Extensions at War

Sun, 03 May 2009 08:37:28 GMT
by pdp

Oh yes, the digital battlefield is taking unusual shapes. The latest manifestation of cyber warfare is a conflict between the Adblock Plus and the NoScript extensions. The story goes that NoScript used some JavaScript tactics and, of course, some obfuscations in order to cripple the Adblock Plus functionalities. This attack was a response to Adblock Plus blocking NoScript ads which you see when you upgrade the extension, which as you know happens quite regularly, don't know why.

The conflict seems to be resolved now to one degree or another but it is interesting to observe the whole situation and also draw important conclusions. Therefore, I've got several points I would like to bring to the table:

  1. More examples of similar nature will follow. Keep an eye on Facebook, Apple AppStore, Firefox and other platforms that allow 3rd-party components to be displayed, downloaded and executed.
  2. As I mentioned before, a malicious piece of JavaScript code (even an obvious obfuscation) can be quite easily smuggled into harmlessly looking Firefox extensions. If I may speculate, the situation is the same for other similar platforms.
  3. Unless platform vendors do something about it, they could become the next hot spot for all sorts of interesting malware.

It is also very interesting to see the extend to which extension developers will go in order to protect their userbase. After all, larger userbase equals more money. And with more people looking to quickly cache in, the battlefield is truly changing for better or worse.

Archived Comments

mindcorrosivemindcorrosive
True, Giorgio managed to piss both users and devs with this ill-thought attempt to fund the NoScript development. However, the offending whitelist filters and obfuscation have been removed completely from NoScript as of version 1.9.2.6, together with appologies from Giorgio. I seriously doubt that the NoScript team had any harmful intent with pushing the filters to the users, but the way they present it to the users was less than ideal. In fact, I would gladly accept the whitelist filters if I am informed *in advance* what are they doing, together with an option not to install them. As for sneaking malicious code, it's a danger on virtually any platform that allows outside outside addons/plugins. I'm not sure how Mozilla deals with the situation, but AFAIK the extensions undergo testing and control before their acceptance in the official addon repository. But it's virtually impossible to test every version of every addon for malicious activity. It's just a matter of trust, the same trust that one gives to their FOSS provider, distribution vendor, or ISP. There's always a possibility that someone will go rogue, with so many people on the chain. But at some point you need to trust someone to get things done. Otherwise, the alternative is a closed and isolated platform -- and that's not going to work (just look how much flak Apple accumulates on rejecting third-party iPhone apps).
pdppdp
I agree. Also, it is quite fascinating the way the whole situation spanned out. We live in very interesting times :)
rwizardrwizard
One would like to believe that Giorgio learned his lesson. But I notice that we are slowly but surely creeping back toward his "new nano-update every five minutes" behavior. A behavior many believe was intended to drive ad revenue. And I found his apology to sound more like "I am sorry everyone is mad at me, but I really was provoked by the other guy" than "I was wrong, and there can be no justification for what I did". So, while there isn't a comparable alternative, and we are stuck with NoScript for now, I really hope that someone will come along and give us another option. I think the only things Giorgio learned is that we can't really do without NoScript, and as long as he is just a little more careful, he can probably get away with a lot.