(for firefox/derivatives anyways...)
There has to be a better system. Maybe a public extension safety directory?
Additionally, Brave a chromium based browser has adblocking built into the browser itself meaning it is not affected by webextention changes and does not require trusting an additional 3rd party.
That can be circumnavigated by bundling the conversations into one POST to an API endpoint, along with a few hundred calls to several dummy endpoints to muddy the waters. Bonus points if you can make it look like an normal-passing update script.
It'll still show up in the end, but at this point your main goal is to delay the discovery as much as you can.
“I know, let’s have an AI do all the work for us instead. Let’s take a coffee break.”
Sometimes things don't make sense to me, like how "Uber Driver app access background location and there is no way to change that from settings" - https://developer.apple.com/forums/thread/783227
The developer documentation is actually pretty clear about this: https://developer.apple.com/documentation/bundleresources/ch...
Or they'd tell WhatsApp to allow granting microphone permissions for one single call, instead of requesting permanent microphone permissions. All apps that I know of respect the flow of "Ask every time", all but Meta's app.
Google just doesn't care.
> Urban Cyber Security INC
https://opencorporates.com/companies/us_de/5136044
https://www.urbancybersec.com/about-us/
I found two addresses:
> 1007 North Orange Street 4th floor Wilmington, DE 19801 US
> 510 5th Ave 3rd floor New York, NY 10036 United States
and even a phone number: +1 917-690-8380
https://www.manhattan-nyc.com/businesses/urban-cyber-securit...
They look really legitimate on the outside, to the point that there's a fair chance they're not aware what their extension is doing. Possibly they're "victim" of this as well.
The NY address is a virtual office.
https://themillspace.com/wilmington/
The DE address is a virtual office plus coworking facility.
You run a business from home but do not want to reveal you personal address to the world.
You are from a country that Stripe doesn’t support but need to make use of their unique capabilities like Stripe Connect, then you might sign up for Stripe Atlas to incorporate in the USA so you can do business directly with Stripe. Your US business then needs a US physical address ie virtual office.
Etc
If that looks use-italics "really legitimate" to you, then you might be easily scammed. I'm not saying they're not legitimate, but nothing that you shared is a strong signal of legitimacy.
It would take a perhaps a few hundred dollars a month to maintain a business that looked exactly like this, and maybe a couple thousand to buy one that somebody else had aged ahead of time. You wouldn't have to have any actual operations. Just continuously filed corporate papers, a simple brochure website, and a couple virtual office accounts in places so dense that people don't know the virtual address sites by heart.
Old advice, but be careful believing what you encounter on the internet!
> Old advice, but be careful believing what you encounter on the internet!
Try to not be terminally cringe either?
And also, why extension for vpn? I live in country where almost everybody uses vpn just to watch YouTube and read twitter, and none of my friends uses some strange extensions. There are open source software for that - from real vpn like wireguard, to proxy software like nekoray/v2raytun. Browser extension is the last thing I would install to be private.
What, there's an issue because I'm not being underhanded about it like that swatcoder guy?
> And also, why extension for vpn?
Why are you asking me that?
> What, there's an issue because I'm not being underhanded about it like [that] guy?
Wow you’ve put something into words here I never consciously realized is an unwritten rule. Sounds silly but yea you’re 100% right; that seems to be exactly the game we play.
For better or for worse.
Based on what? The same instinct that told you having an address and phone number makes an entity legitimate? The chance the people behind this company live in the US is incredibly low. And even if they do live in the US what exactly would they be getting charged with and who would care enough to charge them?
1000 N. WEST ST. STE. 1501, WILMINGTON, New Castle, DE, 19801
It almost matches this law firms address but not quite.
https://www.skjlaw.com/contact-us/
Brandywine Building 1000 N. West Street, Suite 1501 Wilmington DE 19801
> This company has been on researchers' radar before. Security researchers Wladimir Palant and John Tuckner at Secure Annex have previously documented BiScience's data collection practices. Their research established that:
> BiScience collects clickstream data (browsing history) from millions of users Data is tied to persistent device identifiers, enabling re-identification The company provides an SDK to third-party extension developers to collect and sell user data
> BiScience sells this data through products like AdClarity and Clickstream OS
> The identical AI harvesting functionality appears in seven other extensions from the same publisher, across both Chrome and Edge:
Hmm.
> They look really legitimate on the outside
Hmm, what, no.
We have a data collection company, thriving financially on lack of privacy protections, indiscriminant collection and collating of data, connected to eight data siphoning "Violate Privacy Network" apps.
And those apps are free... Which is seriously default sketchy if you can't otherwise identify some obviously noble incentives to offer free services/candy to strangers.
Once is happenstance, twice is coincidence, three (or eight) times is enemy action.
The only thing that could possibly make this look any worse is discovering a connection to Facebook.
BiScience is an Israeli company.
I do think security researchers would be able to figure out what scripts are downloaded and run.
Regardless, none of this seems to matter to end users whether the script is in the extension or external.
If so, I feel like something that limited is hardly even a browser extension interface in the traditional sense.
In much of the physical world thankfully there's laws and pretty-effective enforcement against people clubbing you on the head and taking your stuff, retail stores selling fake products and empty boxes, etc.
But the tech world is this ever-boiling global cauldron of intangible software processes and code - hard to get a handle on what to even regulate. Wish people would just be decent to each other, and that that would be culturally valued over materialism and moneymaking by any possible means. Perhaps it'll make a comeback.
I spend a lot of time trying to think of concrete ways to improve the situation, and would love to hear people's ideas. Instinctively I tend to agree it largely comes down to treating your users like human beings.
