alt Hacker NewsOver 15 years ago now, I had a popular chrome extension that did a very specific thing. I sold it for a few thousand bucks and moved on. It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.
It's abundantly obvious to me now that bad actors are purchasing legitimate chrome extensions to add this functionality and earn money off the user's data (or even worse). I have seen multiple reports of this pattern.
Replies
15 years ago was probably this type of business in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.
> It seemed a bit strange at the time, and I was very cautious in the sale, but sold it and moved on.
What a mensch! I wonder how many other people your payday hurt.
It is a classic supply-chain attack. The same modality is used by gamers to sell off their high-level characters, and social media accounts do "switcheroos" on posts, Pages, and Groups all the time.
You know, a lot of consumer cybersecurity focuses on malware, browser security, LAN services, but I propose that the new frontier of breaches involves browser extensions, "cloud integrations", and "app access" granted from accounts.
If I gave permission for Joe Random Developer's app to read, write, and delete everything in Gmail and Google Drive, that just set me up for ransomware or worse. Without a trace on any local OS. A virus scanner will never catch such attacks. The "Security Checkup" processes are slow and arduous. I often find myself laboriously revoking access and signing out obsolete sessions, one by one by one. There has got to be a better way.