• Fizz@lemmy.nzEnglish
    2·
    8 hours ago

    So what’s the lesson? How can we trust browser extensions? Ublock could go bad and cook half the globe.

    • mal3oon@lemmy.worldEnglish
      2·
      4 hours ago

      It’s really unbelievable at this point. It’s like that gentoo, meme, you have to compile your extension from sources. Even worse, as the ‘supply chain’ chain attack in ssh showed, you have to read the code yourself too. I am not sure if Linux becoming popular is a good thing anymore.

    • MalMen@masto.pt
      3·
      7 hours ago

      @Fizz @homesweethomeMrL samething with everyrhing we use… You can go gentoo way and compile yourself the software you use, but even that way unless you check every line of code, you are trusting that the code behave the way you supose it does

      • Fizz@lemmy.nzEnglish
        1·
        1 hour ago

        I really dont wanna do that. Firefox should add 3rd party repos so my distro packagers can handle that. They love that nerd shit and I trust them more than Firefox or chrome

  • earthworm@sh.itjust.worksEnglish
    28·
    18 hours ago

    TL;Dr: Browser extensions are malware sleeper agents.

    The systemic problem isn’t just one malicious actor. It’s that the security model incentivizes this behavior:

    1. Build something legitimate
    2. Pass review and gain trust signals (installs, reviews, verified badges)
    3. Collect large user base
    4. Weaponize via update
    5. Profit before detection

    ShadyPanda proved this works. And now every sophisticated threat actor knows the playbook.

    • vacuumflower@lemmy.sdf.orgEnglish
      2·
      12 hours ago

      So, asking the past defenders of such a situation again, was XUL really worse or is it in effect the same?

      Except XUL also allowed such customization that very rarely an extension would become as popular as they become now. Fragmentation as a defense.

      (That refers to the discussions about Firefox dropping XUL in the past, killing many-many good extensions and ways to make them and alternative browsers built on XULRunner.)

    • HeerlijkeDrop@thebrainbin.org
      6·
      10 hours ago

      I don’t see anything special on this screenshot. Most of the websites display this, at least when you have an European IP. This pop up is only exceptional in that it doesn’t lag on my phone, displays correctly and has a “Reject all” button