deanc 7 hours ago

Over 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.

It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.

extesy 3 hours ago | parent | next [-]

For the more than 10 years that I have maintained a reasonably popular cross-browser extension, I've been collecting various monetization offers. They simply don't stop coming: https://github.com/extesy/hoverzoom/discussions/670

RupertSalt 6 hours ago | parent | prev | next [-]

It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.

You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.

If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.

dalmo3 6 hours ago | parent | next [-]

Pardon the ignorance but what's being exploited by someone buying a video game character?

asimovDev 4 hours ago | parent | next [-]

If you buy someone's old gaming account (Steam, for example) with many years of activity, you can appear more legitimate when trading, therefore making it easier for people to trust you and fall victim to your scam(s).

elashri 6 hours ago | parent | prev | next [-]

I think he was just saying that it is a similar business to that, just drawing a comparison that there is a market for it, like selling video game accounts. Also, people who cheat in games will usually buy high-level accounts, because they will be banned much faster if they start playing with new accounts for cheats. This happens all the time in some of the games I play.

qcontinuum1 5 hours ago | parent | prev | next [-]

15 years ago, this type of business was probably in its very early stage. There is little that can be done about "selling" extensions. The Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.

netsharc 5 hours ago | parent [-]

It's a moronic industry, waiting for the catastrophic data-theft disaster to happen before they do anything... Google is doing it, Apple did it, Zuck did it (the only hindrance Cambridge Analytica had to go over seemed to be the apps developer agreement that devs had to click to promise you won't do anything bad with the personal information of all those Facebook users...).

Which is all the more incredible, considering Blackberry (the phone company that was big before the age of iPhones or YouTube) had a permission model that allowed users to deny 3rd-party apps access to contacts, calendar, etc. The app would get a PermissionDeniedException if it couldn't access something. I remember the Google Maps app for Blackberry, whose solution to that was "Please give this app all permissions or you can't use it"...

gilrain 6 hours ago | parent | prev | next [-]

[flagged]

coldtea 5 hours ago | parent | next [-]

He sold a piece of software he wrote. It's something totally legit that happens all the time.

And we don't know if the new owner changed anything or if anybody at all got hurt by that. We do know you rudely insulted the parent, however.

benregenspan 6 hours ago | parent | prev | next [-]

This is what I'd say about someone who sold their extension today, but I don't think this business model was nearly as well-known 15 years ago.

Forgeties79 6 hours ago | parent | prev [-]

How were they supposed to know that was going to happen? You think they walked up and said, “Hi. I’m here to buy your software and hurt people with it”?

ptx 5 hours ago | parent [-]

If a stranger walks up to the chef in a restaurant and offers to pay them to put some mystery stuff in the food, or someone walks in during a surgery and asks if they can make some incisions and inject some mystery stuff, would you (as a customer of the restaurant or hospital) expect this to be allowed?

pocksuppet 5 hours ago | parent | next [-]

If someone walks up to the owner in a restaurant and offers to pay them money to buy the restaurant, it's not considered suspicious.

Ntrails 4 hours ago | parent [-]

Assuming the someone is private equity buying out, I expect the quality to drop like a stone and the place to go to hell.

So. It's not suspicious. But you can rest assured as a customer that it isn't good news.

(that doesn't make it wrong to sell ofc)

Forgeties79 4 hours ago | parent | prev [-]

That isn’t remotely comparable. You’re asking someone to quietly alter someone else’s product, not selling the product to them. They didn’t pay him to change the extension, they bought it.

ptx 4 hours ago | parent [-]

They bought the permission to make changes to customer machines that had been granted to the seller by the customer. If it's just a sale of the source code, there's no problem. But what is bought is usually the pre-existing update channel (the installed base), precisely to be able to alter the product for existing users without explicitly informing them or asking for consent.
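As an added example (not code from this thread or from any extension discussed in it), here is a small Python check a user or an extension store could run on an extension's manifest.json before and after an update: it flags newly requested permissions, broadened host access and a changed update channel, which is exactly the kind of silent change a purchased update channel makes possible. The two manifests are constructed samples.

```python
# Compare two extension manifests (constructed samples, not from any real extension)
# and report what the update newly asks for.
BEFORE = {
    "name": "Sample Highlighter", "version": "1.4.0", "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://example.com/*"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["hl.js"]}],
}
AFTER = {
    "name": "Sample Highlighter", "version": "1.5.0", "manifest_version": 3,
    "permissions": ["storage", "activeTab", "webRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["hl.js"]}],
}

# Patterns that grant access to every site, and APIs that can read or alter browsing data.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"webRequest", "webRequestBlocking", "cookies", "history", "tabs",
             "scripting", "declarativeNetRequest", "clipboardRead", "management",
             "nativeMessaging", "proxy", "debugger"}

def permission_sets(manifest):
    """Return (api_permissions, host_patterns) for a manifest V2 or V3 document."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host match patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    # Content script match patterns also give the extension code on those pages.
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return perms, hosts

def diff_update(before, after):
    """List (kind, value, severity) findings for capabilities the update adds."""
    p0, h0 = permission_sets(before)
    p1, h1 = permission_sets(after)
    findings = []
    for p in sorted(p1 - p0):
        findings.append(("new_permission", p, "high" if p in SENSITIVE else "low"))
    for h in sorted(h1 - h0):
        findings.append(("new_host", h, "high" if h in BROAD_HOSTS else "medium"))
    if before.get("update_url") != after.get("update_url"):
        findings.append(("update_url_changed", str(after.get("update_url")), "high"))
    return findings

def needs_review(findings):
    """True when any finding is high severity, i.e. the update deserves a manual look."""
    return any(sev == "high" for _, _, sev in findings)

if __name__ == "__main__":
    for kind, value, sev in diff_update(BEFORE, AFTER):
        print(f"{sev:6} {kind:20} {value}")
```

Removed permissions are deliberately not reported; only what the update newly asks for matters for this check.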

Forgeties79 2 hours ago | parent [-]

I get what you’re trying to say but comparing selling your tool to pocketing money on the job to commit a crime is not the same thing.

Rygian 3 hours ago | parent | prev [-]

While assuming absolutely zero bad will on your part, I would nevertheless find it fair if you were legally on the hook for whatever happened after the sale, unless you could prove that you provided reasonable means for the users of your extension to perform their due diligence on the new owner of the extension.

This is of course easy to say in hindsight, and is absolutely a requirement that should be enforced by the extension appstore, not by individual contributors such as yourself.

deanc 19 minutes ago | parent | next [-]

I wouldn't find that fair at all. Bad actors should be legally responsible for their bad action. If I sell you a taxi business, and then all of a sudden you decide to start robbing the customers - it's not my fault is it? And just to be clear, I had no idea if my extension was used for nefarious purposes, but in hindsight it probably was.

anonymous908213 13 minutes ago | parent [-]

In this analogy, you're selling the taxi while the customer is still inside the car, allowing the new owner to take them hostage with very little ability to defend themselves because they trusted you.

eli 2 hours ago | parent | prev [-]

How would that even work? What if the seemingly clean buyer sells it to someone else scammy?