addon.xpi --> addon.zip
Then manually sift through the code looking for obvious malicious intent (or not so obvious malicious intent if the author is doing obfuscation). Note: obfuscation is a red flag! A simple scan for `https://` / `http://` would usually yield interesting URLs where data is sent. I have actually spotted malicious addons in the wild this way and reported them to Mozilla. They were thankfully removed. Note: Obfuscation is NOT the same as minification, and I don't mean minification when using the word obfuscation!
this addon connects to:
* https://484044b296.execute-api.us-east-1.amazonaws.com
Is it even possible or would the sandbox prevent such an extension from functioning?
Great idea!
and insert the URL of the extension, for example https://addons.mozilla.org/en-US/firefox/addon/decentraleyes... .
Should they choose to, nothing stops the site you've linked from masking malicious tidbits in code you request.
Side note: the joke goes that Perl is a write-only language as it is difficult to read it and understand it. Some twisted souls decided to create the Obfuscated Perl Contest: https://en.wikipedia.org/wiki/Obfuscated_Perl_Contest
For a list of some of the winners: https://www.foo.be/docs/tpj/issues/vol4_3/tpj0403-0017.html
e.g. original code:
function NewObject()
{
var mainApiUrl="https://google.com";
}
minified code:
function NewObject(){var mainApiUrl="https://google.com";}
obfuscated code:
var _0x8275=["\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D"];function ahyt56(){var _0xb40bx2=_0x8275[0]}
And why is this? Unless the extension source is already public, I don't see any reason why anyone would not use obfuscation
I'm not saying all obfuscation is necessarily bad, just something to look out for if you're trying to sleuth around for malicious intent by the addon's author.
Typically if you want to hide the fact you are collecting the browsing secrets of the addon's user, you would use some form of obfuscation (in order to have the addon in good standing by Mozilla and to stop a simple sweep by people like myself who first look for things like http:/https: in the source).
If the only way to monetize an extension is to exploit its users for data, this kind of thing is going to keep happening. It's perfectly understandable how someone who is doing a lot of work for no pay will eventually get tired of it or have other priorities in life, which is what happened in this case. Perhaps we all need to stop taking it for granted that browser extensions ought to be free? Or maybe the browser vendors themselves can find ways of financially supporting extension authors. I feel that money is essential to both the problem and the solution.
Of course, paid upfront software gets sold to new owners too. But if the software is paid upfront, the expectation is that the new owner will perhaps do a better job of maintaining and marketing the software, and that's why the new owner buys it. When the software is paid, the new owner has an opportunity to make money legitimately, without secretly exploiting the existing user base.
The problem here isn't exploiting users' data; that is not necessarily bad as long as the user is kept informed and accepts. The problem is that the current maintainers are essentially handing over code execution privileges on millions of machines to an untrustworthy actor and that actor intentionally exploits this to run spyware-like code on those machines without their users' knowledge or consent.
When you can't accept money for your work, selling data instead seems to be the only business model for the Internet (sadly)
I disagree. Online commerce has always been very healthy and pervasive almost since the beginning of the web. Payments were never the problem they're sometimes made out to be. "Standards" are completely unnecessary except for the de facto standards of MasterCard and Visa that predated the web.
The rise of adtech is explained simply: many if not most consumers make decisions based on the price of the product, and nothing beats a price of free! If you can offer a product that's free and still make a profit from it by selling ads, then you have a huge advantage over non-free competitors. For physical products, that's nearly impossible, but for virtual products it's quite feasible.
Paid upfront software has a long history on the web, despite the Orwellian revisionism of the App Store apologists who want to erase the past. Even paid upfront software plugins sold on the web have a long history. Web browser plugins and extensions, on the other hand, have tended to be free. This may be the result of most web browsers being free, or included with the operating system. Firefox is free, Chrome is included with Android and free otherwise, Safari is included with macOS/iOS, Internet Explorer was and now Microsoft Edge is included with Windows. The browsers themselves never made a point of taking payments, and so browser extensions were never really designed by the browser vendors with taking payments as a priority. It's kind of an historical accident, but one the browser vendors don't seem to be interested in correcting. Although now for better or worse, Safari web extensions can only be distributed via the Mac App Store.
This can come either because the proliferation of analytics, broad openness of supposedly sandboxed systems, needless availability of fingerprinting methods and lack of proof of privacy commitment by the vendors (and any published privacy policy is not enough), or because I just became too paranoid (or both?).
Examples like these validate the suspicion that you can’t trust any app or plug-in anymore, with big vendors being in an in-between position of “too big to lose trust”.
I wonder when we will reach the point where there is no trusted web browser anymore, no trusted computer appliance. When will it be that you cannot even say a word to a person in-person anymore because it lands in a weakly secured cloud by the microphone inside their smartwatch that runs a weather app that is run by crooks. Or is that point reached already?
