huydotnet 18 hours ago

I came to the article hoping to see the list of affected extensions, so I can check if I ever installed any of them. All I get was a list of extension ID at the very bottom of the post. Is this some sort of security practice to not promoting malicious packages or something?

Reply View 4 replies
  • notepad0x90 18 hours ago

    you can search your file system for those extension id's , it will be a directory name.

    Reply View 0 replies
  • technion 18 hours ago

    Its more about the likely target audience: i can scan the whole enterprise and activate blocks with those ids.

    Reply View 1 reply
    • huydotnet 12 hours ago

      That's my first thought, but it would still be helpful to have a list of names, since many people has switched browsers many times in the past, or used many different devices personally.

      Reply View 0 replies
payphonefiend 19 hours ago

Painful read, this reads like it was written by AI.

Reply View 12 replies
gudzpoz 19 hours ago

The WeTab / Infinity team has responded to this [1] (in Chinese). Basically, they argue that:

- The Clean Master extension has long been sold, and the malicious updated was not pushed by them.

- The other two mentioned extensions are not at all malicious. They collect use info for extension opt-out-able features and analytics (using Google Analytics and Baidu Analytics).

- They are communicating with the extension stores to restore their extension.

Let's hope it's not an AI company making AI-generated accusations.

[1] https://mp.weixin.qq.com/s/E8YQLWZFM2J7r5DZNSl47w & https://www.v2ex.com/t/1176484

Reply View 2 replies
  • gkbrk 18 hours ago

    The first point isn't meaningful from a user's perspective.

    There's no difference between me trusting you and you pushing malware to me vs you selling your deploy access to a third party and the third party pushing malware to me.

    Especially if selling the extension doesn't remove the old one from the browser automatically and reset it's rating to 0, download count to 0 and remove all the comments/reviews.

    Reply View 1 reply
    • sionisrecur 16 hours ago

      I think in the chrome extension store you can't even change the email account attached to the extension. The only correct way to transfer an extension seems to be deleting it and having the new party create a new one.

      Reply View 0 replies
creatonez 5 hours ago

> Koi researchers have identified a threat actor we're calling ShadyPanda

Is it that hard to come up with a name that isn't a generic orientalist trope?

Reply View 0 replies
pogue 16 hours ago

So, has someone found or compiled a list of the actual extension names, not just IDs?

Reply View 0 replies
gnatman 16 hours ago

I was hoping to see a revenue estimate for injecting affiliate links on 4M browsers for 7 years… that must’ve been a lot of money!

Reply View 0 replies
ipnon 19 hours ago

The builtin JavaScript interpreter is such a devious touch. No one blinks an eye at several MBs of extension data. That’s plenty of room to store arbitrary runtimes in, and then all the default browser runtime protections are pointless.

Reply View 1 reply
  • chatmasta 18 hours ago

    The runtime protections aren’t pointless. The interpreter makes it difficult to inspect the malicious code during execution, but it doesn’t circumvent any sandboxing of the browser.

    Reply View 0 replies
badmonster 18 hours ago

Browser extensions are a fascinating attack vector because users grant them extraordinary privileges without understanding the risk. The 7-year persistence here is notable - malware that stays undetected that long usually means good operational security and slow, careful changes that don't trigger alarms.

Reply View 1 reply