Software developer and security researcher, browser extensions expert. / searchable
#infosec #cybersecurty #cryptography #privacy
| Website | https://palant.info/ |
| Pronouns | He/him |
If I were Google I would be monitoring ads on “shady” websites. Any browser extension advertised there is guaranteed to be malicious, and finding one helps expose the entire network of extensions pushed by the actor.
But that’s of course assuming that Google wants to be proactive here. As things stand right now, I expect reports about such extensions to be dismissed as not actionable. Unless somebody does all the work of mapping the extension network and documenting malicious behavior.
Looked for a solution to a problem, found somebody asking about the same thing online. The replies follow the typical open source playbook:
OP: How do I do A? (describes the issue in detail)
Commenter1: Here, read the manual. You do X.
OP: No, X is only applicable to another scenario, not the one I described.
Commenter2: You don’t do it like this, you do Y. See wiki.
OP: Yes, Y works for the scenarios that Y is meant for. But my scenario is different as I already said.
Commenter3: Maybe Z works?
OP: It looks like Z should work but it doesn’t. Here is what I tried.
Developer: You are correct, this is currently a limitation. In principle, we could fix that…
(Spoiler: It’s seven years later and they didn’t.)
Supposedly, Chrome Web Store is hosting more than 200k browser extensions by now and adding 400-500 new ones every day. I wonder how many of these are malicious. 60%? 80? 90?
It’s definitely most of them. My research has shown that malicious actors will spam Chrome Web Store with many very similar submissions. Since their goal is to direct attention away from legitimate add-ons offering the same functionality, this strategy is unsurprising. The end result is that if Google ever succeeded in removing malicious submissions they would be left with far fewer add-ons to manage.
One indicator is: Chrome Web Store only hosts somewhat more than 60k themes. Themes are much simpler to create than extensions, so one would expect there to be considerably more themes than extensions. That was definitely the case on Mozilla Add-ons back when “lightweight themes” were introduced – the number of available themes skyrocketed. Even now Mozilla Add-ons has more themes than extensions. But themes don’t allow extracting user data…
RE: https://infosec.exchange/@WPalant/113232106425106704
There is an interesting back and forth on refoorest, the story I published 18 months ago. In the aftermath of my article they got pulled from Mozilla’s and Google’s add-on stores while Microsoft just didn’t react. Later they were reinstated – no idea what kind of changes they’ve implemented for that, I didn’t notice anything relevant. Now my attention was brought to the fact that Google and Microsoft disabled that extension as malware (Google back in October already, Microsoft a few weeks ago). Yet at a quick glance I still cannot see any problematic behavior beyond what I’ve documented originally. Well, maybe them advertising Polypoly search now (“the first search engine that rewards users with weekly prizes” – yes, totally not a scam).
Side note: Opera just pulled them immediately and never reinstated them from what I can tell.
https://palant.info/2024/10/01/lies-damned-lies-and-impact-hero-refoorest-allcolibri/
All is done I think. This has been a ton of work but I’m now a proud owner of a GitHub account filled only with placeholder repositories. My 25 repositories (the ones that were worth migrating) live on Codeberg now.
On the bright side: the code adding blog comments to the repository got quite a bit simpler; the GitHub API is quite a mess when adding multiple files in a commit. The downside: Codeberg CI will only do Linux. So if I ever have to make a release for one of my Rust projects I’ll have to figure out how to cross-compile for Windows and macOS.
Other than that, migrating actions was fairly straightforward. You substitute ubuntu-latest for codeberg-tiny (or whichever size fits), update action locations and it works pretty much the same as on GitHub. Web hooks and static websites also work pretty much the same. Unexpectedly, the hard part here was migrating the releases – copying information manually for 35 releases in a repository is no fun. Well, that and updating links; turns out I have tons of them.
Deleting GitHub repositories and creating placeholder repositories instead destroyed some state unfortunately, issue reports in particular. Too bad, but I really didn’t want to leave any data on GitHub.
So, where do the cool kids host their code these days? I went to GitLab and saw “Finally, AI for the entire software lifecycle” – ok, I guess this means no GitLab for me. Codeberg then? Or something else?
Note: no, I’m not self-hosting. Yes, I know how to do it, I’ve been doing it for a decade. But I still won’t.