Wladimir Palant

3.4K Followers
11 Following
5.9K Posts

Software developer and security researcher, browser extensions expert.

#infosec #cybersecurty #cryptography #privacy

Website: https://palant.info/
Pronouns: He/him

Supposedly, Chrome Web Store is hosting more than 200k browser extensions by now and adding 400-500 new ones every day. I wonder how many of these are malicious. 60%? 80? 90?

It’s definitely most of them. My research has shown that malicious actors will spam Chrome Web Store with many very similar submissions. Since their goal is to direct attention away from legitimate add-ons offering the same functionality, this strategy is unsurprising. The end result is that if Google ever succeeded in removing malicious submissions they would be left with far fewer add-ons to manage.

One indicator is: Chrome Web Store only hosts somewhat more than 60k themes. Themes are much simpler to create than extensions, so one would expect there to be considerably more themes than extensions. That was definitely the case on Mozilla Add-ons back when “lightweight themes” were introduced – the number of available themes skyrocketed. Even now Mozilla Add-ons has more themes than extensions. But themes don’t allow extracting user data…

RE: https://infosec.exchange/@WPalant/113232106425106704

There is an interesting back and forth on refoorest, the story I published 18 months ago. In the aftermath of my article they got pulled from Mozilla’s and Google’s add-on stores while Microsoft just didn’t react. Later they were reinstated – no idea what kind of changes they’ve implemented for that, I didn’t notice anything relevant. Now my attention was brought to the fact that Google and Microsoft disabled that extension as malware (Google back in October already, Microsoft a few weeks ago). Yet on a quick glance I still cannot see any problematic behavior beyond what I’ve documented originally. Well, maybe them advertising Polypoly search now (“the first search engine that rewards users with weekly prizes” – yes, totally not a scam).

Side note: Opera just pulled them immediately and never reinstated them from what I can tell.

https://palant.info/2024/10/01/lies-damned-lies-and-impact-hero-refoorest-allcolibri/

#refoorest #ColibriHero #ImpactBro

@varx True. If there are forks then you’ve lost no matter what.
@varx Not really, I can reasonably expect Github to dispose of my repo then. Unreachable commits are an entirely different beast. From what I remember these stay around for at least 30 days, and Github has to actively prune them. I’m not sure they really do it for all repositories regularly, particularly the inactive ones…
@varx macOS is really taking pride in being the most developer-unfriendly platform there is… Yes, just not compiling for macOS is an option worth considering.
@varx It’s an option but repository contents don’t go away. It is up to Github to actually remove the commits which aren’t reachable via the UI.

All is done I think. This has been a ton of work but I’m now a proud owner of a Github account filled only with placeholder repositories. My 25 repositories (the ones that were worth migrating) live on Codeberg now.

On the bright side: the code adding blog comments to a repository got quite a bit simpler; the Github API is quite a mess when adding multiple files in a commit. The downside: Codeberg CI will only do Linux. So if I ever have to make a release for one of my Rust projects I’ll have to figure out how to cross-compile for Windows and macOS.

Other than that migrating actions was fairly straightforward. You substitute ubuntu-latest for codeberg-tiny (or whichever size fits), update action locations and it works pretty much the same as on Github. Web hooks and static websites also work pretty much the same. Unexpectedly, the hard part here was migrating the releases – copying information manually for 35 releases in a repository is no fun. Well, that and updating links, turns out I have tons of them.

Deleting Github repositories and creating placeholder repositories instead destroyed some state unfortunately, issue reports in particular. Too bad but I really didn’t want to leave any data on Github.

Ok, the people have spoken. I’ll be looking into migrating my repos to Codeberg. I plan to remove all repositories on Github and to create archived placeholders in their place linking to the new location (I don’t want to leave any repository history there).
@freddy Luckily, I don’t have any private repos (not on Github at least). I have no problem self-hosting a few private repos if I need them.

@buherator Concerning Gitea I found https://about.gitea.com/resources/tutorials/gitea-mcp-server. This is not a core feature at the moment but I don’t really want to migrate to another service and have them start shoving this down everybody’s throat a few months later.

I cannot see any cloud offering for Forgejo.
