Quote:
Originally Posted by Mindi
Re: 2MuchMark's Security Analysis
The innerHTML issue in the version checker was a valid technical point. Fixed in v1.7.0, pushed today:
Security Hardening:
// Version-check hardening as posted, wrapped in a function so the pieces fit together;
// the template now uses the same variable the checks were applied to.
function showUpdateNotice(span, latestVersion) {
// 1. Strip everything except digits and dots
latestVersion = latestVersion.trim().replace(/[^0-9.]/g, '');
// 2. Validate format - only accepts patterns like 1.7.0
if (!/^\d+\.\d+(\.\d+)?$/.test(latestVersion)) return;
// 3. Use textContent instead of innerHTML - nothing executes even if above failed
span.textContent = `Update available: v${latestVersion}`;
}
Permission Changes:
- Removed <all_urls> - now restricted to forum URL patterns only
- Removed tabs permission
Code is at https://webigniter.com/tango-down for anyone to verify.
Now let's talk about what this was actually about:
A real security researcher concerned about protecting users would have done responsible disclosure - contacted me privately so it could be fixed before anyone was at risk. Instead, 2MuchMark posted detailed exploit code publicly while calling it a "backdoor" and "RAT." That's not security research. That's a hit piece with technical words sprinkled in.
And notice how fris - someone who actually looked at the code - said "nothing malicious." Killswitch, who wrote the original version this was based on, defended it. The only people screaming "backdoor" are the same people who've been stalking me for months.
TheLegacy - the guy who needed Mark Prince to loan him a fake job title for his LinkedIn to speak at AVN - is suddenly an authority on code integrity. The same guy who teams up with Mark Osterholt to stalk my family. Real credible sources you've got there.
Here's the difference between me and you: when someone points out a legitimate issue, I fix it. Same day. v1.7.0 is live with triple-layer input sanitization, safe DOM methods, and tightened permissions. This was fixed within 15 minutes of me becoming aware of it, and under 2 hours of Mark posting it.
What did you do? Posted exploit code hoping to scare people away from a free tool that lets them block harassers like you.
Thanks for the free QA.
Right-click, goodbye (except on a mobile fucking browser)
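An added example, not the extension's code from the post above: the three-layer check from the post factored into testable functions, with a plain object standing in for the DOM span (an assumption, so it runs outside a browser) and a numeric comparison of version components, which goes beyond what the post shows.

```javascript
// Added example (not the extension's own code). All inputs below are constructed samples.

// Layers 1 and 2: reduce an untrusted response body to a vetted version string or null.
function sanitizeVersion(raw) {
  if (typeof raw !== 'string') return null;
  // 1. Strip everything except digits and dots
  const stripped = raw.trim().replace(/[^0-9.]/g, '');
  // 2. Accept only MAJOR.MINOR or MAJOR.MINOR.PATCH
  return /^\d+\.\d+(\.\d+)?$/.test(stripped) ? stripped : null;
}

// Layer 3: write with textContent so the value is rendered as literal text,
// even if a later change weakened the two layers above. Returns whether a notice was shown.
function renderUpdateNotice(span, raw) {
  const version = sanitizeVersion(raw);
  if (version === null) return false; // unparseable or malformed: show nothing
  span.textContent = `Update available: v${version}`;
  return true;
}

// Compare two vetted versions component by component, so "1.10.0" counts as newer
// than "1.9.0" (a plain string comparison would get that wrong). Missing PATCH is 0.
function isNewer(candidate, installed) {
  const a = candidate.split('.').map(Number);
  const b = installed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x > y;
  }
  return false;
}

// Stand-in for the DOM span the extension writes to (assumption: a plain object suffices).
function makeSpan() {
  return { textContent: '' };
}

// Constructed inputs: clean, whitespace-padded, markup-laden, pre-release tagged, malformed.
const samples = ['1.7.0', '  1.7 \n', '<b>1.7.0</b>', 'v1.7.0-beta', 'latest: 1.7.0.1', ''];
for (const s of samples) {
  const span = makeSpan();
  const shown = renderUpdateNotice(span, s);
  console.log(JSON.stringify(s), '->', shown ? span.textContent : '(rejected, nothing rendered)');
}
```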
1) This was not responsible disclosure territory. Responsible disclosure applies when:
- The researcher has privileged access, or
- The software is not yet being promoted for public installation.
This extension was actively promoted to the GFY community, with repeated calls to install it immediately. Once software is being encouraged for public adoption, public review is appropriate, especially for browser extensions.
2) The issues are real, not hypothetical. Your software executed remote, unsanitized data via innerHTML, ran on <all_urls> including banking, email, and admin panels, and requested the tabs permission without functional necessity.
Those are objective facts, MindiPheer. Calling that out is not a “hit piece,” it’s a simple, basic extension security review.
3) The fixes you claim you made prove my point. You say you removed <all_urls> and tabs, replaced innerHTML, added strict sanitization, etc., and if you did this, fantastic, good for you. But these weren’t cosmetic changes, they were structural risk reductions. Again, good for you if you actually did this. If there was “nothing to worry about,” none of that would have been necessary.
4) Public exploit examples are standard practice. Showing how an issue could be abused is how severity is established. That’s how Chrome extension reviews, bug bounties, and security advisories work. It’s not fear-mongering; it’s clarity.
5) The current version appears materially safer if you are telling the truth to the GFY Community about it.
That’s it MindiPheer. No vendetta. No stalking. No drama. Just standards.