| ▲ | GeekyBear 21 hours ago |
| I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program. > Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts. https://support.mozilla.org/en-US/kb/recommended-extensions-... I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not just automated scans. |
|
| ▲ | Santosh83 21 hours ago | parent | next [-] |
| Yeah IT pros and tech aware "power" users can always take these measures but the very availability of poor or maliciously coded extensions and apps in popular app stores makes it a problem considering normies will get swayed by the swanky features the software promises and will click past all misgivings and warnings. Social engineering attacks are impossible to prevent using technical means alone. Either a critical mass of ordinary people need to become more safety/privacy conscious or general purpose computing devices will become more & more niche as the very industry which creates these problems in the first place by poor review will also sell the solution of universal thin-clients and locked down devices, of course with the very happy cooperation of govts everywhere. |
|
| ▲ | Terr_ 20 hours ago | parent | prev | next [-] |
| > I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program. If you're feeling extra-paranoid, the XPI file can be unpacked (ZIP) to check over the code for anything suspicious or unreasonably-complex, particularly if the browser-extension is supposed to be something simple like "move the up/down vote arrows further apart on HN". :P While that doesn't solve the overall ecosystem issue, every little bit helps. You'll know it's time to run away if extensions become closed-source blobs. |
| ▲ | insin 15 hours ago | parent [-] |
| You can also, more conveniently, plug an extension's URL into this viewer: https://robwu.nl/crxviewer/ |

| ▲ | Y_Y 10 hours ago | parent [-] |
| Now I have to trust that viewer doesn't hide the malicious code, nor that my browser does (presumably from an existing untrustworthy extension) |
|
| ▲ | dvratil 19 hours ago | parent | prev | next [-] |
| The question is, does Mozilla rigorously review every single update of every featured extension? Or did they just vet it once, and a malicious developer may now introduce data collection or similar "features" through a minor update of the extension and keep enjoying the "recommended" badge by Mozilla? |
| ▲ | tuetuopay 18 hours ago | parent | next [-] |
| This may also be the reason for the extension being "Featured" on the Chrome Web Store: Google vetted it once, and didn't think about it for each update. |

| ▲ | GeekyBear 8 hours ago | parent | prev | next [-] |
| > The question is, does Mozilla rigorously review every single update of every featured extension? Yes. |

| ▲ | pacifika 19 hours ago | parent | prev [-] |
| This is just spreading FUD where an answer could have been provided. > Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts. https://support.mozilla.org/en-US/kb/recommended-extensions-... |

| ▲ | nevon 19 hours ago | parent [-] |
| That link doesn't answer the question though. It states that the extension is reviewed before receiving the recommended status. It does not state that updates are reviewed. |

| ▲ | insin 15 hours ago | parent [-] |
| They do, and it takes longer for updates to Recommended extensions to be reviewed as a result. This is what the Firefox add-ons team sent to me when one of my extensions was invited to the Recommended program:
> If you're interested in Control Panel for Twitter becoming a Firefox Recommended Extension there are a couple of conditions to consider:
> 1) Mozilla staff security experts manually review every new submission of all Recommended extensions; this ensures all Recommended extensions remain compliant with AMO's privacy and security standards. Due to this rigorous monitoring you can expect slightly longer review wait times for new version submissions (up to two weeks in some cases, though it's usually just a few days).
> 2) Developers agree to actively maintain their Recommended extension (i.e. make timely bug fixes and/or generally tend to its ongoing maintenance). Basically we don't want to include abandoned or otherwise decaying content, so if the day arrives you intend to no longer maintain Control Panel for Twitter, we simply ask you to communicate that to us so we can plan for its removal from the program. |
|
| ▲ | londons_explore 15 hours ago | parent | prev | next [-] |
| The problem is most codebases are huge - millions of lines when you include all the libraries etc. Often they're compiled with TypeScript etc., making manual review almost impossible. And if you demand the developer send in the raw uncompiled stuff you have the difficulty of Google/Mozilla having to figure out how to compile an arbitrary project which could use custom compilers or compilation steps. Remember that someone malicious won't hide their malicious code in main.ts... it's gonna be deep inside a chain of libraries (which they might control too, or might have vendored). |
| ▲ | londons_explore 14 hours ago | parent | next [-] |
| For example, the following hidden anywhere in the codebase allows arbitrary code execution even under the most stringent JavaScript security policy (no eval etc):
I=c=>c.map?c[0]?c.reduce((a,b)=>a[b=I(b)]||a(b),self):c[1]:c
(How it works is an exercise to the reader) The actual code to run can be delivered as an innocuous looking JavaScript array from some server, and potentially only delivered to one high value target. |

| ▲ | ikekkdcjkfke 13 hours ago | parent | next [-] |
| And the reason we can't put execution of non-declared code behind a permission is because one anal developer at chrome thinks that we shouldn't break existing sites even though no serious site would do this and you could just show a permission popup with triangle exclamation mark |

| ▲ | londons_explore 3 hours ago | parent | next [-] |
| That's what's great about this - it is an interpreter which allows the attacker to do absolutely anything, but no non-declared code is directly run. |

| ▲ | johnebgd 11 hours ago | parent | prev [-] |
| Users have largely been trained to click okay when asked to give permission without thinking. |
| ▲ | arein3 11 hours ago | parent | prev | next [-] |
| Let me ask gemini. Wow, it deconstructed it beautifully:
A Concrete Example
Imagine you pass this array to the function: ['alert', 'Hello World']
Here is the step-by-step execution:
Initialization: The accumulator a starts as self (the window object).
Iteration 1 (b = "alert"):
I("alert") returns string "alert".
It tries a["alert"] (which is window["alert"]).
This finds the alert function.
New Accumulator a: The alert function.
Iteration 2 (b = "Hello World"):
I("Hello World") returns string "Hello World".
It tries a["Hello World"]. The alert function does not have a property named "Hello World", so this is undefined.
The || operator moves to the right side: a(b).
It executes alert("Hello World").
Result: A browser popup appears.
| ▲ | cj 12 hours ago | parent | prev [-] |
| Isn't minified code banned from chrome extensions? |

| ▲ | electroly 11 hours ago | parent [-] |
| Google allows minified extensions and doesn't require you to provide the original unminified source. I've never provided Google the real source code to my extension and they rubber-stamp every release. The Chrome Web Store is the wild west--you're on your own. Mozilla allows minification but you're required to provide the original buildable source. Mozilla actually looks at the code and they reject updates all the time. |
|
| ▲ | sixtyj 13 hours ago | parent | prev [-] |
| Probably off topic: I once tried to find bad code in a WordPress theme. And it was hidden so deep and inconspicuously. The only thing that really helped was to do a diff. In JS this can be much harder to find anything suspicious when the code can be minified. But back to Firefox: My house, my rules. So let external developers set some more strict rules that discourage the bad actors a little. |

| ▲ | sixtyj 13 hours ago | parent [-] |
| When managers take up their positions, they must sign not only their employment contracts but also various codes of ethics and other documents. When a survey was conducted on the misuse of finances and powers, it was found that managers who did not sign the code (because they had to study it and then "forgot" to do so) were more likely to cheat than those who actually signed the documents. |
|
| ▲ | j-bos 15 hours ago | parent | prev | next [-] |
| Funny enough the article mentions this extension was manually reviewed:
> A "Featured" badge from Google, meaning it had passed manual review and met what Google describes as "a high standard of user experience and design." |
| ▲ | megous 15 hours ago | parent [-] |
| I at some point vetted the extensions for myself. What I saw in Mozilla extensions store was anything from using minified code (what is this? it might have been useful in the late 90's on the web, but it surely is not necessary as part of an extension, that doesn't download its code from anywhere), to just full on data stealing code (reported, and mozilla removed it after 2 weeks or so). I don't trust the review process one bit if they allow minified code in the store. For the same reason, "manual" review doesn't fill me with any extra warm confidence feeling. I can look at minified code manually myself, but it's just gibberish, and suspicious code is much harder to discern. Also, I just stopped using third party extensions, except for 2 (violentmonkey, ublock), so I no longer do reviews. I had a script that would extract the XPI into a git repository before update, do a commit and show me a diff. Friendly extension store for security conscious users would make it easy to review source code of the extension before hitting install or update. This is like the most security sensitive code that exists in the browser. |
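megous above describes a script that unpacks each XPI into a git repository and diffs it before updating, and londons_explore's eval-free interpreter one-liner earlier in the thread is exactly the kind of added line such a diff should surface. The following Python is an added example, not code from either commenter: it unpacks two XPI versions (constructed in memory here, since an XPI is a plain ZIP), diffs them file by file with difflib standing in for git, and flags added lines that match a couple of review heuristics, including the reduce-seeded-with-a-global shape quoted in the thread. The extension name, file contents and heuristic names are all constructed for the demonstration.

```python
import difflib
import io
import re
import zipfile

# Added lines worth a human look; the first matches the eval-free interpreter shape quoted in the thread.
SUSPICIOUS = {
    "reduce over global object": re.compile(r"\.reduce\(.*?,\s*(self|window|globalThis)\s*\)"),
    "dynamic code": re.compile(r"\b(eval|Function)\s*\("),
}

def build_xpi(files):
    # An XPI is a plain ZIP; build one in memory from {path: text} (sample data, not a real add-on).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()

def read_xpi(data):
    # {path: text} for every file entry in the archive.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n).decode("utf-8", "replace") for n in zf.namelist() if not n.endswith("/")}

def diff_xpi(old, new):
    # Unified diff per file between two versions; unchanged files are omitted.
    a, b = read_xpi(old), read_xpi(new)
    out = {}
    for path in sorted(set(a) | set(b)):
        lines = list(difflib.unified_diff(a.get(path, "").splitlines(), b.get(path, "").splitlines(),
                                          "old/" + path, "new/" + path, lineterm=""))
        if lines:
            out[path] = lines
    return out

def flag_added_lines(diff):
    # (path, reason, line) for every added line that trips a heuristic; '+++' file headers are skipped.
    hits = []
    for path, lines in diff.items():
        for line in lines:
            if line.startswith("+") and not line.startswith("+++"):
                hits += [(path, why, line[1:].strip()) for why, rx in SUSPICIOUS.items() if rx.search(line)]
    return hits

# Constructed sample: a benign 1.0 and a 1.1 update that smuggles in the interpreter from the thread.
OLD = build_xpi({"manifest.json": '{"name": "Vote Spacer", "version": "1.0"}',
                 "content.js": "document.body.style.margin = '8px';"})
NEW = build_xpi({"manifest.json": '{"name": "Vote Spacer", "version": "1.1"}',
                 "content.js": "document.body.style.margin = '8px';\n"
                               "I=c=>c.map?c[0]?c.reduce((a,b)=>a[b=I(b)]||a(b),self):c[1]:c"})
```

Running flag_added_lines(diff_xpi(OLD, NEW)) reports only the interpreter line in content.js; the version bump in manifest.json shows up in the diff but trips nothing, which is the point of reading the diff rather than trusting the badge.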
|
| ▲ | Llamamoe 21 hours ago | parent | prev | next [-] |
| > I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not automated scans. I think we need both human review and for somebody to create an antivirus engine for code that's on par with the heuristics of good AV programs. You could probably do even better than that since you could actually execute the code, whole or piecewise, with debugging, tracing, coverage testing, fuzzing and so on. |
|
| ▲ | wzdd 16 hours ago | parent | prev | next [-] |
| The article states that Google has done the same for this extension as part of providing its "Featured" badge. |
|
| ▲ | jwr 13 hours ago | parent | prev | next [-] |
| The article says the extension has been "manually reviewed" by Google. |
| ▲ | tremon 11 hours ago | parent [-] |
| ...and we all know that Google never does anything "manually", so I'd take that with the appropriate serving of salt. |
|
| ▲ | alfiedotwtf 18 hours ago | parent | prev | next [-] |
| The same applies to code editor extensions! |
|
| ▲ | 20 hours ago | parent | prev [-] |
| [deleted] |