Very interesting article!

  • Plopp@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    5
    ·
    4 months ago

    General infosec tip: keep your browser add-ons to the absolute minimum you can live with. Add-ons are attack vectors. The more you have - the more at risk you are. And only install the ones you have a reason to trust.

    • LainTrain@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      3
      ·
      4 months ago

      Nah, browsers are sandboxed to absolute shit it is such a pain in the ass to make an extension just to do a phishing attack or to buy the ownership of one to introduce malicious code.

      At most an extension with really broad permissions like read/write contents of any page (a fact that is made obvious upon installation) can replace a link to take you to a phishing page to harvest creds, but thanks to SSL and HTTPS it won’t even work without fifty some odd warnings

      • Plopp@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        4 months ago

        You live by that and I’ll live by the advice I’ve seen from infosec professionals that recommend as few add-ons as possible due to security concerns. But yes, browsers are getting more secure over time and that’s good.

        • LainTrain@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          4 months ago

          I’m an cybersec MSc and an infosec professional.

          You obviously shouldn’t install closed source or otherwise shady extensions from dodgy authors you don’t know, but on the whole there is very little they can do that you should worry about.

          Most “advice” comes from people who want to sell you something and the infosec industry is mostly a scam to drain B2B procurement budgets plus a few gay furry researchers at defcon who are incomprehensible savants and actual malware authors who do something, unless they just write crappy .NET junk.

          Take for example an average “”“zero-day”“” in 2024: https://arstechnica.com/security/2024/07/threat-actors-exploited-windows-0-day-for-more-than-a-year-before-microsoft-fixed-it/

          This isn’t even a vulnerability. It’s just phishing that requires a user to have file extensions turned off, then download a dodgy as hell .PDF file that isn’t one due to hidden extension, which then uses a milquetoast .hta trojan downloader that only works if one has IE enabled on Windows AND opens the .pdf in MS Edge to pull in reverse shell code via probably psexec of some sort.

          There are so many steps one wonders why not just send a iamnotavirus.exe uac prompt and all to download, compile and run ransomware from vxunderground source code then and there.

          Worrying about stuff like this in browser is akin to using a VPN on public WiFi to avoid MITM attacks, there’s nothing wrong with it but there’s basically nothing to actually worry about there.

          • Plopp@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            4 months ago

            You obviously shouldn’t install closed source or otherwise shady extensions from dodgy authors you don’t know, but on the whole there is very little they can do that you should worry about.

            Sorry if I’m nitpicky or confused here. You just said it’s obvious that you shouldn’t install closed sourced or otherwise shady extensions. Do you think a normie knows and cares if an extension is open source? And how do they know if an extension is “shady”? And what about legit extensions that get bought by shady people and turned into shady ones long after they’ve been installed and the user base trusts it?

      • KubeRoot
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        I mean, couldn’t an addon just read the password you put into a login field, or send in a request, and send it off to their servers?

        • LainTrain@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 months ago

          If an add-on is modifying contents of pages it shouldn’t or of the clipboard when it shouldn’t, you would have to give it explicit permission at install time, i.e. “This extension can: Read and Modify Data on all sites you visit: Read and Modify contents of the clipboard.”

          Obviously a simple URL redirector for wikipedia requesting access to this data is absurd and would be an immediate red flag. The reason this very thing doesn’t happen more often, is because frankly you’d have to be so computer illiterate to get to that stage that it is much easier to just phish you with basic Facebook profile info for much greater gains.

          This is also the reason most “hacks” nowadays are either supply-side or phishing, shit is just too secure, no fun. We should bring back ActiveX.

          • Plopp@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            4 months ago

            Obviously a simple URL redirector for wikipedia requesting access to this data is absurd and would be an immediate red flag.

            To you, yes it should be. But it does require knowledge about how websites and browsers work that most people don’t have. I’d be very surprised if 50% of people have any idea what those permissions actually do and what would be reasonable for different extensions to have.

            • LainTrain@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 months ago

              But installing few extensions doesn’t protect against it if the few extensions you install have scope and permissions to do bad things. It’s all worded in plain English, at some point you gotta just not use computers anymore if you can’t read.

              Even if it’s good advice for nan checking emails on IE6 on windows vista, it really shouldn’t be necessary for a Lemmy user.

              • Plopp@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                1
                ·
                4 months ago

                Of course having fewer extensions installed doesn’t protect you from the ones that you have installed. But the fewer you have the smaller your attack surface is. And as a general tip, I think it’s a good one, even on Lemmy. Because I’m not going to assume people’s understanding of the web, browsers or permissions. And when it comes to the general population, a lack of understanding of an extension’s permissions has very little to do with ones ability to read.