Chrome Extensions – AKA Total Absence of Privacy

You are currently reading a thread in /g/ - Technology

Thread replies: 24
Thread images: 5
http://labs.detectify.com/post/133528218381/chrome-extensions-aka-total-absence-of-privacy

>TL;DR, Popular Google Chrome extensions are constantly tracking you per default, making it very difficult or impossible for you to opt-out. These extensions will receive your complete browsing history, all your cookies, your secret access-tokens used for authentication (i.e., Facebook Connect) and shared links from sites such as Dropbox and Google Drive. The third-party services in use are hiding their tracking by all means possible, combined with terrible privacy policies hidden inside the Chrome Web Store.

>Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed.

>The tracked browsing history data is made available through analytics services, where anyone can sign up to pay for a monthly subscription to analyze and dig through this traffic. It is still unknown what happens with some of the data, such as your personal cookies, but there’s a possibility that it is being used to enhance the profile of the user to make the analytics even more accurate in terms of location, gender, age and interests.

>Through these services, we’ve been able to confirm that even browsing patterns from only one user ended up in the search results, making it possible to fingerprint a specific user’s browser history.
>>
>They are running the tracking scripts in a separate background instance of the extension, but can still get access to all information about your tabs. By doing this, your network traffic of a web page will not disclose that requests are being done to a third party. This bypasses all Content Security Policy-rules and Chrome extensions – such as Ghostery – that try to prevent tracking, since the requests are being done inside the extension itself.

>They are packing the data using different methods to make it obfuscated and hard to identify.

>Some tracking scripts are using different subdomains for each extension making it harder to see that they are using the same solutions for tracking users and to make it harder to block them.

>The extensions always enable this tracking per default, some of them do give you an option to disable it, but it’s always activated from start. Some extensions have added these scripts inside an incremental update, automatically enabling the tracking for all users from before the update.
>>
>This is an ugly one. Some third-party tracking services use a tracking script SDK inside the extensions. But the first time it runs, it replaces this code by making a few requests fetching new JavaScript-code and storing it in the extension’s file storage and saves references to the files in the local storage of the extension. This makes it possible for the extension to constantly run and update arbitrary code controlled by the third-party not included by the extension from the beginning. Now, note that this file storage and local storage functionality is only because of the tracking scripts, not due to the functionality of the extension itself.

>They are sending over everything about you. Every. Thing. Even relations between websites that are only known by the current user, since the pages themselves are not linked in any way. They also steal all your cookies and OAuth access-tokens (provided between web pages using URL fragments aka location.hash).

>The extensions are in fact exposing that they do have these tracking scripts embedded. The GUI of the Chrome Web Store is actually helping these companies to hide this information perfectly.
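
Added example, not part of the thread or the quoted article: a small Node.js check that reads an extension's manifest.json and lists the declared capabilities the quoted text depends on (tab URLs, cookies, all-site access, a background context, eval-permitting CSP). `auditManifest` and `sampleManifest` are names made up for this example and the sample manifest is constructed; the permission names and manifest keys are Chrome's own.

```javascript
// Flag manifest.json settings that make the tracking described above possible.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RISKY_APIS = new Map([
  ["tabs", "reads the URL and title of every tab (URL fragments included)"],
  ["history", "reads stored browsing history"],
  ["webNavigation", "observes every navigation as it happens"],
  ["webRequest", "observes network requests and their headers"],
  ["cookies", "reads cookies for every host the extension can access"],
]);

function auditManifest(manifest) {
  const findings = [];
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === "string");
  for (const p of perms) {
    if (RISKY_APIS.has(p)) findings.push({ id: `api:${p}`, why: RISKY_APIS.get(p) });
    if (BROAD_HOSTS.has(p)) findings.push({ id: `hosts:${p}`, why: "applies to every site" });
  }
  // Content scripts with a broad match run inside every page the user opens.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ id: `content_script:${m}`, why: "injected into every page" });
    }
  }
  // Background context: its requests do not appear in a page's own network traffic.
  const bg = manifest.background || {};
  if (bg.scripts || bg.page || bg.service_worker) {
    findings.push({ id: "background", why: "code runs outside any page, unseen by page-level blockers" });
  }
  // CSP is a string in MV2 and an object with "extension_pages" in MV3.
  const cspRaw = manifest.content_security_policy;
  const csp = typeof cspRaw === "string" ? cspRaw : (cspRaw && cspRaw.extension_pages) || "";
  if (csp.includes("'unsafe-eval'")) {
    findings.push({ id: "csp:unsafe-eval", why: "fetched strings can be executed as code" });
  }
  return findings;
}

// Constructed sample manifest (MV2 style, current when the article was written).
const sampleManifest = {
  manifest_version: 2,
  name: "Example Toolbar",
  permissions: ["tabs", "cookies", "storage", "<all_urls>"],
  background: { scripts: ["bg.js"], persistent: true },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
console.log(auditManifest(sampleManifest).map((f) => `${f.id}: ${f.why}`).join("\n"));
```

A finding here only means the capability is declared; whether an extension actually ships data to a third party still has to be confirmed by reading its background script or watching the background page's network traffic.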
>>
>>
Does anybody have an example of an extension doing this?
>>
>>51434487
there were reports of ublock sending a lot of encrypted data, even keystrokes, just use adblock plus, it's safe
>>
>>51434515
Eyeo devs pls go
>>
>>51434293
>>51434302
>>51434312
>>
>>51434515
Links to those "reports" pls.
>>
>>51434557
oh come on faggot, no one's gonna spoonfeed you, just google it
>>
reminder that google is an ADVERTISING COMPANY first and a browser dev second. how else would they make money with chrome?
>>
>>51434573
>implying these reports exist
>>
>>51434629
Not really. Anon could have been implying that you should Google it to see how obvious it is that they don't exist.
>>
>>51434610
but google doesn't harvest any info from this, they are hiding extensions that do this, these extensions are literally omitting google
>>
>>51434645
nah, i was just baiting ;^)
>>
I only have adblock plus on chrome and only use it for websites that have some multimedia ( jewtube, twitch, porn ) because firefox' performance with flash and html5 is so fucking bad
>>
>>51434645
Ah, ok, I read his answer differently, but ok.
>>
>using chrome
>caring about being tracked

does not compute.

just use firefox or a fork or go back to facebook with your google shit. i wish hiro would ban people from /g/ based on their user agent
>>
>>51434691
this is far more tracking than anyone would expect
>>
>>51434720
have you been living under a rock? they will track as much data as they possibly can, both advertisers as well as google. microsoft is doing the same thing with windows 10. privacy has been dead since the day snowden arrived and it only gets worse. it's safe to assume that every keystroke you make is being recorded while using chrome.
>>
>>51434293
Well, that's the whole point of Chrome, isn't it?
>>
>>51434735
really? they will grab authentication cookies? answer: no

this shit is pretty much fucking hacking
>>
>>51434293
>These extensions will receive your complete browsing history, all your cookies, your secret access-tokens used for authentication (i.e., Facebook Connect) and shared links from sites such as Dropbox and Google Drive.
No they fucking don't.
>>
>>51434822
Keep being in denial.