...continued.
Also there's this:
Quote:
Originally Posted by Mindi
The code is 100% visible.
This is irrelevant.
Yes, we can see the code NOW, but that doesn’t change the underlying problem. The exploit code is not coming from the extension itself, it’s being delivered from the server. Users have no visibility into what’s inside version.txt before it executes, and no browser gives any warning that an extension is about to run remotely supplied code. By the time anyone can “see” it, it has already run.
It's sneakier than a backdoor because a traditional extension backdoor:
1. Author pushes malicious update
2. Chrome Web Store review (takes hours/days)
3. Users install update
4. Evidence trail exists (update history, review logs)
This XSS backdoor:
1. Author edits one text file
2. Takes effect instantly
3. No Chrome review
4. No update required
5. No evidence (Mindi deletes the malicious version.txt after 5 minutes)
6. Impossible to prove it happened
Finally, Pheer, a better response from you should have been something like "Thank you for reporting this" (and sure, you could have thrown some fun insults in towards me if you felt like it), but misleading technical rebuttals, immediate personal attacks, demands for censorship ("Will a mod finally ban..."), deflection to unrelated grudges, etc. etc., aren't the way.
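
The mitigation for the pattern described in the post above, as an added example that is not part of the original post or the extension's code: the fetched version.txt is treated as untrusted data, accepted only if it is a bare version number, and written with `textContent` so it never reaches an HTML parser. The function names, the length cap and the dotted version format are assumptions.

```javascript
// Added example: handle a remotely fetched version.txt as data, never as markup.
// MAX_CHARS, VERSION_RE and all function names are assumptions for illustration.
const MAX_CHARS = 32;
const VERSION_RE = /^\d{1,4}(\.\d{1,4}){1,3}$/;

// Returns the version as an array of integers, or null when the body is
// anything other than a bare dotted version number.
function parseRemoteVersion(body) {
  if (typeof body !== "string" || body.length > MAX_CHARS) return null;
  const text = body.trim();
  if (!VERSION_RE.test(text)) return null;
  return text.split(".").map(Number);
}

// Sort-style comparator: negative, zero or positive.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Builds the notice from the validated numbers only. Returns true when a
// notice was written, false when the remote body was rejected or not newer.
function showUpdateNotice(element, installed, remoteBody) {
  const remote = parseRemoteVersion(remoteBody);
  const local = parseRemoteVersion(installed);
  if (remote === null || local === null) return false;
  if (compareVersions(remote, local) <= 0) return false;
  element.textContent = "Update available: " + remote.join(".");
  return true;
}

// Constructed sample inputs; `el` stands in for a DOM element.
const el = { textContent: "" };
console.log(showUpdateNotice(el, "1.4.2", "1.5.0\n"), el.textContent);
console.log(showUpdateNotice(el, "1.4.2", "1.5.0<script>/* constructed */</script>"));
```

Because the server response can change at any time without a store review, the validation has to run on every fetch inside the extension; inspecting the file once proves nothing about later responses.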