Safari users: Where did your extensions go?

Safari 12 has brought with it some changes to how OSX handles browser extensions. At WWDC in June, Apple announced that Safari would block legacy extensions installed from outside the Extensions Gallery, which itself would now be deprecated.

As a replacement, Safari will now rely on “app extensions.” Apple said that app extensions don’t see any browsing details, are more segregated from user data, and put much less of a strain on overall performance. Sounds great, right? Unfortunately, the implementation has been somewhat high-handed, as you can see below:

No user interaction required, no real information on why specific extensions were turned off to the exclusion of others, just an automatic disabling. When this happens with security-focused extensions, it can be a little alarming, and a lot of users seem to have been caught by surprise.

How to re-enable extensions

Some extension makers like Adblock Plus have

With Safari open:

  • Go to Preferences
  • Click the Extensions icon
  • Manually check the box next to the extension you’d like to enable

But why is this a security issue?

That’s not very much work to get your extensions back, so what’s the big deal? Apple announced it in advance, after all. Let’s look at a few reasons why this might not have been the best way to roll out new OSX features.

The dialog box lies

“Safari turned off extensions that slow down web browsing.” In the most literal sense, this is true. Browsing without any extensions at all would most likely be fractionally faster. This is not why Safari turned them off, however.

“You can find newer extensions in the App Store.” This is literally true. But can you find newer versions of the specific extensions referenced? Who knows? The extensions in the screenshot at the top were most likely turned off because they did not come from the extension gallery to begin with, and only one had a new app extension available at time of writing.

Apple does not communicate any of this via the dialog box.

The release notes are confusing

Here’s what the Safari 12 release notes say on the subject:

  • Automatically turns off Safari extensions that negatively impact browsing performance
  • Improves security by only supporting legacy Safari Extensions that have been reviewed by Apple

In the above example, the extension block was most likely due to the second bullet. But the dialog only references the first bullet. Which one was it? How can I tell which of my legacy extensions will continue to receive support?

The choice is made for you

This is somewhat a matter of taste, as not everyone wants to be bothered with the inner machinations of their Mac. Very few people read the text in any dialog box, and when it comes to security, most people assume that their Mac knows best.

But when security improvements impact performance, shouldn’t you be given the option to think about it before a change? Further, what about extensions that are used routinely to get work done? Some are much more critical than those that change the word “millennial” to “snake people” on web pages. Switching off everything indiscriminately can have negative effects on productivity.

Apple’s motives with the change are pure, and strengthening a wall between extensions and user data is a great idea. But implementations that don’t consider user experience create a great deal of short-term frustration, and can erode trust in future security improvements.


William Tsing

Breaking things and wrecking up the place since 2005.