Quote:
Originally Posted by Killswitch
You're making a mountain out of a molehill.
I disagree. I don’t think this was a molehill at all, and here’s why, purely on the technical side, not personalities.
Pheer's original release had three objectively serious issues:
1) It executed code pulled from a remote server using innerHTML.
In plain terms: if the file on that server was altered, the extension could run any JavaScript on users’ browsers with extension privileges. That’s not theoretical, that’s a textbook DOM-XSS vector as I pointed out earlier.
2) It ran on <all_urls>.
That means every site you visit, including webmail, banking, admin panels, analytics, everything, not just GFY. Even if the code didn't abuse that access, the capability was there. Everyone here on GFY is checking their stats, their CCBill accounts, their Elevated-X dashboards, etc. All of this info would now be exploitable.
3) It requested broader permissions than needed.
Specifically permissions that allow visibility into tabs and browsing context, which is exactly what security reviews flag first.
To put this in non-technical terms: if you install software that can see everything you browse, and can run code delivered remotely, you don't judge it by whether the author says "trust me", you judge it by whether the design prevents abuse.
That's not drama, that's basic security hygiene. Pheer wants to be taken seriously as a coder for the GFY community? Great! But pointing out issues helps the community, not hurts it, wouldn't you agree?
Cheers.
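An added example, not code from the thread or from the extension being discussed: a small static review script that checks an extension manifest and its source files for the three issues raised above (remote HTML written via innerHTML, `<all_urls>` host scope, and broad privileged permissions), with a constructed weak manifest beside a constructed tightened one. All names here (`reviewExtension`, the `forum.example` and `updates.example` hosts, the file contents) are assumptions for illustration.

```javascript
// Static review of a browser-extension manifest plus source text for the
// three issues discussed in the post. Added example; names are assumptions.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Permissions that expose tabs / browsing context and are flagged first in review.
const SENSITIVE_PERMISSIONS = new Set(['tabs', 'webNavigation', 'history', 'cookies', 'webRequest']);

// manifest: parsed manifest.json object; sourceFiles: { filename: sourceText }.
// Returns an array of { id, detail } findings (empty array = nothing flagged).
function reviewExtension(manifest, sourceFiles) {
  const findings = [];

  // Issue 2: host scope. Gather every host pattern the manifest declares.
  const hostPatterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const p of hostPatterns) {
    if (BROAD_HOST_PATTERNS.includes(p)) {
      findings.push({ id: 'broad-host-scope', detail: `host pattern ${p} matches every site` });
    }
  }

  // Issue 3: privileged API permissions beyond what a single-site helper needs.
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) {
      findings.push({ id: 'sensitive-permission', detail: `permission ${p} exposes browsing context` });
    }
  }

  // Issue 1: content fetched from a remote origin and written with innerHTML
  // (markup from the server is parsed and any script-bearing markup executes
  // in the extension's context), or source evaluated dynamically.
  const fetchesRemote = /\bfetch\s*\(\s*['"`]https?:\/\//;
  const assignsInnerHtml = /\.innerHTML\s*(=|\+=)/;
  const dynamicCode = /\beval\s*\(|\bnew\s+Function\s*\(/;
  for (const [name, src] of Object.entries(sourceFiles)) {
    if (fetchesRemote.test(src) && assignsInnerHtml.test(src)) {
      findings.push({ id: 'remote-html-injection', detail: `${name} fetches a remote URL and assigns innerHTML` });
    }
    if (dynamicCode.test(src)) {
      findings.push({ id: 'dynamic-code', detail: `${name} evaluates code at runtime` });
    }
  }
  return findings;
}

// Constructed "before" manifest and source, mirroring the issues in the post.
const WEAK_MANIFEST = {
  manifest_version: 2,
  name: 'forum-helper (weak, constructed)',
  permissions: ['tabs', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const WEAK_SOURCES = {
  'content.js':
    "fetch('https://updates.example/snippet.html')\n" +
    '  .then((r) => r.text())\n' +
    '  .then((html) => { document.body.innerHTML = html; });\n',
};

// Constructed "after" manifest and source: one site only, no tab visibility,
// and remote text is rendered as text rather than parsed as markup.
const TIGHT_MANIFEST = {
  manifest_version: 3,
  name: 'forum-helper (tightened, constructed)',
  permissions: ['storage'],
  host_permissions: ['https://forum.example/*'],
  content_scripts: [{ matches: ['https://forum.example/*'], js: ['content.js'] }],
};
const TIGHT_SOURCES = {
  'content.js':
    "fetch('https://updates.example/notice.txt')\n" +
    '  .then((r) => r.text())\n' +
    "  .then((text) => { document.getElementById('notice').textContent = text; });\n",
};

function findingIds(manifest, sources) {
  return reviewExtension(manifest, sources).map((f) => f.id).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', reviewExtension(WEAK_MANIFEST, WEAK_SOURCES));
  console.log('tight:', reviewExtension(TIGHT_MANIFEST, TIGHT_SOURCES));
}
```

Run with `node review.js` to print the findings for both manifests. The checks are deliberately pattern-based: they will miss obfuscated code and are a first pass for a review, not a substitute for reading the source, but they catch exactly the three design properties the post lists before any argument about intent starts.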