this post was submitted on 02 Sep 2023
147 points (90.2% liked)

Technology

59135 readers
2532 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
all 16 comments
sorted by: hot top controversial new old
[–] redditReallySucks@lemmy.dbzer0.com 41 points 1 year ago* (last edited 1 year ago) (2 children)

Or maybe only install extensions from trusted ~~sources~~ developers.

[–] 2Xtreme21@lemmy.world 28 points 1 year ago (1 children)

I think the point is that even if an extension comes from a trusted source, the developer could fairly easily push out an update that turns the extension into malware. Check the GitHub link in another comment below where the developer posts the solicitation emails he gets on a regular basis offering to monetize his extension. He isn’t selling out, but maybe not every dev is as willing as he is to forgo a potentially lucrative offer.

[–] RdVortex@lemmy.world 8 points 1 year ago* (last edited 1 year ago)

And there are cases where this has already happened: https://www.bleepingcomputer.com/news/security/-particle-chrome-extension-sold-to-new-dev-who-immediately-turns-it-into-adware/ There are probably more recent cases too, but this was the first one I could find.

[–] TheEntity@kbin.social 13 points 1 year ago (1 children)

To be specific: from trusted developers. Installing them only from the official repository (is it still possible to reasonably install them any other way?) won't help if a dev sells such an addon. On the other hand I cannot imagine someone like Raymond Hill (the uBlock Origin dev) doing it, considering his track record.

Yeah, that's what I meant.

[–] kindenough@kbin.social 15 points 1 year ago

Firefox will disable extensions in private mode if you want to

It’s interesting to read as I never thought about the vulnerability these extensions are.

I guess you should limit the number of extensions you have.

[–] igorlogius@lemmy.world 8 points 1 year ago* (last edited 1 year ago) (1 children)

I think i remember a post not to far back with a similar topic. Not sure if it was from the developer of the hooverzoom extension itself, but it definitly referenced some offers they collected.

edit: just noticed, that the article also references the offers (ref. https://github.com/extesy/hoverzoom/discussions/670 )

[–] Coolcoder360@lemmy.world 4 points 1 year ago

I love the offer of almost $15k to then say they can bargain if the users are active, like if it's worth that much without active users then that's definitely shady.

[–] djsaskdja@reddthat.com 7 points 1 year ago (1 children)

Exactly why most enterprise organizations disable them. You should too if you’re doing anything sensitive data.

[–] munderzi@feddit.ch 3 points 1 year ago (1 children)

That's why on my work PC I use a completely vanilla Firefox, gotta live with the ads. But I'm not risking giving full access to website content to any extension

[–] Franzia@lemmy.blahaj.zone 3 points 1 year ago (1 children)

I thought my ISP already had this data and is selling it. Should I go make sure all my extensions are 100% kosher?

[–] beaubbe@lemmy.world 9 points 1 year ago (1 children)

Your ISP cannot read https data in transit. Extensions can because the page is now rendered on your local browser.

[–] Franzia@lemmy.blahaj.zone 2 points 1 year ago