Why Loox Reviews Exporter Requires New Permissions?
With the latest version of Loox Reviews Exporter, many existing users may encounter the following permission request:
To be honest, this permission request may cause concern, and I think it’s important to write an article explaining the basic functionality of this extension and why these permissions are needed. Openness and transparency can help put your mind at ease. If you have any doubts after reading this article, feel free to send us an email with your questions. Thank you for your continued support of our extension.
1. Basics
First, let’s introduce the basic functionality of the Loox Reviews Exporter extension. This is not a plugin for exporting reviews in the backend of the Loox Reviews System; it was developed to allow you to export high-quality reviews from your competitors’ product pages for your own use.
When a user uses this extension, it first checks if the page contains valid Loox Reviews. If the system is detected, it will dynamically request all user reviews based on Loox’s system rules. Each time a request is sent to the Loox server, it retrieves an HTML page. The extension then sends this HTML page to our server for unified parsing and returns the final parsed result, which is not stored on our server (to save costs), but is instead saved locally in the browser. Our server only stores basic request log data. We use this information to improve and optimize our parsing system.
Specifically, the log information includes: request time, request IP, user ID, and potential error messages. After the new version of the extension went live, we received a large number of invalid authentication requests on our server. Over the coming days, we may gradually block IP addresses that are sending these requests to prevent wasting server resources. If there are any false positives, please contact us promptly.
2. User Information
Now that we’ve covered the functionality, let’s explain what user information is stored when using this extension. In the old version of the system, we saved the user’s email and the license code generated after purchase. When the user used the extension, it sent a permission verification request to our system to confirm whether the user had actually purchased the product. Only after this confirmation could the full functionality of the extension be enabled.
In the new version of the extension, we’ve changed the approach and now directly use the website’s user login module. The benefit of this approach is that when verifying user rights, there is no need to send the user’s email and license code to the backend for validation each time. Instead, we now use cookies, which do not contain any user information themselves. All the mapping data is stored on the server, and the user’s information is not visible to third parties.
Of course, this method is highly dependent on cookies. If your browser disables cookies, the permission verification will not work. However, most websites currently use this solution, and abandoning cookies is still a long way off. Cookies do have some risks. For example, if someone steals your website’s cookie, they cannot access all the data from your website, but they can still use your cookie to perform actions. This is a potentially risky situation, and it’s one of the reasons Google has been working on phasing out cookies. However, part of the cookie risk comes from users clicking on randomly placed links or installing insecure extensions.
In the new version, users are registered through the website. We currently support two login methods: Google login and username/password login. We recommend using Google third-party login.
If you use Google third-party login, we will save your username, email, avatar, and Google account ID.
If you use email/password login, we will save your username, email, and encrypted password.
You may have noticed that we do not save your password if you use Google login. This is a more secure approach, even though we store encrypted passwords for users who register with email/password. If you choose email/password registration, I recommend using a strong password that you don’t commonly use.
If our system is ever breached, the most likely information to be exposed is your email. Beyond that, it would be of little use to a hacker. We most likely will not send any marketing emails to your inbox (to save costs). If you do receive such an email, please be cautious. If you receive an urgent action request, such as a password change or security alert, and you didn’t perform any action yourself, it is likely a phishing attempt. Do not click on links or download attachments. You can take a screenshot and reach out to us to confirm the source of the email.
3. Extension Permissions
In addition to the user information stored on the website, you may be most concerned about the extension’s permissions. Loox Reviews Exporter currently requires four permissions, which are:
3.1 tabs
This permission is used to manipulate Chrome tabs. Loox Reviews Exporter uses it to open the history page.
3.2 scripting
This permission is used to insert script code into the front-end page. In Loox Reviews Exporter, this permission is used to insert code for detecting Loox Reviews and extracting specific review content.
3.3 storage
This permission is used to store the user’s configuration information locally. If you switch to a different Chrome browser, this information will not be automatically synchronized.
3.4 downloads
This new permission, added in the latest version, allows for downloading videos and images in the background.
3.5 hosts
In addition to these specific permissions, there are also website-related permissions, which is why the extension prompts “Read and change all your data on all websites” when updated.
The reason for the “all websites” permission is that we cannot know in advance which websites will embed the Loox review system. Therefore, we include all websites so that we can use the scripting functionality to inject the detection code into these pages, enabling us to detect and extract review content.
That’s all I wanted to share with users of the extension. If you still have any questions, feel free to contact us by email.