word you double-clicked on, could seem noble and safe. After a few months of swelling popularity, the extension’s nefarious creator could update the extension with <iframe> evilness, and start gathering personal information about you from the webpages you visit. Unless you regularly check your Safari extensions’ version numbers, you might never even know that the extension had been updated, and therefore never even suspect any change had occurred.
My short-term solution to this problem is that you should, at a minimum, disable automatic updating for Safari Extensions by unchecking the box.
I realize, though, that you could manually install upgrades to your extensions, and still get tricked by a nefarious attacker. Short of decompiling every new version of an extension and inspecting its code, which is neither scalable nor accessible, there’s no way to know at a glance whether an extension is performing this sort of privacy invasion with an <iframe> (or with other, fancier techniques).
Sadly, there’s no easy solution for Apple to implement, either. Certainly Safari could block various elements of what makes this hack work, but to block every means of gathering this data would necessitate artificially limiting what Safari Extensions can do. The only other alternative is to rely on Apple’s own Extensions Directory, on the (potentially erroneous) assumption that Apple inspects the extensions it includes there for just such trickery.
Now, let me be clear: I know of no such Safari Extension that’s doing evil stuff like this. I also have no doubt that such evilness is possible with Chrome and Firefox extensions, but I’m a Safari man, and that’s the browser I know. I’m not suggesting you avoid extensions or fear each new one you install. Rather, I’m suggesting that you should be aware of what extensions can do, make sure you trust the developers who make the ones you use, and stay informed.