Comment by GeekyBear
2 days ago
I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program.
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not just automated scans.
Yeah IT pros and tech aware "power" users can always take these measures but the very availability of poor or maliciously coded extensions and apps in popular app stores makes it a problem considering normies will get swayed by the swanky features the software promises and will click past all misgivings and warnings. Social engineering attacks are impossible to prevent using technical means alone. Either a critical mass of ordinary people need to become more safety/privacy conscious or general purpose computing devices will become more & more niche as the very industry which creates these problems in the first place by poor review will also sell the solution of universal thin-clients and locked down devices, of course with the very happy cooperation of govts everywhere.
> I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program.
If you're feeling extra-paranoid, the XPI file can be unpacked (it's a ZIP) and the code checked over for anything suspicious or unreasonably complex, particularly if the browser extension is supposed to be something simple like "move the up/down vote arrows further apart on HN". :P
While that doesn't solve the overall ecosystem issue, every little bit helps. You'll know it's time to run away if extensions become closed-source blobs.
You can also, more conveniently, plug an extension's URL into this viewer:
https://robwu.nl/crxviewer/
Now I have to trust that the viewer doesn't hide the malicious code, and that my browser doesn't either (presumably via an existing untrustworthy extension).
The question is, does Mozilla rigorously review every single update of every featured extension? Or did they just vet it once, and a malicious developer may now introduce data collection or similar "features" through a minor update of the extension and keep enjoying the "recommended" badge from Mozilla?
This may also be the reason for the extension being "Featured" on the Chrome Web Store: Google vetted it once, and didn't think about it for each update.
> The question is, does Mozilla rigorously review every single update of every featured extension?
Yes.
This is just spreading FUD where an answer could have been provided.
> Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
That link doesn't answer the question though. It states that the extension is reviewed before receiving the recommended status. It does not state that updates are reviewed.
The problem is most codebases are huge - millions of lines when you include all the libraries etc.
Often they're compiled with TypeScript etc., making manual review almost impossible.
And if you demand the developer send in the raw uncompiled stuff, you have the difficulty of Google/Mozilla having to figure out how to compile an arbitrary project which could use custom compilers or compilation steps.
Remember that someone malicious won't hide their malicious code in main.ts... it's gonna be deep inside a chain of libraries (which they might control too, or might have vendored).
For example, the following hidden anywhere in the codebase allows arbitrary code execution even under the most stringent JavaScript security policy (no eval etc):
I=c=>c.map?c[0]?c.reduce((a,b)=>a[b=I(b)]||a(b),self):c[1]:c
(How it works is an exercise to the reader)
The actual code to run can be delivered as an innocuous looking JavaScript array from some server, and potentially only delivered to one high value target.
And the reason we can’t put execution of non-declared code behind a permission is because one anal developer at chrome thinks that we shouldn’t break existing sites even though no serious site would do this and you could just show a permission popup with triangle exclamation mark
Let me ask Gemini
Wow, it deconstructed it beautifully
A Concrete Example: Imagine you pass this array to the function: ['alert', 'Hello World']
Here is the step-by-step execution:
Isn't minified code banned from Chrome extensions?
Probably off topic: I once tried to find bad code in a WordPress theme. And it was hidden so deep and inconspicuously. The only thing that really helped was to do a diff.
In JS it can be much harder to find anything suspicious when the code is minified.
But back to Firefox: My house, my rules. So let external developers set some more strict rules that discourage the bad actors a little.
When managers take up their positions, they must sign not only their employment contracts but also various codes of ethics and other documents.
When a survey was conducted on the misuse of finances and powers, it was found that managers who did not sign the code (because they had to study it and then "forgot" to do so) were more likely to cheat than those who actually signed the documents.
Funny enough, the article mentions this extension was manually reviewed:
> A "Featured" badge from Google, meaning it had passed manual review and met what Google describes as "a high standard of user experience and design."
I at some point vetted the extensions for myself.
What I saw in the Mozilla extensions store was anything from using minified code (what is this? it might have been useful in the late 90's on the web, but it surely is not necessary as part of an extension that doesn't download its code from anywhere), to just full-on data stealing code (reported, and Mozilla removed it after 2 weeks or so).
I don't trust the review process one bit if they allow minified code in the store. For the same reason, "manual" review doesn't fill me with any extra warm confidence feeling. I can look at minified code manually myself, but it's just gibberish, and suspicious code is much harder to discern.
Also, I just stopped using third party extensions, except for 2 (violentmonkey, ublock), so I no longer do reviews. I had a script that would extract the XPI into a git repository before update, do a commit and show me a diff.
A friendly extension store for security-conscious users would make it easy to review the source code of the extension before hitting install or update. This is like the most security-sensitive code that exists in the browser.
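The XPI-unpacking check suggested earlier in the thread and the extract-commit-diff script this commenter describes, written out as an added example; this is not code from the thread, from Mozilla, or from any extension store. It treats an XPI as the plain ZIP archive it is, lists added, removed and changed files between the installed version and the update, produces a unified diff for changed text files, flags JavaScript that looks minified using a simple long-line/low-whitespace heuristic (the thresholds are my own assumptions, not a standard), and reports any permissions the update newly requests. The two toy extension versions and all function and file names are constructed here for the demonstration.

```python
"""Review-before-update helper for Firefox XPI packages (added example).

Assumption: an XPI is an ordinary ZIP whose members are the extension's files,
with manifest.json at the root. Function names and thresholds are hypothetical.
"""
import difflib
import io
import json
import zipfile


def unpack_xpi(data: bytes) -> dict[str, bytes]:
    """Return {path: bytes} for every regular file inside the XPI (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}


def looks_minified(src: bytes, max_line_len: int = 500, min_ws_ratio: float = 0.08) -> bool:
    """Heuristic (assumed thresholds): very long lines or almost no whitespace
    means a human reviewer cannot realistically read the file."""
    text = src.decode("utf-8", errors="replace")
    if not text.strip():
        return False
    longest = max(len(line) for line in text.splitlines())
    ws_ratio = sum(ch.isspace() for ch in text) / len(text)
    return longest > max_line_len or ws_ratio < min_ws_ratio


def new_permissions(old_manifest: bytes, new_manifest: bytes) -> list[str]:
    """Permissions the update requests that the installed version did not."""
    def perms(raw: bytes) -> set[str]:
        m = json.loads(raw)
        return set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return sorted(perms(new_manifest) - perms(old_manifest))


def review_update(old_xpi: bytes, new_xpi: bytes) -> dict:
    """Compare two XPI versions and return what a reviewer should look at first."""
    old, new = unpack_xpi(old_xpi), unpack_xpi(new_xpi)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])

    # Unified diff per changed file, same shape as `git diff` would show.
    diffs = {}
    for path in changed:
        a = old[path].decode("utf-8", errors="replace").splitlines(keepends=True)
        b = new[path].decode("utf-8", errors="replace").splitlines(keepends=True)
        diffs[path] = "".join(difflib.unified_diff(a, b, f"a/{path}", f"b/{path}"))

    # New or changed JS that cannot be read by eye is the first thing to question.
    minified = sorted(p for p in added + changed
                      if p.endswith(".js") and looks_minified(new[p]))

    perms = []
    if "manifest.json" in old and "manifest.json" in new:
        perms = new_permissions(old["manifest.json"], new["manifest.json"])

    return {"added": added, "removed": removed, "changed": changed,
            "diffs": diffs, "minified_js": minified, "new_permissions": perms}


def _zip_bytes(files: dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def build_sample_xpis() -> tuple[bytes, bytes]:
    """Two constructed toy versions of a fictional extension (not a real add-on)."""
    old = _zip_bytes({
        "manifest.json": json.dumps({"manifest_version": 2, "name": "demo",
                                     "version": "1.0", "permissions": ["storage"]}, indent=2),
        "content.js": "function adjust() {\n  const spacing = 12;\n  adjustArrows(spacing);\n}\n",
    })
    new = _zip_bytes({
        "manifest.json": json.dumps({"manifest_version": 2, "name": "demo",
                                     "version": "1.1", "permissions": ["storage", "webRequest"]}, indent=2),
        "content.js": "function adjust() {\n  const spacing = 12;\n  adjustArrows(spacing);\n  loadVendor();\n}\n",
        # One ~900-character line with no whitespace: what a minified bundle looks like.
        "lib/vendor.min.js": "!function(){" + "a=1;" * 220 + "}();",
    })
    return old, new


if __name__ == "__main__":
    old_xpi, new_xpi = build_sample_xpis()
    report = review_update(old_xpi, new_xpi)
    for key in ("added", "removed", "changed", "minified_js", "new_permissions"):
        print(f"{key}: {report[key]}")
    for path, diff in report["diffs"].items():
        print(diff)
```

Against real files, read the installed and the downloaded XPI from disk and pass their bytes to `review_update`; the minification thresholds are a starting point to tune, and a flagged file is a prompt to look closer, not a verdict.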
> I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not automated scans.
I think we need both human review and for somebody to create an antivirus engine for code that's on par with the heuristics of good AV programs.
You could probably do even better than that since you could actually execute the code, whole or piecewise, with debugging, tracing, coverage testing, fuzzing and so on.
The article states that Google has done the same for this extension as part of providing its "Featured" badge.
The article says the extension has been "manually reviewed" by Google.
...and we all know that Google never does anything "manually", so I'd take that with the appropriate serving of salt.
The same applies to code editor extensions!