LWN: Comments on "Malware in open-source web extensions"

Malware in open-source web extensions

ras — Mon, 22 Feb 2021 01:08:58 +0000

It's a mess. Maybe the tension between giving the extensions enough flexibility to do all the neat things they dream up now and forever more, yet not providing giving so much flexibility it can be exploited by malware is resolvable. But it seems unlikely to me. The same tension exists in Android. My wife's phone has been exploited by an app going the same transfer of ownership shenanigans. I guess it exists everywhere outside of an open source ecosystem like Debian, I just don't notice it for the most part because I only use Debian.

For a while now it I've thought the only way it is a 2 level permission system. Open source software that only uploads the output of a reproducible build to the store, preferably with the store doing the build or at least reproducing it first gets a fairly permissive set of permissions. The rest get Manifest V3, with added hand cuffs for good measure.

I guess Apple sort of has a third way: an app store policed by a truly vigilant benevolent dictator. Sort of, because while Apple has a lot of satisfied customers they aren't as benevolent as I'd like. My Android phone can do all sorts of things Apple bans - like run a 3rd party web browser.

It's just a dream, of course. There is no sign the capitalists who run our part of the planet have woken up to fact our western notions of a man having absolute dominion over his property doesn't work so well for software. Black box automatically updated software has lead to a break down in security for everyone. I had hoped some of their more recent extreme solutions, like banning proprietary code from Huawei, or the Australian government giving themselves permission to remotely, silently and undetectably install spy code on every proprietary platform out there owned by a company with a legal presence in Australia might have caused a penny to drop. But not yet.

Malware in open-source web extensions

calumapplepie — Sun, 21 Feb 2021 05:11:07 +0000

After I (and others) emailed them, the developer posted a few times on the discussion. The first post-removal example is here: https://github.com/greatsuspender/thegreatsuspender/issue...

(It's fairly annoying the degree to which GitHub collapses comments, making it hard to find the specific one you want)

Malware in open-source web extensions

giraffedata — Sun, 21 Feb 2021 04:06:51 +0000

That's weird. With Opera, you pay nothing and an engineer spends time reviewing your submission, and with Chrome, you pay and nobody does anything?

Malware in open-source web extensions

whyagaintang — Sat, 20 Feb 2021 22:18:08 +0000

Did anyone from LWN/author contact https://github.com/deanoemcke? A cursory search shows https://nz.linkedin.com/in/deanoemcke as the developer's bio. May be you can get their opinion on this issue?

Malware in open-source web extensions

ILMostro — Thu, 18 Feb 2021 19:28:46 +0000

Thanks for chiming in on this. I had the same question.
By the way, some of the other names referenced in this article show up as firefox addons, though I don't see that they are at all tied to the same nefarious actors. Sounds like similar attempts at this sort of thing will just keep getting more commonplace.

Malware in open-source web extensions

LtWorf — Wed, 17 Feb 2021 11:02:26 +0000

I have made a couple of chromium extensions and published it on the Opera extensions store because it's free to publish there (unlike google where I have to pay).

When I published them, they were reviewed manually and I even had to fix some issues in the code.

I guess google does no review.

Malware in open-source web extensions

calumapplepie — Wed, 17 Feb 2021 05:15:13 +0000

Firefox has two policies that prevent this: a 'recommended extensions' program of regularly vetted (and usually open-source) extensions, and a total ban on extensions executing code loaded from remote servers. They also require that reproducible source code be provided to them for analysis, which prevents just obfuscating the code. I won't say their system is perfect (For instance, WebOfTrust sold insufficiently anonymized user data) but IMHO it's better than Chrome.

The Great Suspender was never distributed on Firefox, however: possibly due to a chrome-specific API.

Malware in open-source web extensions

flussence — Wed, 17 Feb 2021 03:50:41 +0000

Honest question: is any other browser addon/extension repository doing better than Google at protecting users from this sort of thing? They all use the same WebExtension API nowadays, so things like that have become the only differentiator.

Author of uBlock Origin clarifies a few things

Henning — Wed, 17 Feb 2021 03:23:44 +0000

It might be minor, but Raymond Hill posted a comment on Hacker News regarding the history of uBlock Origin that clarified a few points regarding this article. I think it should be referenced here as well for those interested:
https://news.ycombinator.com/item?id=26161702

Thanks for this writeup

sumanah — Tue, 16 Feb 2021 23:48:56 +0000

I had heard about this extension being suspended but did not know the backstory and implications -- thank you for the detailed explanation!