How does deprecating --load-extension for Chrome "enhance the security and stability of the Chrome browser"?

guest271314

Apr 5, 2025, 9:47:32 PM
to Chromium-dev
How does deprecating --load-extension for Chrome "enhance the security and stability of the Chrome browser"?

Richard Chen

Apr 7, 2025, 1:19:29 PM
to Chromium-dev, guest271314
Hi,

Thanks for reaching out. The `load-extension` switch is frequently exploited to load malicious and unwanted software. We understand this may impact some workflows and appreciate your understanding of this necessary measure to improve browser security. You can learn more about this change here.

Thanks,
Richard


guest271314

Apr 9, 2025, 10:37:41 AM
to Richard Chen, Chromium-dev
> Thanks for reaching out. The `load-extension` switch is frequently exploited to load malicious and unwanted software.

Huh?

I don't see how that's possible. YOU have to write out the absolute
path to YOUR local extensions.

Mike Frysinger

Apr 9, 2025, 12:30:20 PM
to guest...@gmail.com, Richard Chen, Chromium-dev
that assumes no one ever has malicious code run on their system and make changes.  we've seen this option be abused by plenty of such actors.
-mike

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
    http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CA%2BsyWAO4thjbER%3D7B_XCxjiy%3Dzyr0dPSo%3DSQL1bw7W-yAaBUhw%40mail.gmail.com.

K. Moon

Apr 9, 2025, 12:30:53 PM
to guest271314, Richard Chen, Chromium-dev
https://en.wikipedia.org/wiki/Argument_from_ignorance

Not understanding why something is a problem does not require anyone else to prove it to you.

guest271314

Apr 9, 2025, 8:37:54 PM
to Chromium-dev, K. Moon, Richard Chen, Chromium-dev, guest271314
There is no problem. Not that I have read.

I'm on my own machine, launching 20 extensions I wrote from my own machine.

I have no idea how you could say a user on their own machine launching extensions on the command line is "malicious". Makes no sense to me.

guest271314

Apr 9, 2025, 8:38:47 PM
to Mike Frysinger, Richard Chen, Chromium-dev
I don't understand. You're saying users maliciously abuse themselves
by using chrome --load-extension=/home/user/ext?

I'm talking about chrome, on my own machine, and unpacked extensions I
wrote on my own machine.

You say, just get rid of the flag, without a thought for the local
developers who use that flag to load 20 or 30 local unpacked
extensions.

guest271314

Apr 9, 2025, 8:43:38 PM
to Chromium-dev, guest271314, K. Moon, Richard Chen, Chromium-dev
> we've seen this option be abused by plenty of such actors.

Are we talking about the same thing here?

Are you saying a user is abusing themselves by launching extensions using --load-extension?

I have no idea what context you folks are talking about where a user on their own machine loading unpacked extensions using --load-extension could possibly cause any harm to any machine. You have to deliberately write that command line switch out. If you don't want to load extensions don't load them that way. Otherwise you're taking away from extension developers who use that command line switch extensively, for no reason relating to what they do.

So far I have not read anything articulated about exactly how a user could abuse themselves and be malicious to themselves by using --load-extension.

Are you folks talking about some shared machine?

Mike Frysinger

Apr 9, 2025, 9:10:32 PM
to guest...@gmail.com, Chromium-dev, K. Moon, Richard Chen

guest271314

Apr 9, 2025, 11:05:04 PM
to Chromium-dev, Mike Frysinger, Chromium-dev, K. Moon, Richard Chen, guest...@gmail.com
Did you just deliberately ignore everything I just wrote?

I'm on my own machine, loading code I wrote.

There's no chance of "malicious code" whatsoever in this case.

But y'all just shut the door on this command line switch without even considering the user who writes and loads their own unpacked extensions.

For no reason.

Evinced by your complete lack of specificity as to exactly how a user loading a local extension on their own machine could possibly have anything to do with some vague notion of "security".

chrome --load-extension=/home/user/half_duplex_stream,/home/user/native-messaging-file-writer,/home/user/native-messaging-file-writer-quickjs,/home/user/native-messaging-txiki.js,/home/user/native-messaging-nodejs,/home/user/native-messaging-deno,/home/user/native-messaging-bun,/home/user/native-messaging-quickjs,/home/user/native-messaging-llrt,/home/user/native-messaging-rust,/home/user/native-messaging-webassembly,/home/user/native-messaging-c,/home/user/native-messaging-cpp,/home/user/native-messaging-python,/home/user/native-messaging-bash,/home/user/native-messaging-d8,/home/user/native-messaging-spidermonkey,/home/user/native-messaging-typescript,/home/user/capture_system_audio,/home/user/devtools_panel_formatter,/home/user/isolated-web-app-utilities,/home/user/no-copilot-ad-main,/home/user/no-so-banner,/home/user/offscreen-audio-main,/home/user/remove_csp,/home/user/tab,/home/user/telnet-client/direct-sockets,/home/user/native-messaging-piper,/home/user/fetch-local-file \

guest271314

Apr 9, 2025, 11:17:06 PM
to Chromium-dev, guest271314, Mike Frysinger, Chromium-dev, K. Moon, Richard Chen
Wait a minute? Did you really just link to CrowdStrike? The folks who insisted on loading their alleged "security" software in the bootloader of Microsoft software run machines, resulting in a whole bunch of machines around the world crashing a few months ago?

That's your security model reference?

Again, you folks appear to have just decided to ignore the case of programmers writing their own programs and loading their own programs on their own machine, based on some as-yet undisclosed supposed "malicious code" that the user themselves had to decide to load by intentionally writing the --load-extension command line switch. 

Just to be clear.

There is absolutely no way for any alleged "malicious code" to get anywhere in my workflow - because I write my own code and decide to load my own code.

So whatever universal declaration you have conceived of internally for some mysterious "malicious code" that just pops up out of the ether because --load-extension is used is mathematically false.

guest271314

Apr 9, 2025, 11:29:39 PM
to Chromium-dev, Mike Frysinger, Chromium-dev, K. Moon, Richard Chen
By the way, the majority, if not all of the extensions I load are published on GitHub. FOSS. No CWS. Is this a strategy to say something like only load extensions from CWS?

I had to write an extension just to get rid of a recent Chromium/Chrome update that gave some link to Chrome Web Store 1/3 of chrome://extensions UI. 

I really don't think you folks considered the local programmer in your decision-making. Whatever alleged "malicious code" that supposedly exists and just magically gets loaded when --load-extension is used is simply an untrue assumption. Time to reconsider this. In lieu of your omission from thinking about the local Chrome developer that writes their own code and might load 20 or 50 extensions they wrote.
 

Mike Frysinger

Apr 9, 2025, 11:33:37 PM
to guest271314, Chromium-dev
we understand your personal priorities and usage might not be aligned with Chrome's goals to focus on user security.  the source code of Chromium is readily available and you're free to compile/change it however you like.  no one is forcing you to use Chrome.
-mike

guest271314

Apr 9, 2025, 11:36:17 PM
to Chromium-dev, Mike Frysinger, Chromium-dev, guest271314
>  the source code of Chromium is readily available and you're free to compile/change it however you like.  no one is forcing you to use Chrome.

Wow. Almost sounds like corporate...

Why can't you just answer a straight question?

Do you admit that what I'm doing with --load-extension has absolutely nothing to do with the as-yet undisclosed alleged "malicious code" that supposedly exists just because --load-extension is used?

guest271314

Apr 9, 2025, 11:40:33 PM
to Chromium-dev, guest271314, Mike Frysinger, Chromium-dev
> we understand your personal priorities and usage might not be aligned with Chrome's goals to focus on user security.  

Just 'cause you internally slap a "security" label on something doesn't make that label true and correct.

Mike Frysinger

Apr 9, 2025, 11:57:17 PM
to guest271314, Chromium-dev
we've answered your questions.  you refusing to accept or not liking the answers is not the same thing as not answering them.
-mike

guest271314

Apr 9, 2025, 11:58:17 PM
to Mike Frysinger, Chromium-dev
You didn't answer the specific question about exactly what I posted.
How does writing and loading my own extensions using --load-extension
have anything to do with some alleged "malicious code"? Very simple
question. Of course, the only answer is, it doesn't. Thus the no
answer from you. Thanks anyway for confirmation by omission that what
I'm doing with --load-extension has nothing to do with any alleged
"malicious code", and that you folks didn't consider the local
developer that is and has been using that command line switch with
locally written code.

Greg Thompson

Apr 10, 2025, 7:59:27 AM
to guest...@gmail.com, Mike Frysinger, Chromium-dev
Hi.

The issue is not that the Chromium authors have decided that you, personally, cannot be trusted to run your own extensions on your own computer. The reality is that there is a great deal of malware / unwanted software in the world that is created to tamper with users' computing experience. This impacts all web browsers, not just Chromium. I can assure you that the authors of web browsers are even more frustrated by this than you are. If it weren't for the bad actors who create such software or for the OS platforms that allow them to do their bad deeds, the authors of web browsers wouldn't have to take steps such as removing the functionality that you have previously enjoyed. This isn't done without consideration for the impact on users in your situation. It's a tough world. We don't always get what we want.

guest271314

Apr 10, 2025, 9:42:56 AM
to Chromium-dev, Greg Thompson, Mike Frysinger, Chromium-dev, guest...@gmail.com
That's far too vague. Still, nobody has explained exactly how
--load-extension could possibly be the cause of somebody getting
malware on their machine.

You have to manually write that command line flag out - and manually
write out where you're loading the extension from.

Might as well get rid of command line flags altogether if you are that
scared of some boogeyman that you can't even talk about.

All this mysterious boogeyman stuff just sounds like the same old Chrome.

I mean certain U.S. federal judges and the U.S. Dept. of Justice might
call Chrome itself a bad actor relevant to some alleged search engine
monopoly, and even go so far as to propose Alphabet sell Chrome. So,
could be Chromium authors who are bad actors from different
perspectives.

This just makes no sense to me. You can pick a few flags here to
exploit if you really wanted to.

By the way, Chrome is still recording user PII and sending that data
to remote servers for Web Speech API. Yet somehow managed to slide in
some "AI" into the browser before shipping STT and TTS technology in
the browser.

Screenshot_2025-04-10_13-43-12.png

So, Chrome can train their garbage Gemini using users' PII data?

By garbage, I mean the other day, Google decides to list their Gemini
first on searches, and Gemini is still rendering "assert" for Import
Attributes. That got replaced with "with" a while ago.

Screenshot_2025-04-10_13-42-21.png

Is Google deliberately trying to mislead the hundreds of millions of
people who read Gemini search results?

Bad actors always point fingers at somebody else as if they are the
champions and heroes.

In this case I can't even get a straight answer as to how that flag
could even be exploited. The user would have to exploit and abuse
themselves is the only way I see it.

Greg Thompson

Apr 10, 2025, 9:52:55 AM
to guest271314, Chromium-dev, Mike Frysinger
I find your tone extremely unprofessional and uncooperative. I'm trying to help you, so I will reply one more time. This will be my last reply on the topic.

No one has claimed that users get infected via this command line argument. The piece that you seem to be missing is that malware infects machines through other means. This malware takes advantage of command line arguments like this to interfere with users' intent to use the internet. This is very straightforward. There is no subterfuge here. I hope this is sufficiently clear. If it's not, I suspect it's because of your wish to believe that the authors of Chromium are somehow trying to pull a fast one on you.

guest271314

Apr 10, 2025, 10:01:59 AM
to Chromium-dev, Greg Thompson, Chromium-dev, Mike Frysinger, guest271314
I wonder how many of these command line flags can be used to do what you claim is being done - without evidence - to allegedly infect machines https://peter.sh/experiments/chromium-command-line-switches/ ? A bunch of them I suspect.

Usually, when people claim a vector they detail how the exploit happens. Not so here.

A developer developing locally cannot do anything of the sort you folks claim is being done here. Again, without a scintilla of evidence disclosed.

guest271314

Apr 10, 2025, 10:10:32 AM
to Chromium-dev, guest271314, Greg Thompson, Chromium-dev, Mike Frysinger
> I find your tone extremely unprofessional and uncooperative. 

My tone? How do you glean "tone" on the Interwebs from text? You can't. Somebody in the wild dares to question somebody else's claims? That's how science works. Somebody makes a claim, somebody else who doesn't want the claimant to be correct has to reproduce the claim per the steps the party disclosing outlines. That's the scientific method. I'm just not buying the claims being made by Chromium authors relevant to --load-extension. You have produced absolutely no steps nor evidence to support your claims that local usage of --load-extension will somehow infect somebody else's machine.

Giovanni Ortuño

Apr 10, 2025, 10:39:46 AM
to guest...@gmail.com, Chromium-dev, Greg Thompson, Mike Frysinger
A simple search for "Malware that hijacks Chrome" brings up some examples of the issue. For example this one, which describes the attack flow and specifically calls out --load-extension:

> [Malware] tampers with browser “.lnk” files to load a local extension that it drops ($shortcut.Arguments = “$CArgs --load-extension=$CLocalPath”): The local extension again focuses on stealing search queries, but it can also communicate with the C2. It goes through great efforts to obfuscate and hide its activity. It cannot be seen on the “Extensions” management page, so an unsuspecting user cannot easily detect the extension’s existence.

The attack flow might not apply to yourself, but it applies to many users of Chrome.
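
The shortcut tampering quoted in the last message suggests a simple audit for defenders: collect browser shortcut arguments and process command lines, extract every `--load-extension` directory, and flag any that fall outside directories you have reviewed. This is an added example, not part of the thread or of Chromium's code; the function names, sample records and allowed roots are assumptions constructed for illustration.

```python
import re

# A token is a run of unquoted text and/or double-quoted segments, so both
# --load-extension="C:\a b" and "--load-extension=C:\a b" stay in one piece.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_SWITCH = re.compile(r'^--?load-extension=(.*)$', re.IGNORECASE)


def load_extension_paths(cmdline):
    """Return every directory passed via --load-extension in a command line."""
    paths = []
    for token in _TOKEN.findall(cmdline):
        m = _SWITCH.match(token.replace('"', ''))
        if m:  # the switch takes a comma-separated list of directories
            paths.extend(p for p in m.group(1).split(',') if p)
    return paths


def _norm(path):
    return path.replace('\\', '/').rstrip('/').lower() + '/'


def audit(records, allowed_roots):
    """Return (source, path) for each extension directory outside allowed_roots."""
    roots = [_norm(r) for r in allowed_roots]
    return [(source, path)
            for source, cmdline in records
            for path in load_extension_paths(cmdline)
            if not any(_norm(path).startswith(r) for r in roots)]


# Constructed sample records: shortcut arguments and process command lines as
# an inventory script or EDR export might supply them (not real data).
SAMPLE = [
    ("shortcut Desktop/Chrome.lnk",
     r'--profile-directory=Default --load-extension="C:\Users\a\AppData\Local\chrome ext"'),
    ("process pid 4242",
     "chrome --load-extension=/home/user/tab,/home/user/remove_csp"),
    ("process pid 4310",
     r'chrome.exe "--load-extension=C:\ProgramData\upd,C:\dev\ext\mine" --no-first-run'),
    ("shortcut Taskbar/Chrome.lnk", "--profile-directory=Default"),
]
ALLOWED = ["/home/user", r"C:\dev\ext"]  # hypothetical reviewed dev directories

if __name__ == "__main__":
    for source, path in audit(SAMPLE, ALLOWED):
        print(f"REVIEW {source}: unexpected extension directory {path}")
```

A developer who loads their own unpacked extensions lists those directories in `ALLOWED`; anything else that turns up in a shortcut or a running process is worth a look.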
