Re: "Backdoor" Accusations
Let me address these claims with actual facts and code.
The "backdoor" is a version checker. Here's the entire function:
Code:
    function checkForUpdates(currentVersion) {
        fetch('https://webigniter.com/downloads/tango-down-version.txt')
            .then(response => response.text())
            .then(latestVersion => {
                latestVersion = latestVersion.trim();
                if (compareVersions(latestVersion, currentVersion) > 0) {
                    showUpdateNotice(latestVersion);
                }
            });
    }
It fetches a text file containing 1.6.5, compares version numbers, and shows "Update available" if there's a new version. That's it.
Zero data is sent FROM your browser TO my server. Ever.
The "XSS vulnerability" argument is absurd. The claim is that I could replace my version.txt with malicious JavaScript. By that logic:
- Every Chrome extension is a "backdoor" because developers could push malicious updates
- Every website is a "backdoor" because owners control their servers
- Every piece of software ever written is a "backdoor"
This isn't a vulnerability. It's "the developer controls their own server." Shocking.
The code is 100% visible. Unlike compiled software, Chrome extensions are just JavaScript files. Anyone can right-click, inspect, and read every line. There's nothing hidden. The "backdoor" is 33 lines of readable update-checking code that Mark apparently couldn't understand.
The GitHub links are irrelevant misdirection. Random OWASP cheat sheets and unrelated XSS examples don't prove anything about my code. It's the forum equivalent of throwing around big words hoping nobody checks.
If Mark Prince is a "longtime programmer," he should know the difference between a version checker and a RAT. The extension is open for anyone to inspect. I'd encourage people to actually read the code instead of taking accusations from someone with an obvious agenda at face value.
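
Added example, not part of the original post and not the extension's own code: one way an update check like the one quoted above can treat the fetched file as untrusted input, so that only a plain `x.y.z` string can ever reach the page. The helper names, the length limit and the `noticeEl` element are assumptions; the post does not show how `showUpdateNotice` renders its argument.

```javascript
// Assumed bounds: a version file holds one short "x.y.z" string (e.g. 1.6.5).
const MAX_LEN = 32;
const VERSION_RE = /^(\d{1,5})\.(\d{1,5})\.(\d{1,5})$/;

// Returns [major, minor, patch], or null if the text is anything but x.y.z.
function parseVersion(text) {
  if (typeof text !== 'string' || text.length > MAX_LEN) return null;
  const m = VERSION_RE.exec(text.trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of parsed versions: >0 if a is newer than b.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns the validated, re-serialized version if it is newer, else null.
// The raw response text itself is never passed on to the caller.
function newerVersion(remoteText, currentVersion) {
  const latest = parseVersion(remoteText);
  const current = parseVersion(currentVersion);
  if (!latest || !current) return null;
  return compareParts(latest, current) > 0 ? latest.join('.') : null;
}

// noticeEl is a hypothetical DOM element that displays the update notice.
async function checkForUpdates(currentVersion, url, noticeEl) {
  try {
    const response = await fetch(url, { cache: 'no-store', credentials: 'omit' });
    if (!response.ok) return;
    const latest = newerVersion(await response.text(), currentVersion);
    // textContent writes plain text; the value is never parsed as HTML.
    if (latest) noticeEl.textContent = `Update available: ${latest}`;
  } catch (err) {
    // Network or parsing failure: skip the update notice.
  }
}
```

With this shape, the content of the remote file can only change whether a notice appears and which digits it shows.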