
RE: Steemit More Info 1.3 - Chrome Extension + Firefox Extension

in #steemdev, 7 years ago

The danger is not whether or not the extension has any vulnerabilities now (and it does, right now, as you pointed out, with iframes)—but whether or not it could be updated with malicious code in the future automatically. This is how browser extensions work.

Everyone who uses this is trusting their account safety to the safety of @armandocat’s extension update keys/password. If those get compromised, a malicious update could get pushed that takes over all the users of the formerly-safe extension.

I love the work that is being done here and I’d love to see most of it integrated into condenser - but I can’t say it’s safe to run any browser extensions that can alter content on steemit.com, regardless of audit, because it’s not.
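As an added example, not code from the thread or from the extension itself: the two properties the comment above turns on are visible in an extension's manifest.json before you install it, namely whether the package declares an update channel (the auto-update path a compromised developer key could abuse) and which sites its content scripts and host permissions allow it to alter. The script below inspects a constructed sample manifest; the extension name, IDs and update URLs in it are assumptions for illustration, not the real extension's values.

```javascript
// Added example, not code from the extension or the thread: inspect an
// extension manifest for (a) a declared update channel and (b) which sites
// its content scripts and host permissions let it alter.
// The manifest below is constructed for illustration; the names and URLs
// in it are assumptions, not the real extension's values.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "example-steemit-helper",
  version: "1.3",
  // Self-hosted (non-store) update channel. A store-distributed build
  // normally omits this and is updated by the store instead, so an empty
  // result here does NOT mean "no auto-update"; only an unpacked install
  // from source opts out.
  update_url: "https://updates.example.invalid/chrome.xml",
  permissions: ["storage", "https://steemit.com/*"],
  content_scripts: [
    { matches: ["https://steemit.com/*", "https://*.busy.org/*"], js: ["content.js"] }
  ],
  browser_specific_settings: {
    gecko: { id: "helper@example.invalid", update_url: "https://updates.example.invalid/firefox.json" }
  }
};

// Chrome reads update_url at the top level; Firefox reads it under
// browser_specific_settings.gecko (older manifests: applications.gecko).
function updateChannels(manifest) {
  const out = [];
  if (manifest.update_url) out.push(manifest.update_url);
  const gecko = (manifest.browser_specific_settings || manifest.applications || {}).gecko;
  if (gecko && gecko.update_url) out.push(gecko.update_url);
  return out;
}

// Decide whether a WebExtension match pattern covers the given host name.
function patternMatchesHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|ws|wss|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const hostPart = m[2];
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    const suffix = hostPart.slice(2);
    return host === suffix || host.endsWith("." + suffix);
  }
  return host === hostPart;
}

// Every match pattern that grants script injection or host access.
function hostPatterns(manifest) {
  const patterns = [];
  for (const cs of manifest.content_scripts || []) patterns.push(...(cs.matches || []));
  for (const p of [...(manifest.permissions || []), ...(manifest.host_permissions || [])]) {
    if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
  }
  return patterns;
}

function patternsCovering(manifest, host) {
  return hostPatterns(manifest).filter((p) => patternMatchesHost(p, host));
}

function canAlterSite(manifest, host) {
  return patternsCovering(manifest, host).length > 0;
}

// The summary a reviewer would look at before installing.
function review(manifest, host) {
  return {
    updateChannels: updateChannels(manifest),
    canAlter: canAlterSite(manifest, host),
    coveringPatterns: patternsCovering(manifest, host),
  };
}

console.log(JSON.stringify(review(SAMPLE_MANIFEST, "steemit.com"), null, 2));
```

Run it with Node against any unpacked extension's manifest.json in place of the sample object. Any pattern covering steemit.com (or `<all_urls>`, or `*://*/*`) means the extension can rewrite what you see and submit on the site, which is the capability the comment above is warning about.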


It's funny to me that something like this is needed because STINC can't even get notifications on the site to work properly. No wonder they rely on the community for any real development... This is all beginner shit any developer, except those working for STINC, could implement.

The code that puts in the iframe is the same as the one in condenser, with the same security features. So I guess, if there is a problem here, there is also one in condenser.
From what I see, everything works fine in both condenser and the extension ;)
If users prefer not to take the risk, just disable the markdown editor extension in the settings. Or trust YouTube and others when you paste their links. I don't believe this is really a "security issue". People would have to hack into YouTube and other big websites to take advantage of this...

Regarding the password, I'm taking all the precautions possible ;) I ALWAYS have strong and different passwords for all my accounts.

BTW, I always suggest installing the code manually by downloading it from the repository. That is the safest way to use this extension.

I fully agree with you. That is why I tell users to install the source from github, which won't get updated automatically.

Please remember that my audit is worthless if you keep auto update on. Be sure to install from source to be extra safe.

What about just disabling updates for the add-on? That's what I did, and I didn't download the update automatically. Could this be bypassed, or are people who disable updates safe from a malicious update?

That will work too. I know Firefox allows this, but Chrome only allows all or no auto updates.

Indeed, you should add it to a "safety" section in your post ;)

I did :) @armandocat controls the post :)

I would second that. Would love to see this code added to condenser. Well done @armandocat.