Chrome's popular Web Developer plugin was briefly hijacked on
Wednesday when an attacker gained control of the author's Google
account and released a new version (0.49) which injected ads into web
pages of more than a million users who downloaded the update. The
version was quickly replaced with an uncompromised version (0.5) and
all users are urged to update immediately.

Lauren Weinstein has a broader warning:

While the browser firms work extensively to build top-notch security
and privacy controls into the browsers themselves, the unfortunate
fact is that these can be undermined by add-ons, some of which are
downright crooked, many more of which are sloppily written and poorly
maintained. Ironically, some of these add-on extensions and apps claim
to be providing more security, while actually undermining the
intrinsic security of the browsers themselves. Others (and this is an
extremely common scenario) claim to be providing additional search or
shopping functionalities, while actually only existing to silently
collect and sell user browsing activity data of all sorts.

Lauren also warns about sites that "push users very hard to install
these privacy-invasive, data sucking extensions" -- and believes
requests for permissions aren't a sufficient safeguard for most users.
"Expecting them to really understand what these permissions mean is
ludicrous. We're the software engineers and computer scientists --
most users aren't either of these. They have busy lives -- they expect
our stuff to just work, and not to screw them over."

-- source: https://yro.slashdot.org/story/17/08/05/2122210
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174