
// Monkey-patch String.prototype.replace so every replacement callback is fed a fixed string
String.prototype.replace_ = String.prototype.replace
String.prototype.replace = function (pattern, fn) { 
  return String.prototype.replace_.call(this, pattern, match => fn("lulz")) 
}
"abc".replace(/a/, match => "<strong>" + match + "</strong>")
// Expected: '<strong>a</strong>bc'
// Actual: '<strong>lulz</strong>bc'
Thanks for sharing your experience with browser extensions, this is the first time I'm dealing with it... naively! I see the problem... but this is not code from the BAI extension.
I've shared the code, it is open source on GitHub, people can check the extension source before installing it.
Or are you saying that the extension itself could be an attack vector for other scripts and attackers to use with malicious intentions?
> this is not code from the BAI extension.
No, the code is a fake exploit I wrote in 5 minutes because I don't want to publish the real exploit but you can figure out what I mean. The BAI code that this would attack is what I linked on your repo.
Luckily, thanks to fetch, you don't seem to have a supply chain outside the browser itself at a glance so in this particular extension the only way to inject the exploit would be to either introduce a dependency in a PR on your repo and then attack that, or introduce the first 4 lines of the exploit in an obscured way directly into your codebase.
However, if you normalize people installing extensions then it will be more likely that they will install other extensions that may have a much more vulnerable supply chain and with vibe coding nowadays this risk becomes much larger. For example, I could create BAI++ which looks nicer and has the vulnerability and then, when I have 10k installs, I activate the exploit.
Because there is no protection against this (extensions ignore SCP) the only solution for the past decade has been to tell everyone to never use extensions, and it still is the only solution today.
reply
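A defender-side check for the prototype swap shown in the fake exploit above: capture the built-in `String.prototype.replace` at load time, detect later tampering, and freeze the prototype so a late patch is rejected. This is an added example, not code from the thread or from the BAI extension; the function names are my own.

```javascript
// Captured as early as possible, before any other script runs.
const NATIVE_REPLACE = String.prototype.replace;

// True while String.prototype.replace is still the built-in captured at load
// time and still reports as native code. A patch that also overrides
// Function.prototype.toString can hide from the second check, so freezing
// (below) is the stronger control.
function replaceIsIntact() {
  const current = String.prototype.replace;
  const src = Function.prototype.toString.call(current);
  return current === NATIVE_REPLACE && src.includes('[native code]');
}

// Lock String.prototype so later assignments to .replace are rejected:
// a TypeError in strict mode, silently ignored in sloppy mode.
function lockStringPrototype() {
  Object.freeze(String.prototype);
  return Object.isFrozen(String.prototype);
}

// Re-attempts the thread's monkey-patch and reports whether it took effect.
// Used here only to exercise the checks above.
function simulateTamper() {
  const original = String.prototype.replace;
  try {
    String.prototype.replace = function (pattern, fn) {
      return original.call(this, pattern, () => fn('lulz'));
    };
  } catch (e) {
    // strict mode on a frozen prototype throws; treat as "did not take effect"
  }
  return String.prototype.replace !== original;
}

// Puts the captured built-in back (only possible while the prototype is unfrozen).
function restoreReplace() {
  String.prototype.replace = NATIVE_REPLACE;
  return replaceIsIntact();
}
```

Freezing must happen before any untrusted script loads, because the tamper succeeds against an unfrozen prototype and only fails once the lock is in place.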
It makes total sense. Well, it's a small extension I built and I trust there's no malicious code. Either way I'm just using it to check other people's addresses. Your feedback on the idea and what other info could be shown will be appreciated.
reply
21 sats \ 1 reply \ @optimism 7h
Sorry to be negative. My feedback is: don't use extensions.
If you really want to pursue it - you probably will, I get it - please make sure you don't add any external dependencies and don't accept any pull requests where you don't know what every character in the new code does.
reply
Thank you, I definitely will! I much appreciate your feedback.
reply