12-28-2025, 04:59 PM
👏 REVOLUTIONARY 👏
Join Date: Oct 2012
Posts: 2,475
Quote:
Originally Posted by 2MuchMark
Everyone, please read:
Mindi/Pheer's original release (v1.6.5) had three concrete issues that matter to anyone installing browser extensions:
1) It ran on all websites, not just GFY
The extension’s content script was scoped to <all_urls>, meaning it executed on every site you visited including banking, email, shopping, admin panels, everything, not just GFY. Even though the feature was “forum blocking,” the code was active everywhere your browser went.
2) It requested the tabs permission
This permission allows an extension to see all open tabs and their URLs, not just the current page. It could see what sites you had open, even when you weren’t using the extension.
3) The update checker used unsafe HTML injection
The extension checked a remote text file on the author’s server to see if an update was available, then injected that value directly into the extension UI using innerHTML. This is a very well-known DOM-based XSS vulnerability. If that remote file were altered (intentionally or by compromise), it could execute JavaScript inside the extension with extension-level privileges. A remote file controlled what code ran inside the extension popup. That is not safe, and it is a known attack pattern.
These issues were publicly pointed out, with specific code references. After I pointed all of this and more out in Pheer's code, he says he has issued a new version. What changed? I do not know. Is it fixed? I do not know. Will I check? No. This is up to MindiPheer to do. Will you trust him? Review everything he has said in this thread so far and decide for yourself.
This isn’t about drama or motive. It’s about process.
- MindiPheer's original version shipped over-scoped and unsafe
- His fixes came after I pointed out the problems. Twice.
- If you were an early adopter of MindiPheer's software, you were exposed to risk that should never have existed
“Built for the community” software should launch with minimum permissions, limited scope, and safe defaults, not require public review to reach that state.
You're making a mountain out of a mole hill.
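The three points in the quoted post (a content script scoped to every site, the tabs permission, and remote text landing in innerHTML) as an added example; this is not code from the thread or from the extension under discussion. The manifest keys are standard Manifest V3 names; the forum host pattern and the sample manifests are constructed.

```javascript
// Added example, not the extension's own code. Models the three issues from the post:
// (1) content-script scope, (2) the tabs permission, (3) remote text written via innerHTML.

const EVERY_SITE = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const BROAD_PERMS = new Set(["tabs", "webRequest", "history", "cookies"]);

// Returns human-readable findings for a manifest object (empty list = nothing flagged).
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts ?? []) {
    for (const m of cs.matches ?? []) {
      if (EVERY_SITE.has(m)) findings.push(`content script scoped to every site: ${m}`);
    }
  }
  for (const p of manifest.permissions ?? []) {
    if (BROAD_PERMS.has(p)) findings.push(`broad permission requested: ${p}`);
  }
  for (const h of manifest.host_permissions ?? []) {
    if (EVERY_SITE.has(h)) findings.push(`host access to every site: ${h}`);
  }
  return findings;
}

// Unsafe banner: whatever the remote file contains is parsed as markup in the popup.
function renderUpdateUnsafe(el, remoteText) {
  el.innerHTML = `Update available: ${remoteText}`;
}

// Safe banner: accept only a strict version string and write it as text, never markup.
// Returns the accepted version, or null when the response is rejected.
function renderUpdateSafe(el, remoteText) {
  const m = /^\s*(\d+\.\d+\.\d+)\s*$/.exec(remoteText);
  el.textContent = m ? `Update available: v${m[1]}` : "Update check: unexpected response";
  return m ? m[1] : null;
}

// Constructed manifests: the over-scoped shape beside a single-site, no-tabs shape.
// "https://forum.example/*" is a placeholder host pattern, not the real forum.
const OVER_SCOPED = {
  manifest_version: 3,
  permissions: ["tabs", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["block.js"] }],
};
const MINIMAL = {
  manifest_version: 3,
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://forum.example/*"], js: ["block.js"] }],
};
```

Run auditManifest over a real manifest.json before installing an extension; the two render functions take any object with innerHTML/textContent properties, so they work against a real popup element or a plain object in tests.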