[HN Gopher] Show HN: Little Rat - Chrome extension monitors netw...
___________________________________________________________________
Show HN: Little Rat - Chrome extension monitors network calls of
all extensions
Hi HN I needed a way to monitor network calls made by chrome
extensions so I made a small extension. You can install it by
dropping the zip or crx into the extensions page. It'll be on the
chrome store whenever/if it gets through the review. Hopefully
it's useful to others. https://github.com/dnakov/little-rat
https://twitter.com/dnak0v
Author : npace12
Score : 334 points
Date : 2023-08-14 11:49 UTC (11 hours ago)
| canthonytucci wrote:
| Love the name. I have been looking for something just like this.
| p1mrx wrote:
| Given that this extension is not very easy to install, I suggest
| adding a screenshot showing some actual captured network events.
| The current screenshot hides the most interesting feature.
| yuvalkarmi wrote:
| Pretty close naming to Little Snitch - the Mac network monitoring
| tool!
| npace12 wrote:
| haha yes, I called it Tiny Snitch at first, but it's too close.
| [deleted]
| cantSpellSober wrote:
| I assumed that was intentional (rat being slang for snitch)
| cantSpellSober wrote:
| Thanks for sharing! I'll wait till it's on chrome store cuz I'm
| lazy and don't use Twitter.
| judge2020 wrote:
| Since it uses `declarativeNetRequest.onRuleMatchedDebug`[0],
| which is supposed to be debug-only, I doubt it'll be allowed in
| the chrome webstore.
|
| 0: https://github.com/dnakov/little-
| rat/blob/f0b9b6be39af9fe7f4...
| Daviey wrote:
| 1) Go to Releases, right click the crx file and save. 2)
| In Chrome, go to Extensions then drag and drop the crx file
| 3) Profit
| smusamashah wrote:
| It is added to extensions but remains disabled with the following
| message
|
| > This extension is not listed in the Chrome Web Store and
| may have been added without your knowledge. Learn more https:
| //support.google.com/chrome_webstore/answer/2811969?vi...
| mdaniel wrote:
| Depending on your intentions, the repo would benefit from a
| license instead of just using github for code hosting
| npace12 wrote:
| Thanks for pointing it out, forgot to add it.
| swyx wrote:
| github could advance OSS a lot by making license reminders
| much more prominent. so much code intended-to-be-open-source
| can't be treated that way because there's no license file. if anyone
| from github is here please prod someone in your UI department
| to make a banner or something!
| [deleted]
| altairprime wrote:
| I wish this was a feature of Firefox (or Chrome, as if Google
| would ever), rather than a third-party extension, so that it had
| enough adoption to compel other browsers to care too. I'd like
| very much to authorize certain extensions to only make GET
| requests to specific static URLs without any ability to vary the
| headers, so that they can get data updates without there being
| any risk of leaking data. And for others, they don't need network
| access at all to do their job locally in my browser instance. But
| that would be circumventable (since anything that can modify page
| source can add data transmission), so I imagine they aren't doing
| it because of that. Too bad -- better to _try_ than just give up
| and cede it to a Chrome extension.
| tim1994 wrote:
| IIRC extensions cannot access any URL that hasn't been
| specified in the manifests permission section. I think Firefox
| shows those URLs in the permission prompt. Those URLs can
| contain wildcards though and I even think there is a special
| value for all URLs but only few extensions should require that
| permission.
| altairprime wrote:
| * * *
| 1vuio0pswjnm7 wrote:
| "I wish this was a feature of Firefox (or Chrome, as if Google
| would ever), rather than a third-party extension, so that it
| had enough adoption to compel other browsers to care too."
|
| "I'd like very much to authorize certain extensions to only
| make GET requests to specific static URLs without any ability
| to vary the headers, so that they can get data updates without
| there being any risk of leaking data."
|
| This is possible using a forward proxy that the user compiles
| and controls.
|
| Keep in mind that if this was a "feature of Firefox/Chrome"
| then it's under Mozilla/Google control.
|
| Further, it will only limit Firefox/Chrome not any other
| application.
|
| This will involve fighting against the TLS certificate
| "business", e.g., warning screens and the like in response to
| certificate created by the computer owner, in order to control
| HTTP traffic coming from a computer owned by the user not
| Mozilla/Google, and (if at home, for example) going over a
| network owned by the user not Mozilla/Google.
|
| It's possible to conclude that these so-called "tech" companies
| are using the TLS certificate business, whether intentionally
| or not, to ensure they can keep covertly collecting data from
| users to support their online advertising services business and
| remain free from user control over data exfiltration from user-
| owned computers and networks. People working for such so-called
| "tech" companies will almost certainly dismiss that conclusion.
| Nevertheless, it's still possible to reach it.
| hsbauauvhabzb wrote:
| A get request can leak data via the request path or querystring
| parameters, if that was restricted you could set up
| communication in which timing or frequency implies activity with a
| morse code like protocol (and with enough requests, easily
| transfer megabytes of data).
| altairprime wrote:
| You can just do whatever the modern equivalent of
| document.trackingPixel.src = 'leak all your data here in a
| single request', since extensions can modify content
| blocking. Firefox should ask for, accept, and audit a
| statement of _whether_ your extension needs to make dynamic
| network calls or not, and _why_ it needs to do so. Yes, you
| could lie -- but then you'd get caught lying, in violation
| of, kicked off the store, etc. Today, you can just add
| tracking, and no one can take any useful action as a result.
| emmanueloga_ wrote:
| Nice! Feels like something that should be a chrome:// URL.
| UberFly wrote:
| That was my first thought. Why isn't this native to Chromium
| seeing that extensions are such a security/privacy risk.
| elashri wrote:
| sounds great, do you have plans to port it to Firefox?
|
| Does anyone know an equivalent that does the same thing on Firefox?
| krono wrote:
| I believe that these connections should also appear in the
| browser console[1], otherwise you could always log the
| traffic[2] or inspect/debug any individual extension[3].
|
| You will be amazed at the obvious extension policy violations
| Mozilla is letting many of their "recommended" extensions get
| away with.
|
| [1]: https://firefox-source-docs.mozilla.org/devtools-
| user/browse...
|
| [2]: https://firefox-source-
| docs.mozilla.org/networking/http/logg...
|
| [3]: https://firefox-source-docs.mozilla.org/devtools-
| user/about_...
| Modified3019 wrote:
| Any notable offenders? Seems like something worth reporting.
| krono wrote:
| Listed some offences and offenders in another comment from
| last June: https://news.ycombinator.com/item?id=35792605
|
| I've reported these and several other extensions again
| every time they were updated in great technical detail and
| through various official channels, but stopped bothering
| when about a year and several extension updates later
| nothing had changed.
| ColoursofOSINT wrote:
| Could you provide some of the details regarding these
| extensions?
|
| I am not a user, but I have some time to throw something
| together about it.
|
| Giphy seems to have some compiled code in a weird .ts
| format (which I have not seen before, but I am a novice).
|
| It also loads a script from https://www.google-
| analytics.com/analytics.js, isn't that remote code?
|
| Also, I could not find a privacy policy, even though
| there is information being sent and received.
| Modified3019 wrote:
| Good to know, thank you.
|
| If you still happen to have the technical detail you sent
| off somewhere, that seems like it would be a great
| reference for starting to learn what to look for. Hell
| I'm sure HN would appreciate it as a submission (assuming
| it actually gets eyes and doesn't die in _new_ )
|
| I hadn't really cared about this topic, because it adds
| yet more cognitive overhead and I was relying on mozilla
| to care. Seems this faith was misplaced.
| npace12 wrote:
| Yeah, I'm going to try this shortly, will post an update.
| 123pie123 wrote:
| looking forward to this
| username135 wrote:
| Same
| distortedsignal wrote:
| Interesting.
|
| I'll be watching this. Thanks for the project!
| fjfuvucucuc wrote:
| Waiting :)
| npace12 wrote:
| update: so far not great...
|
| declarativeNetRequest.onRuleMatchedDebug is not available
| [1] Even though the docs say it's behind a flag [2], it's
| undefined.
|
| [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745773
| [2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-
| ons/Web...
| vdfs wrote:
| In most cases, just adding "var chrome = browser;" to the top
| of each js files would make it work for firefox, which is just
| a copy of Chrome Extension APIs with slight changes
| judge2020 wrote:
| According to mdn[0], Firefox does not support
| onRuleMatchedDebug so just importing the code likely won't
| work.
|
| 0: https://developer.mozilla.org/en-US/docs/Mozilla/Add-
| ons/Web...
| [deleted]
| lapcat wrote:
| Firefox add-ons actually recognize the "chrome" keyword.
| weaksauce wrote:
| they actually have a js polyfill that lets you use the
| promise-based `browser` keyword in chrome too.
| Daviey wrote:
| Thanks for sharing, would you mind explaining how it works and if
| there are any general concerns you have with Chrome not
| sandboxing between extensions? ie, what else is shared between
| extensions and what risks do you feel are here.
|
| Thanks
| lapcat wrote:
| The key code is here: https://github.com/dnakov/little-
| rat/blob/f0b9b6be39af9fe7f4...
| chrome.declarativeNetRequest.onRuleMatchedDebug.addListener((e) => {
|   if (e.request.initiator?.startsWith('chrome-extension://')) {
|
| Given that the extension is using a "Debug" API, it seems
| unlikely that the Chrome Web Store will approve. "Only
| available for unpacked extensions with the
| declarativeNetRequestFeedback permission as this is intended to
| be used for debugging purposes only."
| https://developer.chrome.com/docs/extensions/reference/decla...
| npace12 wrote:
| Yeah, that's correct. The extension loads a rules_1.json file
| that just "allow"s all traffic originating from third-party
| scripts through, then logs just the URL of each request
| coming from a chrome extension. There's probably a way to do
| this with chrome.webRequest, I'll experiment with that, but
| generally that one is more expensive in terms of performance.
| gorhill wrote:
| > There's probably a way to do this with chrome.webRequest
|
| Network requests initiated by other extensions in their own
| context are not visible to other extensions through the
| webRequest API.
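The mechanism npace12 describes, together with gorhill's caveat that webRequest cannot see other extensions' requests, as an added example (not the little-rat code): a Manifest V3 manifest requesting declarativeNetRequestFeedback, an allow-all static rule, and a listener that keeps only events whose initiator is an extension origin. The file names, the rule shape and the log record format are assumptions.

```javascript
// Added example (not the little-rat code): observing other extensions'
// requests through declarativeNetRequest.onRuleMatchedDebug, which per the
// thread is debug-only, needs declarativeNetRequestFeedback and only fires
// for unpacked extensions; webRequest does not see those requests at all.
// manifest.json (write this object out as JSON; file names are assumptions):
const manifest = {
  manifest_version: 3,
  name: "extension network monitor (example)",
  version: "0.1",
  permissions: ["declarativeNetRequest", "declarativeNetRequestFeedback"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules_1.json" }],
  },
};
// rules_1.json: a single "allow" rule matching everything (rule shape is an
// assumption), so every request produces a match, and therefore a debug
// event, without anything being blocked.
const rules = [
  { id: 1, priority: 1, action: { type: "allow" }, condition: { urlFilter: "*" } },
];
const EXT_PREFIX = "chrome-extension://";
// Return the id of the extension that initiated the request, or null when
// the initiator is a web origin, missing, or not a well-formed extension origin.
function initiatingExtension(event) {
  const initiator = event?.request?.initiator;
  if (typeof initiator !== "string" || !initiator.startsWith(EXT_PREFIX)) return null;
  const id = initiator.slice(EXT_PREFIX.length).split("/")[0];
  return /^[a-p]{32}$/.test(id) ? id : null; // Chrome ids: 32 letters a-p
}
// Append one log record for an extension-initiated request; false otherwise.
function recordEvent(log, event) {
  const id = initiatingExtension(event);
  if (id === null) return false;
  const { method, url, type } = event.request;
  log.push({ extension: id, method, url, type, at: Date.now() });
  return true;
}
// background.js: wire the listener up only inside an extension service worker
// (the guard makes the file harmless to load under plain Node).
if (typeof chrome !== "undefined" && chrome.declarativeNetRequest?.onRuleMatchedDebug) {
  const log = [];
  chrome.declarativeNetRequest.onRuleMatchedDebug.addListener((e) => {
    if (recordEvent(log, e)) console.log("extension request", log[log.length - 1]);
  });
}
```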
| FrenchDevRemote wrote:
| really cool thanks!
| horsawlarway wrote:
| Nifty - but please do this more carefully:
|
| https://github.com/dnakov/little-rat/blob/main/popup.js#L36
|
| I do not want to have to worry about whether another extension
| can inject xss into yours with a crafted request/id/name.
| [deleted]
| npace12 wrote:
| that is a very good point but:
|
| * the content security policy does not allow unsafe-inline
|
| * extension ids are autogenerated by chrome
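One way to keep crafted request data from becoming markup in the popup, as an added example (not the repo's popup.js, whose line 36 is not shown on this page): the extension id is checked against Chrome's 32-letter format, the URL must parse as http(s), and every value reaches the page through textContent, so the CSP is a second layer rather than the only one. The storage key "log", the storage permission and the tbody id "rows" are assumptions.

```javascript
// Added example, not the repo's popup.js: render request records captured
// from other extensions without letting their contents be parsed as HTML.
const EXTENSION_ID = /^[a-p]{32}$/; // Chrome ids are 32 letters a-p, as the author notes

// Validate one captured record; return the strings to display, or null to drop it.
function displayFields(entry) {
  if (!EXTENSION_ID.test(entry.extension)) return null;
  let url;
  try { url = new URL(entry.url); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const method = /^[A-Z]{3,8}$/.test(entry.method) ? entry.method : "?";
  return { extension: entry.extension, method, url: url.href };
}

// Build a table row from text nodes only: a crafted URL or id is displayed
// verbatim, never interpreted as markup or used to build an attribute.
function appendRow(tbody, entry) {
  const fields = displayFields(entry);
  if (fields === null) return false;
  const doc = tbody.ownerDocument;
  const tr = doc.createElement("tr");
  for (const value of [fields.extension, fields.method, fields.url]) {
    const td = doc.createElement("td");
    td.textContent = value; // no innerHTML, no string concatenation into HTML
    tr.appendChild(td);
  }
  tbody.appendChild(tr);
  return true;
}

// popup.js: only runs where a DOM exists; assumes the background script saved
// records under the key "log" (storage permission) and popup.html has <tbody id="rows">.
if (typeof document !== "undefined") {
  const tbody = document.getElementById("rows");
  chrome.storage.local.get("log", ({ log = [] }) => log.forEach((e) => appendRow(tbody, e)));
}
```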
| cryptoegorophy wrote:
| If you can - do not install any extensions. I've had a couple
| like an ad blocker and something else leak my browser history to
| similarweb and neither the extension nor similarweb showed that they
| sell/collect my data.
| pkd wrote:
| Which ad blocker was it?
| jedberg wrote:
| How can I be assured that installing a random Chrome extension
| from a random person on the internet that has access to all my
| network data and can't get approved in the Chrome store is safe?
| :)
| [deleted]
| spread_love wrote:
| By reading the source code? No wonder reddit used to go down so
| often...
| jedberg wrote:
| I don't pretend to be a security expert in every language.
|
| > No wonder reddit used to go down so often...
|
| That's uncalled for. If this were reddit I'd have a much
| spicier retort.
| [deleted]
| teakie wrote:
| [dead]
| npace12 wrote:
| I'm with you on that one, that's why the code is on github. The
| best way to install it is to check out the code for any risks,
| download the repo as a ZIP file and install it.
| duiker101 wrote:
| I guess the answer is that you must be able to read the code
| and use your own judgement.
|
| Here the actual code of the extension is basically 2 files, one
| of 114 lines and the other 66. Plain js, easy to digest. Looks
| pretty safe.
| meesles wrote:
| Verifying Github source code is not sufficient, since you don't
| know the release contains that source code (when downloading
| from the store). You'd have to verify signatures
|
| Also, plenty of these extensions have been acquired by data
| firms or other sketchy places to then add your browser to
| botnets. If these are absolutely necessary for you, I highly
| recommend downloading the source and dumping it into
| Chrome/Edge via developer mode. At least then you know they
| can't update it in the background and you know what you're
| running.
| SoKamil wrote:
| .crx is just a .zip underneath. You can unzip it and inspect
| the code.
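Locating the zip payload inside a .crx so the shipped files can be compared with the repository, as an added example (not project code): a .crx carries a small signed header in front of the zip, so the example finds where the archive begins and writes it out; it does not verify the header's signature. The file names in the usage line are placeholders.

```javascript
// Added example (not from the repo): find the zip payload inside a .crx so
// it can be extracted and compared file by file with the published source.
// Layout: "Cr24" magic, uint32 LE version, a version-specific signed header,
// then an ordinary zip archive. The header's signature is NOT verified here.
function crxZipOffset(buf) {
  if (buf.length < 12 || buf.toString("latin1", 0, 4) !== "Cr24") throw new Error("not a CRX file");
  const version = buf.readUInt32LE(4);
  let offset;
  if (version === 3) {
    offset = 12 + buf.readUInt32LE(8); // header length, then the protobuf header
  } else if (version === 2) {
    if (buf.length < 16) throw new Error("truncated CRX2 header");
    offset = 16 + buf.readUInt32LE(8) + buf.readUInt32LE(12); // public key + signature lengths
  } else {
    throw new Error(`unsupported CRX version ${version}`);
  }
  if (offset + 4 > buf.length) throw new Error("truncated CRX header");
  // A zip begins with a local file header (PK\x03\x04) or, if empty, an
  // end-of-central-directory record (PK\x05\x06).
  const sig = buf.readUInt32LE(offset);
  if (sig !== 0x04034b50 && sig !== 0x06054b50) throw new Error("payload is not a zip archive");
  return { version, offset, zip: buf.subarray(offset) };
}
// Usage: node crx2zip.js extension.crx out.zip   (then unzip out.zip and diff against the repo)
if (typeof require !== "undefined" && require.main === module && process.argv.length === 4) {
  const fs = require("node:fs");
  const { version, offset, zip } = crxZipOffset(fs.readFileSync(process.argv[2]));
  fs.writeFileSync(process.argv[3], zip);
  console.log(`CRX${version}: zip payload starts at byte ${offset}, ${zip.length} bytes written`);
}
```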
| throwaway290 wrote:
| I thought it's just installed and that's it, cool...
| Exuma wrote:
| It's not in the store, you download it
| leke wrote:
| Why not on the chrome store?
| npace12 wrote:
| It's currently under review because it's using the
| chrome.declarativeNetRequest (same API uBlock is using)
| p1mrx wrote:
| Isn't declarativeNetRequest the new, less powerful Manifest
| V3 API that uBlock Origin Lite is using?
| npace12 wrote:
| yeah, little rat is using manifest v3
| cal85 wrote:
| Hang on do you mean to say the web store might accept an
| extension with `declarativeNetRequestFeedback` permission, it
| just might take longer and be less certain? I've got an
| extension that could potentially really benefit from using
| this permission (because I want to be able to dynamically
| decide whether to take an action in a content script based on
| the `Content-Type` header; currently I use imperfect content-
| sniffing heuristics instead). The last time I dug into it, it
| seemed that this permission just wasn't going to be available
| after the Manifest v3 moratorium that has already passed. So
| I'm interested to know if anything has changed (or if there's
| any special way that extensions can be approved with this
| permission, e.g. if they're popular enough and have a good
| privacy track record).
| npace12 wrote:
| I'm not sure, but I was curious too, so I submitted it for
| review to find out.
| cal85 wrote:
| Interesting, I had assumed it wouldn't even allow
| uploading it if the manifest required that permission.
| Hope they allow it for you!
| [deleted]
| bromuk wrote:
| ooh, love it. Would be great to have some installation
| information within the repo for people who aren't savvy at
| enabling dev mode in chrome extensions
| swyx wrote:
| or just link to something off google for it, we shouldn't have
| to write that for every oss chrome extension
| mschuster91 wrote:
| Thing is, you can't, Google makes it very difficult to run
| extensions from anywhere but Chrome Store for a reason - if
| they didn't, scammers would jump on it.
___________________________________________________________________
(page generated 2023-08-14 23:00 UTC)