honzaik 6 hours ago

it apparently scans for something like "PQC Checker", an extension for checking if TLS connection is PQC-enabled? how is that a spam extension (and that's just a random one i saw)

Aurornis 6 hours ago | parent [-]

Probably compromised extensions or misleading extensions.

It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.

That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.

honzaik 6 hours ago | parent | next [-]

well if they have evidence why they don't report it? why are these extensions on the store? i'm sure linkedin has enough motion to report it directly to google

also, having a PQC enabled extension doesn't seem like a good "large user base capture" tactic.

the source code is as usual obfuscated react but that doesn't mean it's malicious...

EDIT: i debugged the extension quickly and it doesn't seem to do anything malicious. it only sends https://pqc-extension.vercel.app/?hostname=[domain] request to this backend to which it has permissions. it doesn't seem to exfiltrate anything else. it might get triggered later but it has very limited permissions anyway so it doesn't seem to be a malicious extension. (but i'm no expert)

Aurornis 5 hours ago | parent [-]

> well if they have evidence why they don't report it? why are these extensions on the store?

We had a browser extension for our product. A couple times a month someone would clone it, add some data scraping or other malware to it, and re-upload it with the same or similar name.

We set up automated searches to find them. After reporting it could take weeks to get them removed, sometimes longer. That’s for extensions with clear copyright problems!

The extensions may not be breaking any rules of the extension stores if they’re just scraping a website. Many of the extensions on the list are literally designed to do that as their headline feature.

If you think sending data from a page to a server would disqualify an extension from an extension store then think again. Many of the plugins listed even have semi-plausible reasons for uploading the scraped data, like the “anti-Zionist tagger” extension on the list or the ones that claim to blur things that are anti-Islam. Manufacturing a reason to send data to their servers gives them cover.

honzaik 5 hours ago | parent [-]

I am aware that google will take looong time to act. that is why I mentioned that it is LinkedIn (Microsoft) or its contracted fingerprinting/"monitoring" partner who may have more direct ways to report this if they actually investigate malicious extensions.

but that doesn't really matter. for the sake of the argument assume the extensions are not malicious (as evidenced e.g. by the PQC one with ?16 users?) does that change the situation?

reaperducer 4 hours ago | parent | prev [-]

> Probably compromised extensions or misleading extensions.

You'll have to do better than "Probably."

What is it about the tech bubble that compels people to proactively apologize for and excuse the bad behavior of trillion-dollar companies?