[HN Gopher] Show HN: Little Rat - Chrome extension monitors network calls of all extensions
___________________________________________________________________

Hi HN, I needed a way to monitor network calls made by chrome extensions, so I made a small extension. You can install it by dropping the zip or crx into the extensions page. It'll be on the chrome store whenever/if it gets through the review. Hopefully it's useful to others.

https://github.com/dnakov/little-rat
https://twitter.com/dnak0v

Author : npace12
Score  : 334 points
Date   : 2023-08-14 11:49 UTC (11 hours ago)

canthonytucci wrote:
| Love the name. I have been looking for something just like this.

p1mrx wrote:
| Given that this extension is not very easy to install, I suggest adding a screenshot showing some actual captured network events. The current screenshot hides the most interesting feature.

yuvalkarmi wrote:
| Pretty close naming to Little Snitch - the Mac network monitoring tool!

npace12 wrote:
| haha yes, I called it Tiny Snitch at first, but it's too close.

[deleted]

cantSpellSober wrote:
| I assumed that was intentional (rat being slang for snitch)

cantSpellSober wrote:
| Thanks for sharing! I'll wait till it's on the chrome store cuz I'm lazy and don't use Twitter.

judge2020 wrote:
| Since it uses `declarativeNetRequest.onRuleMatchedDebug`[0], which is supposed to be debug-only, I doubt it'll be allowed in the chrome webstore.
|
| 0: https://github.com/dnakov/little-rat/blob/f0b9b6be39af9fe7f4...

Daviey wrote:
| 1) Go to Releases, right click the crx file and save.
| 2) In Chrome, go to Extensions then drag and drop the crx file
| 3) Profit

smusamashah wrote:
| It is added to extensions but remains disabled with the following message
|
| > This extension is not listed in the Chrome Web Store and may have been added without your knowledge. Learn more https://support.google.com/chrome_webstore/answer/2811969?vi...

mdaniel wrote:
| Depending on your intentions, the repo would benefit from a license instead of just using github for code hosting

npace12 wrote:
| Thanks for pointing it out, forgot to add it.

swyx wrote:
| github could advance OSS a lot by making license reminders much more prominent. so much code intended-to-be-open-source can't be treated that way because of no license file. if anyone from github is here please prod someone in your UI department to make a banner or something!

[deleted]

altairprime wrote:
| I wish this was a feature of Firefox (or Chrome, as if Google would ever), rather than a third-party extension, so that it had enough adoption to compel other browsers to care too. I'd like very much to authorize certain extensions to only make GET requests to specific static URLs without any ability to vary the headers, so that they can get data updates without there being any risk of leaking data. And for others, they don't need network access at all to do their job locally in my browser instance. But that would be circumventable (since anything that can modify page source can add data transmission), so I imagine they aren't doing it because of that. Too bad -- better to _try_ than just give up and cede it to a Chrome extension.

tim1994 wrote:
| IIRC extensions cannot access any URL that hasn't been specified in the manifest's permission section. I think Firefox shows those URLs in the permission prompt. Those URLs can contain wildcards though, and I even think there is a special value for all URLs, but only few extensions should require that permission.

altairprime wrote:
| * * *

1vuio0pswjnm7 wrote:
| "I wish this was a feature of Firefox (or Chrome, as if Google would ever), rather than a third-party extension, so that it had enough adoption to compel other browsers to care too."
|
| "I'd like very much to authorize certain extensions to only make GET requests to specific static URLs without any ability to vary the headers, so that they can get data updates without there being any risk of leaking data."
|
| This is possible using a forward proxy that the user compiles and controls.
|
| Keep in mind that if this was a "feature of Firefox/Chrome" then it's under Mozilla/Google control.
|
| Further, it will only limit Firefox/Chrome, not any other application.
|
| This will involve fighting against the TLS certificate "business", e.g., warning screens and the like in response to a certificate created by the computer owner, in order to control HTTP traffic coming from a computer owned by the user, not Mozilla/Google, and (if at home, for example) going over a network owned by the user, not Mozilla/Google.
|
| It's possible to conclude that these so-called "tech" companies are using the TLS certificate business, whether intentionally or not, to ensure they can keep covertly collecting data from users to support their online advertising services business and remain free from user control over data exfiltration from user-owned computers and networks. People working for such so-called "tech" companies will almost certainly dismiss that conclusion. Nevertheless, it's still possible to reach it.

hsbauauvhabzb wrote:
| A GET request can leak data via the request path or querystring parameters; if that was restricted you could set up communication where timing or frequency imply activity with a morse code like protocol (and with enough requests, easily transfer megabytes of data).

altairprime wrote:
| You can just do whatever the modern equivalent of document.trackingPixel.src = 'leak all your data here in a single request' is, since extensions can modify content blocking. Firefox should ask for, accept, and audit a statement of _whether_ your extension needs to make dynamic network calls or not, and _why_ it needs to do so. Yes, you could lie -- but then you'd get caught lying, in violation of, kicked off the store, etc. Today, you can just add tracking, and no one can take any useful action as a result.

emmanueloga_ wrote:
| Nice! Feels like something that should be a chrome:// URL.

UberFly wrote:
| That was my first thought. Why isn't this native to Chromium, seeing that extensions are such a security/privacy risk.

elashri wrote:
| sounds great, do you have plans to port it to Firefox?
|
| Does anyone know an equivalent that does the same thing on Firefox?

krono wrote:
| I believe that these connections should also appear in the browser console[1], otherwise you could always log the traffic[2] or inspect/debug any individual extension[3].
|
| You will be amazed at the obvious extension policy violations Mozilla is letting many of their "recommended" extensions get away with.
|
| [1]: https://firefox-source-docs.mozilla.org/devtools-user/browse...
|
| [2]: https://firefox-source-docs.mozilla.org/networking/http/logg...
|
| [3]: https://firefox-source-docs.mozilla.org/devtools-user/about_...

Modified3019 wrote:
| Any notable offenders? Seems like something worth reporting.

krono wrote:
| Listed some offences and offenders in another comment from last June: https://news.ycombinator.com/item?id=35792605
|
| I've reported these and several other extensions again every time they were updated, in great technical detail and through various official channels, but stopped bothering when about a year and several extension updates later nothing had changed.

ColoursofOSINT wrote:
| Could you provide some of the details regarding these extensions?
|
| I am not a user, but I have some time to throw something together about it.
|
| Giphy seems to have some compiled code in a weird .ts format (which I have not seen before, but I am a novice).
|
| It also loads a script from https://www.google-analytics.com/analytics.js, isn't that remote code?
|
| Also, I could not find a privacy policy, even though there is information being sent and received.

Modified3019 wrote:
| Good to know, thank you.
|
| If you still happen to have the technical detail you sent off somewhere, that seems like it would be a great reference for starting to learn what to look for. Hell, I'm sure HN would appreciate it as a submission (assuming it actually gets eyes and doesn't die in _new_)
|
| I hadn't really cared about this topic, because it adds yet more cognitive overhead and I was relying on mozilla to care. Seems this faith was misplaced.

npace12 wrote:
| Yeah, I'm going to try this shortly, will post an update.

123pie123 wrote:
| looking forward to this

username135 wrote:
| Same

distortedsignal wrote:
| Interesting.
|
| I'll be watching this. Thanks for the project!

fjfuvucucuc wrote:
| Waiting :)

npace12 wrote:
| update: so far not great...
|
| declarativeNetRequest.onRuleMatchedDebug is not available [1]. Even though the docs say it's behind a flag [2], it's undefined.
|
| [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745773
| [2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

vdfs wrote:
| In most cases, just adding "var chrome = browser;" to the top of each js file would make it work for firefox, which is just a copy of Chrome Extension APIs with slight changes

judge2020 wrote:
| According to mdn[0], Firefox does not support onRuleMatchedDebug, so just importing the code likely won't work.
|
| 0: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

[deleted]

lapcat wrote:
| Firefox add-ons actually recognize the "chrome" keyword.

weaksauce wrote:
| they actually have a js polyfill that lets you use the promise based `browser` keyword in chrome too.

Daviey wrote:
| Thanks for sharing, would you mind explaining how it works and if there are any general concerns you have with Chrome not sandboxing between extensions? ie, what else is shared between extensions and what risks do you feel are here.
|
| Thanks

lapcat wrote:
| The key code is here: https://github.com/dnakov/little-rat/blob/f0b9b6be39af9fe7f4...
|
|     chrome.declarativeNetRequest.onRuleMatchedDebug.addListener((e) => {
|       if (e.request.initiator?.startsWith('chrome-extension://')) {
|
| Given that the extension is using a "Debug" API, it seems unlikely that the Chrome Web Store will approve. "Only available for unpacked extensions with the declarativeNetRequestFeedback permission as this is intended to be used for debugging purposes only." https://developer.chrome.com/docs/extensions/reference/decla...

npace12 wrote:
| Yeah, that's correct. The extension loads a rules_1.json file that just "allow"s all traffic originating from third-party scripts through, then logs just the URL of each request coming from a chrome extension. There's probably a way to do this with chrome.webRequest, I'll experiment with that, but generally that one is more expensive in terms of performance.

gorhill wrote:
| > There's probably a way to do this with chrome.webRequest
|
| Network requests initiated by other extensions in their own context are not visible to other extensions through the webRequest API.

FrenchDevRemote wrote:
| really cool, thanks!

horsawlarway wrote:
| Nifty - but please do this more carefully:
|
| https://github.com/dnakov/little-rat/blob/main/popup.js#L36
|
| I do not want to have to worry about whether another extension can inject xss into yours with a crafted request/id/name.
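An added example, not code from the Little Rat repository or its author, that puts the two points of this part of the thread side by side: the initiator filter on `onRuleMatchedDebug` events that lapcat quotes, and rendering the captured ids and URLs into a popup without `innerHTML`, which is the concern raised about popup.js. The function names (`extensionIdFromInitiator`, `summarizeExtensionRequests`, `renderSummary`), the sample events and the contents of the allow rule are assumptions; the repository's real rules_1.json may differ. The summary logic runs in plain Node.js; the rendering only runs where a `document` exists.

```javascript
// A declarativeNetRequest rule of the kind the author describes: "allow" third-party
// traffic so that onRuleMatchedDebug fires for it. Rule contents are an assumption.
const ALLOW_THIRD_PARTY_RULE = {
  id: 1,
  priority: 1,
  action: { type: "allow" },
  condition: { urlFilter: "*", domainType: "thirdParty" },
};

const EXT_A = "abcdefghijklmnopabcdefghijklmnop"; // constructed, well-formed extension id

// Constructed sample of what onRuleMatchedDebug hands to a listener ({ request, rule }).
// Only the fields used below are filled in. Event 4 carries an initiator with markup in it,
// event 5 a URL that does not parse, event 6 no initiator at all.
const SAMPLE_EVENTS = [
  { request: { initiator: "chrome-extension://" + EXT_A, url: "https://telemetry.example/collect?u=1", method: "POST" }, rule: { ruleId: 1, rulesetId: "ruleset_1" } },
  { request: { initiator: "https://news.ycombinator.com", url: "https://cdn.example/app.js", method: "GET" }, rule: { ruleId: 1, rulesetId: "ruleset_1" } },
  { request: { initiator: "chrome-extension://" + EXT_A, url: "https://telemetry.example/collect?u=2", method: "POST" }, rule: { ruleId: 1, rulesetId: "ruleset_1" } },
  { request: { initiator: "chrome-extension://<img src=x onerror=alert(1)>", url: "https://evil.example/", method: "GET" }, rule: { ruleId: 1, rulesetId: "ruleset_1" } },
  { request: { initiator: "chrome-extension://" + EXT_A, url: "not a url", method: "GET" }, rule: { ruleId: 1, rulesetId: "ruleset_1" } },
  { request: { url: "https://example.org/" }, rule: { ruleId: 1, rulesetId: "ruleset_1" } },
];

// Returns the extension id if the initiator is a chrome-extension:// origin whose id has the
// shape Chrome generates (32 letters a-p); anything else, including malformed or spoofed
// initiators, yields null so it is never shown to the user.
function extensionIdFromInitiator(initiator) {
  if (typeof initiator !== "string" || !initiator.startsWith("chrome-extension://")) return null;
  const id = initiator.slice("chrome-extension://".length).replace(/\/.*$/, "");
  return /^[a-p]{32}$/.test(id) ? id : null;
}

// Groups matched requests by extension id: request count and distinct target hostnames.
// Hostnames come from the URL parser, not from string slicing, so an unparseable URL is
// recorded as such instead of leaking raw text into the summary.
function summarizeExtensionRequests(events) {
  const byExtension = {};
  let ignored = 0;
  for (const e of events) {
    const id = extensionIdFromInitiator(e.request && e.request.initiator);
    if (id === null) { ignored++; continue; }
    let host;
    try { host = new URL(e.request.url).hostname || "(no host)"; } catch { host = "(unparseable)"; }
    const entry = byExtension[id] || (byExtension[id] = { requests: 0, hosts: [] });
    entry.requests++;
    if (!entry.hosts.includes(host)) entry.hosts.push(host);
  }
  for (const entry of Object.values(byExtension)) entry.hosts.sort();
  return { byExtension, ignored };
}

// Builds the popup table with createElement/textContent. Text set through textContent is
// displayed literally and never parsed as markup, so an id, name or URL chosen by another
// extension cannot become script or elements inside this popup.
function renderSummary(doc, summary) {
  const table = doc.createElement("table");
  for (const [id, entry] of Object.entries(summary.byExtension)) {
    const row = doc.createElement("tr");
    for (const text of [id, String(entry.requests), entry.hosts.join(", ")]) {
      const cell = doc.createElement("td");
      cell.textContent = text;
      row.appendChild(cell);
    }
    table.appendChild(row);
  }
  return table;
}

// Inside an unpacked extension with the declarativeNetRequestFeedback permission the same
// listener shape the thread quotes would feed real events in; here it is guarded so the
// file also runs under Node.js on the constructed sample.
if (typeof chrome !== "undefined" && chrome.declarativeNetRequest && chrome.declarativeNetRequest.onRuleMatchedDebug) {
  chrome.declarativeNetRequest.onRuleMatchedDebug.addListener((e) => {
    if (extensionIdFromInitiator(e.request.initiator) !== null) console.log(e.request.url);
  });
}
if (typeof document !== "undefined") {
  document.body.appendChild(renderSummary(document, summarizeExtensionRequests(SAMPLE_EVENTS)));
} else {
  console.log(JSON.stringify(summarizeExtensionRequests(SAMPLE_EVENTS), null, 2));
}
```

Run under Node.js the block prints the summary for the constructed events: three requests attributed to the well-formed id, two distinct host entries, and three events ignored (page-initiated, markup in the initiator, no initiator). The `allow` rule is listed only to show the shape of a rule that makes matched-rule events fire; it still has to be declared in the manifest's `declarative_net_request` section to take effect.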
[deleted]

npace12 wrote:
| that is a very good point but:
|
| * the content security policy does not allow unsafe-inline
|
| * extension ids are autogenerated by chrome

cryptoegorophy wrote:
| If you can - do not install any extensions. I've had a couple like an ad blocker and something else leak my browser history to similarweb, and neither the extension nor similarweb showed that they sell/collect my data.

pkd wrote:
| Which ad blocker was it?

jedberg wrote:
| How can I be assured that installing a random Chrome extension from a random person on the internet that has access to all my network data and can't get approved in the Chrome store is safe? :)

[deleted]

spread_love wrote:
| By reading the source code? No wonder reddit used to go down so often...

jedberg wrote:
| I don't pretend to be a security expert in every language.
|
| > No wonder reddit used to go down so often...
|
| That's uncalled for. If this were reddit I'd have a much spicier retort.

[deleted]

teakie wrote:
| [dead]

npace12 wrote:
| I'm with you on that one, that's why the code is on github. The best way to install it is to check out the code for any risks, download the repo as a ZIP file and install it.

duiker101 wrote:
| I guess the answer is that you must be able to read the code and use your own judgement.
|
| Here the actual code of the extension is basically 2 files, one of 114 lines and the other 66. Plain js, easy to digest. Looks pretty safe.

meesles wrote:
| Verifying Github source code is not sufficient, since you don't know the release contains that source code (when downloading from the store). You'd have to verify signatures.
|
| Also, plenty of these extensions have been acquired by data firms or other sketchy places to then add your browser to botnets. If these are absolutely necessary for you, I highly recommend downloading the source and dumping it into Chrome/Edge via developer mode. At least then you know they can't update it in the background and you know what you're running.

SoKamil wrote:
| .crx is just a .zip underneath. You can unzip it and inspect the code.

throwaway290 wrote:
| I thought it's just installed and that's it, cool...

Exuma wrote:
| It's not in the store, you download it

leke wrote:
| Why not on the chrome store?

npace12 wrote:
| It's currently under review because it's using chrome.declarativeNetRequest (same API uBlock is using)

p1mrx wrote:
| Isn't declarativeNetRequest the new, less powerful Manifest V3 API that uBlock Origin Lite is using?

npace12 wrote:
| yeah, little rat is using manifest v3

cal85 wrote:
| Hang on, do you mean to say the web store might accept an extension with `declarativeNetRequestFeedback` permission, it just might take longer and be less certain? I've got an extension that could potentially really benefit from using this permission (because I want to be able to dynamically decide whether to take an action in a content script based on the `Content-Type` header; currently I use imperfect content-sniffing heuristics instead). The last time I dug into it, it seemed that this permission just wasn't going to be available after the Manifest v3 moratorium that has already passed. So I'm interested to know if anything has changed (or if there's any special way that extensions can be approved with this permission, e.g. if they're popular enough and have a good privacy track record).

npace12 wrote:
| I'm not sure, but I was curious too, so I submitted it for review to find out.

cal85 wrote:
| Interesting, I had assumed it wouldn't even allow uploading it if the manifest required that permission. Hope they allow it for you!

[deleted]

bromuk wrote:
| ooh, love it. Would be great to have some installation information within the repo for people who aren't savvy at enabling dev mode in chrome extensions

swyx wrote:
| or just link to something off google for it, we shouldn't have to write that for every oss chrome extension

mschuster91 wrote:
| Thing is, you can't, Google makes it very difficult to run extensions from anywhere but the Chrome Store for a reason - if they didn't, scammers would jump on it.

___________________________________________________________________
(page generated 2023-08-14 23:00 UTC)