Wladimir Palant

3.4K Followers
11 Following
5.9K Posts

Software developer and security researcher, browser extensions expert. / searchable

#infosec #cybersecurity #cryptography #privacy

Website: https://palant.info/
Pronouns: He/him

Supposedly, Chrome Web Store is hosting more than 200k browser extensions by now and adding 400-500 new ones every day. I wonder how many of these are malicious. 60%? 80? 90?

It’s definitely most of them. My research has shown that malicious actors will spam Chrome Web Store with many very similar submissions. Since their goal is to direct attention away from legitimate add-ons offering the same functionality, this strategy is unsurprising. The end result is that if Google ever succeeded in removing malicious submissions they would be left with far fewer add-ons to manage.

One indicator is: Chrome Web Store only hosts somewhat more than 60k themes. Themes are much simpler to create than extensions, so one would expect there to be considerably more themes than extensions. That was definitely the case on Mozilla Add-ons back when “lightweight themes” were introduced – the number of available themes skyrocketed. Even now Mozilla Add-ons has more themes than extensions. But themes don’t allow extracting user data…

RE: https://infosec.exchange/@WPalant/113232106425106704

There is an interesting back and forth on refoorest, the story I published 18 months ago. In the aftermath of my article they got pulled from Mozilla’s and Google’s add-on stores while Microsoft just didn’t react. Later they were reinstated – no idea what kind of changes they’ve implemented for that, I didn’t notice anything relevant. Now my attention was brought to the fact that Google and Microsoft disabled that extension as malware (Google back in October already, Microsoft a few weeks ago). Yet on a quick glance I still cannot see any problematic behavior beyond what I’ve documented originally. Well, maybe them advertising Polypoly search now (“the first search engine that rewards users with weekly prizes” – yes, totally not a scam).

Side note: Opera just pulled them immediately and never reinstated from what I can tell.

https://palant.info/2024/10/01/lies-damned-lies-and-impact-hero-refoorest-allcolibri/

#refoorest #ColibriHero #ImpactBro

All is done I think. This has been a ton of work but I’m now a proud owner of a Github account filled only with placeholder repositories. My 25 repositories (the ones that were worth migrating) live on Codeberg now.

On the bright side: the code adding blog comments to the repository got quite a bit simpler; the Github API is quite a mess when adding multiple files in a commit. The downside: Codeberg CI will only do Linux. So if I ever have to make a release for one of my Rust projects I’ll have to figure out how to cross-compile for Windows and MacOS.

Other than that migrating actions was fairly straightforward. You substitute ubuntu-latest for codeberg-tiny (or whichever size fits), update action locations and it works pretty much the same as on Github. Web hooks and static websites also work pretty much the same. Unexpectedly, the hard part here was migrating the releases – copying information manually for 35 releases in a repository is no fun. Well, that and updating links, turns out I have tons of them.

Deleting Github repositories and creating placeholder repositories instead destroyed some state unfortunately, issue reports in particular. Too bad but I really didn’t want to leave any data on Github.
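The post above says a GitHub Actions workflow carries over to Codeberg by swapping the runner label and the action locations. Here is what that looks like side by side, as an added example that is not the author's own workflow: the GitHub version first, then the Codeberg (Forgejo Actions) version. The `codeberg-tiny` label is the one named in the post; the `.forgejo/workflows/` path, the `https://code.forgejo.org/actions/checkout` action URL and the `cargo test` job are my assumptions about a typical Rust project, not something the post specifies.

```yaml
# Before: .github/workflows/ci.yml on GitHub
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo test --all-features
---
# After: .forgejo/workflows/ci.yml on Codeberg (assumed path).
# Only two things change: the runner label and where the action is fetched from.
name: CI
on: [push, pull_request]
jobs:
  test:
    # Codeberg runner labels select the VM size; Linux is the only OS offered,
    # so a windows-latest / macos-latest job has no equivalent here.
    runs-on: codeberg-tiny
    steps:
      # Actions are referenced by full URL instead of a bare GitHub owner/name.
      # Pinning to a full commit hash instead of a tag (e.g. @<commit-sha>) is the
      # stronger supply-chain choice on either platform; the tag is kept here for brevity.
      - uses: https://code.forgejo.org/actions/checkout@v4
      - run: cargo test --all-features
```

Everything else in the job (triggers, steps, `run:` commands) is unchanged, which is why the migration is mostly a search-and-replace over `runs-on:` and `uses:` lines.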

Ok, the people have spoken. I’ll be looking into migrating my repos to Codeberg. I plan to remove all repositories on Github and to create archived placeholders in their place linking to the new location (I don’t want to leave any repository history there).

So, where do the cool kids host their code these days? I went to GitLab and saw “Finally, AI for the entire software lifecycle” – ok, I guess this means no GitLab for me. Codeberg then? Or something else?

Note: no, I’m not self-hosting. Yes, I know how to do it, I’ve been doing it for a decade. But I still won’t.

#Github #GithubCopilot #GitLab

It will be interesting to see in the next few years where the password G7$kL9#mQ2&xP4!w (or its hashes 585f7f8f66d6889fc04d59aaa8e150ff, df7b517033e720bf7cbea9388b197c291b007baf or 5191007431772ee3f1caa9311288da07335a8523cda2593fe03714f807be2833) will end up.

Looks like the Karma connection I’ve been writing about is still quite busy, and Google is still far too inconsistent with taking down their extensions: https://www.xda-developers.com/google-featuring-chrome-extension-months-malicious/

And once again this article shows: people expect that “Featured” badge on extensions to mean something. But it really doesn’t.

reminder that LLMs/"AI" are always unethical and we have project-wide policy against their usage

Gotta love it how the Internet Archive managed to capture the state of the internet so perfectly, here the Netscape Bug Report Form from 1999: https://web.archive.org/web/19990222143253/http://help.netscape.com/forms/bug-client.html

You would put your email address into the form in the ad frame, right?

This is just to say that Meta/Instagram are wrong in deprecating encrypted direct messages. This change is setting a dangerous precedent. DMs need to be private (and therefore encrypted).

We should not let them get away with it, otherwise more apps and platforms will follow.