Doing this enough times I can mostly predict the result by just looking at the app and who's behind it so I no longer bother with apps and stick to the built-ins whenever possible.
Can’t it talk to its own servers that then talk to Facebook, in which case packet capture is of not much use?
I believe it can already be the case with Google’s (and possibly Facebook’s) apps on Android—at least in case of Google I witnessed real-life tests showing how saying something in presence of the phone causes related ads and content to be shown in feeds—but it’s scarier with less scrupulous app maintainers.
Disclaimer: I am not claiming that Android API grants all apps unauthorized access to always-on mic. The device in question was configured to enable continuous listening by the owner. I am not claiming voice recordings are stored or used in nefarious ways.
Since complex voice-recognition (of other than the activation hotword) is done off-device, you will be able to see network traffic as a result of this occurring. That's quite simple to check for.
I mean, just thinking of potential threats (which now I'm removing the extension because of them):
-- corporate web pages potentially sniffable if installed on work computer
-- personal passwords, password manager traffic
The potentially malicious actor is able to just scoop up any domain's encrypted traffic, isn't it? Or is there any practical assurance that they're only gathering domain names, high level traffic stats, etc?
How do you handle a situation like this, where an extension was previously trusted (and would therefore have passed your vetting procedure), then acquired by somebody else who is apparently malicious? Do you review every new version?
It wouldn't fix everything (for example, you could still put a payload in an innocent-looking dependency), but it would at least fix the blatant problem that a maintainer can add code when uploading an extension even if the extension itself is open source and therefore (appears to be) auditable.
(2) Traceability. git has secure hashes, and things can't change when you're not looking.
My experience is that Google cares deeply about its own security, but not much about the security of its users. This sort of change is reasonable, but completely outside of Google's psyche. Google will
(1) Silently disable Android updates, leaving many running exploitable phones
(2) Hold back security tools for Google Apps without a premium subscription. If your account was compromised, you have no way to do audits to understand what happened without $$$, which leads to many more attackers.
(3) Expires Chromebooks rather quickly. Fortunately, unlike Android, it lets users know, but given the target market, many can't afford to upgrade.
(4) Runs appstores full of malware. When malware is discovered, users have no way to know what it did. They're just notified malware existed.
(5) Doesn't allow any sort of reasonable sandboxing of Android apps. If an app asks for filesystem, maps, and other permissions, you need to agree to run the app. I can't have Android give a dummy location or otherwise
Given that the bulk of Google's business model is built on mass surveillance for advertising, with users-as-statistics, this isn't too surprising, but it's something to be aware of if you use Google.
I firmly believe in civil liability for software companies which ship insecure products. They shouldn't be able to externalize costs like this. Follow good security practices, or your insurance premiums go up.
If they hobble that, though, a large portion of extensions become useless. I don't personally see any real middle ground. It's either a credible risk, or too complicated for practical use. The way manifest v3 hobbles practically required things like heuristics is a good example.
There instead should be clear APIs for some access to page content (for example, right-click context menus, tab control without content access, etc).
The idea will probably be met with opposition because I didn’t explain it well enough, but maybe someone will get the idea hah.
I’ve worked on large chrome extensions that heavily rely on hacking UI on top of page content and it’s truly awful. Everything you do feels like it will break at the touch of a feather, because it does. Sure, there are some ways of making that LESS painful, but at the end of the day it will always be dirty hacks.
I mean except the integrity of extension developers.
This is a huge issue and Google is doing absolutely nothing to address it.
I encourage people to disable all chrome extensions. They have unprecedented access to your data (they can read your bank credentials), and they are a big performance hit. e.g. using Chrome Devtools you can see that Lastpass doubles page load times.
You can use SimpleExtManager (only has perms to turn on/off extensions) to turn everything off until you need them.
I wouldn’t install any extension permanently. I only keep Lastpass and it’s disabled until it’s needed for login.
1. Demand removal of analytics software
2. If no action, fork and re-publish.
Obviously folks who aren't technical/didn't see these threads wouldn't get the benefit of an update.
This is something where an explicitly pro-opensource and anti-tracking (or at least minimal tracking) policy by the browser extension stores would be valuable. The store itself could recommend the no-tracking community version instead. Of course this would have to happen on an individual basis and be carefully managed as so not to be abused.
https://github.com/aciidic/thegreatsuspender-notrack
Plus you can download the old 7.16 version which works fine and doesn't have the suspicious changes
https://www.windowslatest.com/2020/09/17/microsoft-edge-slee...
TGS caused issues resulting in losing pinned tabs in Brave and Vivaldi and so I had to remove it there; now I'm glad I had to do it.
Speaking as a long time paid user of the free/paid Tabs Outliner, I can't recommend it strongly enough.
[0] https://chrome.google.com/webstore/detail/tabs-outliner/eggk...
