Re: [chromium-dev] Re: How does deprecating --locad-extension for Chrome "enhance the security and stability of the Chrome browser"?

[guest271314]

So what? Somebody used --load-extension. That just means whoever launched chome didn't bother to look at their commad line. So that same individual is going to get "attacked" continuously. They probably don't need to be on the Interwebs, which is an inherently insecure domain, just like the natural world.

Now go through all of  Chromium's command line switches and come back and tell me which ones cannot be exploited.

On Thu, Apr 10, 2025 at 2:36 PM Giovanni Ortuño <ort...@chromium.org> wrote:

A simple search for "Malware that hijacks Chrome" brings up some examples of the issue. For example this one, which describes the attack flow and specifically calls out --load-extension:

> [Malware] tampers with browser “.lnk” files to load a local extension that it drops ($shortcut.Arguments = “$CArgs --load-extension=$CLocalPath”): The local extension again focuses on stealing search queries, but it can also communicate with the C2. It goes through great efforts to obfuscate and hide its activity. It cannot be seen on the “Extensions” management page, so an unsuspecting user cannot easily detect the extension’s existence.

The attack flow might not apply to yourself, but it applies to many users of Chrome.

On Thu, Apr 10, 2025 at 10:03 AM guest271314 <guest...@gmail.com> wrote:

I wonder how many of these command line flags can be used to do what you claim is being done - without evidence - to allegedly infect machines https://peter.sh/experiments/chromium-command-line-switches/ ? A bunch of them I suspect.

Usually, when people claim a vector they detail how the exploit happens. Not so here.

A developer developing locally cannot do anything of the sort you folks claim is being done here. Again, without a scintilla of evidence disclosed.

On Thursday, April 10, 2025 at 1:52:55 PM UTC Greg Thompson wrote:

I find your tone extremely unprofessional and uncooperative. I'm trying to help you, so I will reply one more time. This will be my last reply on the topic.

No one has claimed that users get infected via this command line argument. The piece that you seem to be missing is that malware infects machines through other means. This malware takes advantage of command line arguments like this to interfere with users' intent to use the internet. This is very straightforward. There is no subterfuge here. I hope this is sufficiently clear. If it's not, I suspect it's because of your wish to believe that the authors of Chromium are somehow trying to pull a fast one on you.

On Thu, Apr 10, 2025 at 3:43 PM guest271314 <guest...@gmail.com> wrote:

That's far too vague. Still, nobody has explained exactly how
--load-extension could possibly be the cause of somebody getting
malware on their machine.

You have to manually write that command line flag out - and manually
write out where you're loading the extension from.

Might as well get rid of command line flags altogether if you are that
scared of some boogeyman that you can't even talk about.

All this myterious boogeyman stuff just sound like the same old Chrome.

I mean certain U.S. federal judges and the U.S. Dept. of Justice might
call Chrome itself a bad actor relevant to some alleged search engine
monopoly, and even go so far as to propose Alphabet sell Chrome. So,
could be Chromium authors who are bad actors from different
perspectives.

This just makes no sense to me. You can pick a few flags here to
exploit if you really wanted to.

By the way, Chrome is still recording user PII and sending that data
to remote servers for Web Speech API. Yet somehow managed to slide in
some "AI" into the browser before shipping STT and TTS technology in
the browser.



So, Chrome can train their garabge Gemini using users PII data?

By garbage, I mean the other day, Google decides to list their Gemini
first on searches, and Gemini is still rendering "assert" for Import
Attributes. That got replaced with "with" a while ago.

Is Google deliberately trying to mislead the hundreds of millions of
people who read Gemini search results?

Bad actors always point fingers at somebody else as if they are the
champions and heros.

In this case I can't even get a straight answer as to how that flag
could even be exploited. The user would have to exploit and abuse
themselves is the only way I see it.

On Thursday, April 10, 2025 at 11:59:27 AM UTC Greg Thompson wrote:

Hi.

The issue is not that the Chromium authors have decided that you, personally, cannot be trusted to run your own extensions on your own computer. The reality is that there is a great deal of malware / unwanted software in the world that is created to tamper with users' computing experience. This impacts all web browsers, not just Chromium. I can assure you that the authors of web browsers are even more frustrated by this than you are. If it weren't for the bad actors who create such software or for the OS platforms that allow them to do their bad deeds, the authors of web browsers wouldn't have to take steps such as removing the functionality that you have previously enjoyed. This isn't done without consideration for the impact on users in your situation. It's a tough world. We don't always get what we want.

On Thu, Apr 10, 2025 at 5:56 AM guest271314 <guest...@gmail.com> wrote:

You didn't answer the specific question about exactly what I posted.
How does writing and loading my own extensions using --load-extension
have anything to do with some alleged "malicious code"? Very simple
question. Of course, the only answer is, it doesn't. Thus the no
answer from you. Thanks anyway for confirmation by omission that what
I'm doing with --load-extension has nothing to do with any alleged
"malicious code", and that you folks didn't cosider the local
developer that is and has been using that commad line switch with
locall written code.

On Thu, Apr 10, 2025 at 3:50 AM Mike Frysinger <vap...@chromium.org> wrote:
>
> we've answered your questions.  you refusing to accept or not liking the answers is not the same thing as not answering them.
> -mike
>
> On Wed, Apr 9, 2025 at 11:36 PM guest271314 <guest...@gmail.com> wrote:
>>
>> >  the source code of Chromium is readily available and you're free to compile/change it however you like.  no one is forcing you to use Chrome.
>>
>> Wow. Almost sounds like corporate...
>>
>> Why can't you just answer a straight question?
>>
>> Do you admit that what I'm doing with --load-extension has absolutely nothing to do with the as-yet undisclosed alleged "malicious code" that supposedly exists just because --load-extension is used?
>>

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
    http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CA%2BsyWAPUZPZfMMu8P5ON4ou9Wfyhotwc9qDkxoVKMYJLMhPw%3DQ%40mail.gmail.com.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/5d963bc6-2bde-4c4f-b16d-c9974078d9ddn%40chromium.org.