Get as off-grid as you possibly can. Try to make your everyday use of technology as deterministic as possible. The free market punishes anyone who “respects their users”. Your best bet is some type of tech co-op funded partially by a billionaire who decided to be nice one day.
Part of the problem has been that there's a mountain to climb vis a vis that extra ten miles to take something that 'works for me' and turn it into 'gramps can install this and it doesn't trigger his alopecia'.
Rather, that was the problem. If you're looking for a use case for LLMs, look no further. We do actually have the capacity to build user-friendly stuff at a fraction of the time cost that we used to.
We can make the world a better place if we actually give a shit. Make things out in the open, for free, that benefit people who aren't in tech. Chip away at the monopolies by offering a competitive service because it's the right thing to do and history will vindicate you instead of trying to squeeze a buck out of each and every thing.
I'm not saying "don't do a thing for money". You need to do that. We all need to do that. But instead of your next binge watch or fiftieth foray into Zandronum on brutal difficulty, maybe badger your llm to do all the UX/UI tweaks you could never be assed to do for that app you made that one time, so real people can use it. I'm dead certain that there are folks reading this now who have VPN or privacy solutions they've cooked up that don't steal all your data and aren't going to cost you an arm and a leg. At the very least, someone reading this has a network plugin that can sniff for exfiltrated data to known compromised networks (including data brokers) - it's probably just finicky to install, highly technical, and delicate outside of your machine. Tell claude to package that shit so larry luddite can install it and reap the benefits without learning what a bash is or how to emacs.
[1] https://secureannex.com/blog/cyberhaven-extension-compromise.... [2] https://secureannex.com/blog/sclpfybn-moneitization-scheme/ (referenced in the article)
There are honest ways to make a living. In this case honest is “being transparent” about the way data is handled instead of using newspeak.
"Let us handle all your internet traffic.. you can trust us.. we're free!"
No thank you.
But considering those are browser extensions, I think they can just inspect any traffic they want on the client side (if they can get such broad permissions approved, which is probably not too hard).
That's why TLS exists, after all. All Internet traffic is wiretapped.
> That's why TLS exists, after all.
That protects you if you're using standard methods to connect. Installed software gets to bypass it.
But it's cumbersome.
> "Let us handle all your internet traffic.. you can trust us.. []"
TLS does not help, when most Internet traffic is passed through a single entity, which by default will use an edge TLS certificate and re-encrypt all data passing through, so will have decrypted plain text visibility to all data transmitted.
but other than that I would never trust anything other than Mullvad/IVPN/ProtonVPN
VPNs are just one example. How many chrome extensions do you have that you don't use all the time, like adblockers, cookie consent form handlers or dark mode?
And um, a boy and a girl.
...
Anyway, the thing was that one day they started acting kinda funny. Kinda, weird.
They started being seen exchanging tokens of affection.
And it was rumoured they were engaging in...
> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not just automated scans.
I think we need both human review and for somebody to create an antivirus engine for code that's on par with the heuristics of good AV programs.
You could probably do even better than that since you could actually execute the code, whole or piecewise, with debugging, tracing, coverage testing, fuzzing and so on.
If you're feeling extra-paranoid, the XPI file can be unpacked (ZIP) and to check over the code for anything suspicious or unreasonably-complex, particularly if the browser-extension is supposed to be something simple like "move the up/down vote arrows further apart on HN". :P
While that doesn't solve the overall ecosystem issue, every little bit helps. You'll know it's time to run away if extensions become closed-source blobs.
> Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
Brave New World was apathy: the system was comfortable, Soma was freely available and there was a whole system to give disruptive elements comfortable but non disruptive engagement.
The protagonist in Brave New World spends a lot of time resenting the system but really he just resents his deformity, wanted what it denied him in society, and had no real higher criticisms of it beyond what he felt he couldn't have.
You might even imagine 1984's society evolving into Brave New World's as the mechanisms of oppression are gradually refined. Indeed, Aldous Huxley himself suggested as much in a letter to Orwell [1].
[1] https://gizmodo.com/read-aldous-huxleys-review-of-1984-he-se...
Bonus points if the government agency can leave most of the work to an ostensibly separate private company, while maintaining a "mutual understanding" of government favors for access.
Trusting Google with your privacy is like putting the fox in charge of the henhouse.
70 thousand users on what I would actually call "privacy" extensions.
Bit of a misleading title then.
Or that the review happened before the code harvested all the LLM conversations and never got reviewed after it was updated.
If you are not paying for the product, you are the product.
(Yes it really is AI-written / AI-assisted. If your AI detectors don’t go off when you read it you need to be retrained.)
The island states have been dethroned.
> The thought didn't let go. As a security researcher, I have the tools to answer that question.
What huh, no you don't! As a security researcher you should know better!
No. When you want to increase your security, you install fewer tools.
Each tool increases your exposure. Why is the security industry full of people who don't get this?
If you really are a security researcher then that's not true. You already know all this.
What we actually need is runtime permissions that fire when the extension tries to do something suspicious - like exfiltrating data to domains that aren't related to its stated function. iOS does this reasonably well for apps. Extensions should too.
The "Recommended" badge helps but it's a bandaid. If an extension needs "read and change all data on all websites" to work, maybe it shouldn't work.
Could one just feed the extension and a good prompt to claude to do this? Seems like automation CAN sniff this kind of stuff out pretty easily.
How is it possible to have extensions this egregiously malicious in the new system?
miladyincontrol•5h ago
With those extensions the user's data and internet are the product, most if not all are also selling residential IP access for scrapers, bots, etc.
Good thing Google is protecting users by taking down such harmful extensions as ublock origin instead.
SoftTalker•5h ago
fylo•5h ago
Retr0id•5h ago
DrewADesign•5h ago
bandrami•3h ago