Brave this week said it is blocking the installation of a popular Chrome extension called L.O.C. because it exposes users' Facebook data to potential theft.
"If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a GitHub Issues post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued."
"Facebook just happens to have a legacy web permission hardcoded into a page on their 'creator studio' they built, which makes it possible for someone who controls one of these extensions to scrape hundreds of thousands of Facebook tokens, without ever signing up for the Facebook developer program and using the correct/native Facebook app/dev sharing features," explained Edwards.
This highlights a threat that bad actors could exploit: a token issued without a permission prompt gives whoever controls the extension access to the user's Facebook data. No harm should have resulted so far, provided the issue has not been exploited in the meantime. Only the browser vendor can block an extension, and Meta is reportedly looking into the issue as well. The article below unpacks the potential vulnerability in more detail.
See: Facebook exposes 'god mode' token miscreants could use
Ban of Chrome extension by Brave reveals risk of potential API abuse at Meta