• earthworm@sh.itjust.works · 28 points · edited · 21 hours ago

    TL;DR: Browser extensions are malware sleeper agents.

    The systemic problem isn’t just one malicious actor. It’s that the security model incentivizes this behavior:

    1. Build something legitimate
    2. Pass review and gain trust signals (installs, reviews, verified badges)
    3. Collect large user base
    4. Weaponize via update
    5. Profit before detection

    ShadyPanda proved this works. And now every sophisticated threat actor knows the playbook.

    • vacuumflower@lemmy.sdf.org · 2 points · 15 hours ago

      So, asking the past defenders of such a situation again, was XUL really worse or is it in effect the same?

      Except XUL also allowed such customization that very rarely an extension would become as popular as they become now. Fragmentation as a defense.

      (That refers to the discussions about Firefox dropping XUL in the past, killing many, many good extensions and ways to make them, and alternative browsers built on XULRunner.)