SOMEONE HIJACKED MEGA CHROME EXTENSION TO STEAL USERS' PASSWORDS

If you are using Chrome browser extension from the MEGA file storage service, uninstall it right now.
thehackernews.com/2018/09/mega-file-upload-chrome-extension.html



>extensions
>chrome
what do you expect

>never trusted extensions the sites offered to install
>don't use chrome
What to feel, lads?


>Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector.
It's mindblowing that there are people who use Chrome willingly.


Feels good man

Time to target 4chanX's delivery system.

>Chrome trusts only Google-signed extensions
>Extensions are auto-signed on upload
It's funny how a "security" feature ended up fucking them over.


>using Chrome
>using Mega
You get what you deserve, cucks

Holy shit.
I had this extension installed in chrome for the longest time.
The other day it updated automatically and Chrome told me it was blocked because it needed new permissions and I had to approve them.
The permission was "read all data from all websites you visit" so I told it to fuck off and uninstalled Mega.
I dodged a bullet.

You have to be retarded to fall for this, it's not Chrome's fault considering it literally warned people.
I'd say this is an example of the great security it provides especially compared to the garbage full of holes that is Firefox.

This kills ZOOMERs.

>everything that comes from OFFICIAL websites is SAFE
>it's called convenience, grandpa
>common sense 2018
>walled garden

>The permission was "read all data from all websites you visit" so I told it to fuck off and uninstalled Mega.
ublock origin requires the same permission fyi

>Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector.
Fuck you Chrome, once again.

uBO removes elements from the DOM, of course it needs that permission. A download helper extension for one specific site would not need it.

>never heard of mega extension before
bullet dodged

Will keep this in mind if an extension tries to request more permissions.

How does Jow Forums mitigate the risk with extensions like uBO?

>application needs the permissions to work
>this means they won't use it for anything bad

i'm not installing anything i can't or don't have time to thoroughly audit myself

You mean the NZ government?

uBO is open source

FUUUUUUUUUUUUUCK


nice try NSA but I'm not falling for your tricks by installing jewblock origin and giving you to read my website data :^)

>tfw firefox


>jewblock
ublock.org

>installing retarded shit from a website
it's like you wanted it.

What does Poettering say to this?

Why use an extension when their software is universal and superior?

>I'd say this is an example of the great security it provides especially compared to the garbage full of holes that is Firefox.
lmao wut? did you think permission warning is solely a chrome thing?

instead of spouting bullshit, how about you read this?
ghacks.net/2018/07/10/look-up-all-domain-access-requests-of-firefox-extensions-before-installation/

>muh JOOS
github.com/gorhill/uBlock
Surely it's the NSA in here.

Why don't you just check the source code? You know what source code is, right? It's foss.

That remark was not about permission warnings, but people calling Chrome insecure in this thread when Firefox has long been full of holes (it has significantly improved recently though)

>it's foss therefore it's safe no matter what
bet my ass both you retards used the prebuilt extension instead of actually building it yourself and the thought of a 3rd party tampering with it somewhere down the road didn't even cross your mind

You can bet all you like, doesn't mean my passwords have been tampered with.

I actually have the Motherload SWF on my computer. Big whoops, wanna fight about it? It is a good game.

what's the name of that game?

>can't download multi-gigabyte files from mega without their shitty extension

I sensed ulterior motives when I saw them try and force this shit in such a hamfisted way

Motherload

thanks

Being blind enough to not see:

>The company also said Google disallowed publishers to sign their Chrome extensions and instead is now relying solely on signing them automatically by Google after the extension is uploaded
Is this for real? That is the exact opposite that happens in Play Store. Is Chrome team made up by pajeets?

I have their application on my computer, but I always terminate the process before setting my firewall to passive. So they didn't get any data from me.

github.com/meganz
Also, what ulterior motives?

Go and watch the Vice documentary on Bangalore being the next Silicon Valley. They're literally everywhere in tech.

>How does Jow Forums mitigate the risk with extensions like uBO?
They don't. Probably most of uBO users aren't even aware of that.

You got served, courtesy of the botnet my dude.


>downloading files from mega in 2018

I didn’t realize so many poorfags still existed in Trump’s America. Or are you all underage b&? Pathetic.

blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/
tl;dr Common Sense 2018 Internet Suite

This is only relevant to cretins stupid enough to use password managers.

m8, you can unpack the prebuilt extension (it's literally just a .zip) and compare it with the source code. since you're the one claiming ublock origin is unsafe, why not prove your claim?
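
The check the post above describes (unpack the packaged extension and compare it with the source), as an added example that is not part of the thread and is not uBlock Origin's or MEGA's code. It also reports access that a new manifest requests and the old one did not, like the permission prompt mentioned earlier in the thread. It assumes the project ships its source files unmodified (no build step); all file names and manifests are constructed samples.

```python
import hashlib
import io
import json
import zipfile
from pathlib import Path

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def package_digests(package):
    """Hash every file in an extension package (path or file-like object)."""
    with zipfile.ZipFile(package) as zf:
        return {i.filename: sha256(zf.read(i)) for i in zf.infolist() if not i.is_dir()}

def tree_digests(root):
    """Hash every file under a source checkout, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in Path(root).rglob("*") if p.is_file()}

def compare(package, reference):
    """Assumes files ship unmodified from source (no build or minify step)."""
    return {"added": sorted(package.keys() - reference.keys()),
            "modified": sorted(n for n in package.keys() & reference.keys()
                               if package[n] != reference[n]),
            "missing": sorted(reference.keys() - package.keys())}

def requested_access(manifest_text):
    """API permissions plus host patterns a manifest.json asks for."""
    m = json.loads(manifest_text)
    access = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    for script in m.get("content_scripts", []):
        access.update(script.get("matches", []))
    return access

def constructed_sample():  # constructed data, not taken from the incident
    old = json.dumps({"name": "demo", "permissions": ["storage", "https://example.com/*"]})
    new = json.dumps({"name": "demo", "permissions": ["storage", "<all_urls>"]})
    reference = {"manifest.json": sha256(old.encode()), "main.js": sha256(b"run();")}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", new)
        zf.writestr("main.js", "run();")
        zf.writestr("extra.js", "// not in the source tree")
    return buf, reference, old, new

if __name__ == "__main__":
    pkg, reference, old, new = constructed_sample()
    print(compare(package_digests(pkg), reference))
    print("newly requested:", sorted(requested_access(new) - requested_access(old)))
```

For a real comparison, pass the package path to `package_digests` and the checkout directory to `tree_digests`, then feed both results to `compare`.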

inb4 google removes extensions :^)

>an unknown attacker managed to hack into MEGA's Google Chrome web store account
So, MEGA fucked up. They shouldn't be trying to shift the blame.
Unless it was some kind of retarded password recovery process Google uses...

does this include simply using the mega.nz site to download or only an explicit extension one has to install within the browser?

I only used chromium the other day to download larger files that could not be done in firefox but I did not use any extension, just the website itself. Either way that will be the last fucking time I use anything with connections to google, bloat piece of shit browser that took 5 hours to compile first time until i set jumbo-build use flag and still slow as shit.

>only an explicit extension one has to install within the browser?
this

I stupidly gave it access but also thought it was odd because other extensions ask for the same permissions and aren't malicious

>"Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications," the company said.

It looks like it only got your passwords if you logged into accounts after the update

So do we hope the current uBlock source code is legit, fork it and use it as a custom extension to prevent updates?

It's too hard to mitigate risk against attack vectors on a software's delivery system.

medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

medium.com/@h3rm4ns3c/how-i-gained-commit-access-to-all-jenkins-projects-in-30-minutes-and-how-security-warnings-to-the-96c421dad0c3

I'm confused. So if I have no saved passwords, am never logged into any accounts unless I'm using them, and only installed the fake update but not visiting any other websites I'm logged into, am I good to go? I'm also switching to Firefox because Google refusing to allow devs to sign their extensions is retarded

>Google refusing to allow devs to sign their extensions is retarded

Feels good being a Firefox user.

firefox gets worse every update. it's barely better than chrome now.

>firefox gets worse every update.
I disagree

>HTTPS Everywhere does too. Tons of extensions use this permission

>2018
>using Chrome


>Mega
Honeypot

I agree

>Saw the permission prompt but declined it

Thank fuck, now also uninstalled the extension

Ah the memories. I used to play that game religiously.

didn't that one turn out to be a botnet too

>Bangalore
>pajeet

Unless I'm misinformed, SmartHTTPS is the botnet

What's wrong with quake?

boomer life sounds comfy

B-b-b-but Jow Forums told me Mozilla was evil and communist when they removed the option to install unsigned extensions from third parties and that the permissions of WebExtensions were a "meme" and thus totally unnecessary.

It's piss easy to abuse account recovery and gain access to a Google Account, it's Google's fault no doubt.


>using extensions beyond ad blockers


>using Chrome at all

feels amazing


>using chrome
I would unironically rather use Microsoft Edge at this point.

>chrome
if you use this shit you're a retard

>Google disallowed publishers to sign their Chrome extensions and instead is now relying solely on signing them automatically by Google after the extension is uploaded, which makes it easier for hackers to push new updates same as developers do.

These assholes just keep doing it

Just removing perfectly fine features for the sole reason of bullying and fucking with the end user

Security vulnerabilities you say? Fuck that as long as we get to feel like hot shit for making all our platforms unuseable and continue to take alternative services down

Words cannot express how much i hate nuJoogle


>rather use Microsoft Edge at this point.
no

Ok, pajeet