Lex Friedman tells a short (or long, depending on which version you read) horror story about what could go wrong if a nefarious Safari extension developer slips privacy-invading malicious code into an update. There are a few things you can do to protect yourself.

1) Only install extensions from developers you trust.
2) Don’t install updates the moment they are released. Give it a day or two. By then, if an update contains malicious code, word of it has probably gotten out.
3) Download extensions only from trusted sources. You can use the Apple Safari Extension Gallery or sites like Softpedia that inspect the code for malware and the like before posting an update. All of my extensions are covered by Softpedia’s “100% Clean” Award.

Softpedia's 100% Clean Award

Nonetheless, Friedman points out that it would be “potentially erroneous” to trust that Apple inspects the extensions it showcases in the gallery. I can see why he would say this, as he doesn’t have enough information on how Apple handles extension updates, since his extensions aren’t listed in the gallery (which isn’t necessarily a bad thing). If a developer wants to stay in the extension gallery, he or she cannot post an update right away. The steps are outlined below in an email from Apple.

When you have an update to your extension available, send an email to safariextupdates@group.apple.com. For review, host the update at a new URL, in this format: /update/. Please ensure that you leave your current version in place while your update is reviewed.

So I would put my money on the fact that Apple does inspect each extension and its updates to make sure that the scenarios described by Friedman do not occur. I am also pretty sure he is not the first to think of such Safari extension exploits. You would think Apple has thought about these exploits before even releasing an extension-enabled web browser.

It is a good read for sure, but if you are smart about what and how you install Safari extensions, you have nothing to worry about.

I would, however, like to see “what’s new” in an extension update shown in the preference pane, so I know what I am installing and can decide whether an update is necessary at that time. Maybe this feature will come soon.