Unloading entire subtrees and restoring them on other computers is also a nice feature that I don't want to miss anymore.
The extension is closed source, and its dev sometimes needs a few weeks for important fixes, but it is still one of my most favorite browser extensions out there.
We basically only look at the top level of things, when instead, every branch in the tree should have a bunch of security people watching it, like editors watch every change to a Wikipedia article, before it goes out.
Corporations using automation and technology have hijacked our "Free Speech" ideals, and caused us to think that it's a good thing when one party can push out a tweet to 5 million people at once, or a single corporation can buy up local stations and enforce talking points on journalism. That's not freedom of speech at all. That's just a preference for maintaining entrenched power because someone "amassed it voluntarily"... and this mentality extends recursively all the way down ... Take for example the first Twitter mega-celebrity. Ashton Kutcher himself amassed it voluntarily because he was chosen by TV and movie executives once upon a time, to be used in mass media, and their platforms were "voluntarily" built in the past, from the invention of the TV, and people subscribed "voluntarily", and Twitter was built "voluntarily" and funded by VCs voluntarily, and so on. And the end result is, some power (in this case, audience) is concentrated in the hands of a few people, who disproportionately act as kingmakers for various other people and ideas. That's also how we get "too big to fail" issues in telecoms, banks, and so on.
In science, things work differently. Arxiv.org exists but peer review is a big thing. Wikipedia has multiple distrusting parties for each large article. So does Bitcoin (presumably, anyway).
In general, the more value (votes, data, code, money) accumulates in one place, the more "checks and balances" you should have for each release. You can't just have someone push out something in the middle of the night and have everyone pull it into their codebase via npm and then "launder" the (malicious) bugs through more and more releases. You need it to go through "peer review", and not on the top level of an entire tree, but rather, for each subtree there need to be people who understand what's going on.
THAT is a society that's far more secure, that can't be easily backdoored by some hackers paid by a state to find vulnerabilities. And the capitalistic system we have today is pushing the other way (closed source, centralized databases, extract rents, reward early investors through information asymmetry, etc.) and the result is stuff like SolarWinds, the Equifax hack, the Yahoo hack, etc. etc. etc. We're finally starting to put a tax on storing data without an explicit purpose, hopefully that will make it expensive enough that people will be custodying their own data at least. But when it comes to "broadcasting" things, I'd rather have less "real time pushes" and instead slow things down until we can "run byzantine consensus" gradually releasing to the public via concentric circles.
The full solution would involve Merkle trees where some security organizations and researchers / peers (anonymous or not, but with reputations) sign off on each changeset. Instead of just Apple or something. Git + Verified Claims can already support most of the infrastructure, btw.
This barely works for open source software (how many open source projects have people auditing every commit?). How will it possibly work for closed source software?
I'm talking about:
Wikipedia beating Britannica and Encarta
The Web beating AOL / MSN / Compuserve / Prodigy
Apache and NGinX beating IIS
Linux beating Windows for tons of apps & archs
Science beating Alchemy
I mean, I believe it so strongly, I put years and reinvested tons of profits of my own company into an open source platform that would be an alternative to Facebook / LinkedIn / Google etc. (https://github.com/Qbix/Platform). And then I started an experimental project to "disrupt" our own company and decentralize the Web even further (https://intercoin.org). We still have a long way to go, but I think just like the Web unleashed trillions in value that could never be built on top of AOL, we will see the same with Web 2.0 (FAMGA) etc. But it will take time. Open source collaboration is the tortoise, closed source competition is the hare.
1. Mining the users' traffic and reselling it as market research, or
2. Using the users' computers as a pool for a residential proxy service, or
3. Replacing and inserting ads into users' browsers.
This is unfortunately quite common.
There might be a way of contesting the rights to the project name but that would require legal activism and external funding. Basically the original project is dead insofar as the contributors are not comfortable with supporting a parasitic and probably malicious actor. I guess a fork is inevitable. Meanwhile the parasite will harvest the value of the 'brand', distribution rights, and existing codebase until it is drained by obsolescence.
A really disgusting way to treat a community by both parties. One can only hope that Mr. Oemcke desperately needed the money for some vital purpose.
I receive almost-weekly messages from folks offering to buy my extension.
https://add0n.com/tab-discard.html
https://addons.mozilla.org/en-US/firefox/addon/auto-tab-disc...
https://chrome.google.com/webstore/detail/auto-tab-discard/j...
We should really have separate dedicated browsers just for doing transactions.
I’d also like them to not silently update in the background.
In doing so, I lost about 60 suspended tabs, with no record in history as to what they were.
In some ways, this is like a weight off my back. On the other hand, I was going to read those tabs, I swear!
Oh well, time for me to search jstor for a history of copper mine consolidation, again.
This Extension being GPLv2, is there a way to report this obvious license violation to Google/GitHub? Would they care?