
Things have gotten bad enough that I've stopped using extensions that haven't been through a code vetting process.

> Recommended extensions differ from other extensions that are regularly reviewed by Firefox staff in that they are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status.

https://support.mozilla.org/en-US/kb/recommended-extensions-...

If your browser doesn't have a code vetting process for extensions, I'm not interested in your browser.




Mozilla's review process is much more strict than Chrome's: they required me to produce original source code for all libraries that I am using (like jQuery), forced me to get rid of some leftover evals in JavaScript, etc. I don't think they read all source code, but they definitely look for some patterns.


Did your extension go through the normal vetting process or the extended review necessary to become a recommended extension?


If by recommended you mean "featured" flag on Chrome webstore then I believe that happens automatically if the extension satisfies their "best practices" criteria.


I was referring to Mozilla's extended manual review process necessary to become one of their "Recommended" extensions.

https://support.mozilla.org/en-US/kb/recommended-extensions-...


What does that mean in reality? Pretty sure Chrome Web Store extensions are reviewed, but since they're all minified and obfuscated garbage, I wonder how easily malicious code could slip through. I'm surprised there hasn't been a mass cookie stealing attack yet.


CWS doesn't review every extension submission, at best they do some % of them along with anything that sets off red flags. Out of hundreds of times I pushed updates to my extension (~100k monthly users by the end) it was delayed for human review maybe... twice?


Maybe it's time for an LLM-based, open-source security review framework. This could be adapted for extensions to see what information they'd be sending over.


That's scary.


That's why AMO requires extensions to be uploaded with their source code and disallows obfuscation.

They do allow minification for compression, and I don't know what stops someone from uploading different source code from the shipped addon.
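As an added example (not part of any comment in this thread, and not AMO's or the Chrome Web Store's own tooling): a small reviewer-side script that does the two things the thread touches on. It pattern-scans uploaded source for dynamic-code constructs such as `eval` (the kind of thing the earlier comment says Mozilla made the submitter remove), and it checks that each shipped bundle is what building the uploaded source actually produces, by comparing SHA-256 digests. The file contents, the toy minifier standing in for the submitter's real build step, and all function names are constructed for this example.

```python
"""Reviewer-side checks for an extension submission (constructed example).

Check 1: flag dynamic code execution patterns in the uploaded source.
Check 2: rebuild each shipped file from the uploaded source and compare
         digests, so a submitter cannot ship something other than what
         they uploaded for review.
"""
import hashlib
import re

# Patterns a reviewer would want to see justified or removed.
DYNAMIC_CODE_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
    "string timer": re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*['\"]"),
    "script element": re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
}


def scan_source(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_no, pattern_name) for every line that matches."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in DYNAMIC_CODE_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, name))
    return findings


def toy_minify(source: str) -> str:
    """Stand-in for the submitter's build step: drop // comments and blank
    lines, then join. A real check runs the submitter's documented build
    command in a clean environment instead of guessing like this."""
    kept = []
    for line in source.splitlines():
        line = re.sub(r"//.*$", "", line).strip()
        if line:
            kept.append(line)
    return "".join(kept)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def shipped_matches_source(source_files: dict[str, str],
                           shipped_files: dict[str, str]) -> dict[str, bool]:
    """For each shipped file, rebuild it from the uploaded source of the
    same name and report whether the digests agree. A shipped file with
    no corresponding source is reported as a mismatch."""
    result = {}
    for path, shipped in shipped_files.items():
        src = source_files.get(path)
        result[path] = (src is not None
                        and sha256_hex(toy_minify(src)) == sha256_hex(shipped))
    return result


# Constructed sample submission: two source files, one with a leftover eval.
SOURCE_FILES = {
    "background.js": (
        "// constructed sample: clean\n"
        "browser.runtime.onInstalled.addListener(() => {\n"
        "  console.log('installed');\n"
        "});\n"
    ),
    "content.js": (
        "// constructed sample: one leftover eval\n"
        "const cfg = document.body.dataset.cfg;\n"
        "eval(cfg); // reviewer would ask for JSON.parse here\n"
    ),
}

# Constructed shipped bundle: background.js is an honest build, content.js
# carries one extra statement that is not in the uploaded source.
SHIPPED_FILES = {
    "background.js": toy_minify(SOURCE_FILES["background.js"]),
    "content.js": toy_minify(SOURCE_FILES["content.js"]) + "injectTracker();",
}


if __name__ == "__main__":
    for path, lineno, name in scan_source(SOURCE_FILES):
        print(f"FLAG {path}:{lineno} uses {name}")
    for path, ok in shipped_matches_source(SOURCE_FILES, SHIPPED_FILES).items():
        print(f"{'OK  ' if ok else 'DIFF'} {path}")
```

The digest comparison is the part that answers the question above: if the store rebuilds the add-on from the uploaded source itself and installs only that artifact, a mismatch between what was reviewed and what ships is detected at submission time rather than after users have installed it.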


> What does that mean in reality?

It means taking malware seriously, even if that means you have to pay human beings to vet code manually. I realize that Google wants to avoid paying human beings at all costs, but too bad.
