pull down to refresh

50 sats \ 3 replies \ @optimism 20 Jul \ parent \ on: BAI: A simple Bitcoin Address Inspector served as browser extension bitdevs
this is not code from the BAI extension.
No, the code is a fake exploit I wrote in 5 minutes because I don't want to publish the real exploit but you can figure out what I mean. The BAI code that this would attack is what I linked on your repo.
Luckily, thanks to fetch, you don't seem to have a supply chain outside the browser itself at a glance so in this particular extension the only way to inject the exploit would be to either introduce a dependency in a PR on your repo and then attack that, or introduce the first 4 lines of the exploit in an obscured way directly into your codebase.
However, if you normalize people installing extensions then it will be more likely that they will install other extensions that may have a much more vulnerable supply chain and with vibe coding nowadays this risk becomes much larger. For example, I could create BAI++ which looks nicer and has the vulnerability and then, when I have 10k installs, I activate the exploit.
Because there is no protection against this (extensions ignore SCP) the only solution for the past decade has been to tell everyone to never use extensions, and it still is the only solution today.
write
preview
100 sats \ 2 replies \ @deSign_r OP 10h
It make totally sense. Well is a small extension I build and I trust there's no malicious code. Either way I'm just using it to check other people addresses. Your feedback on the idea and what other info could be shown will be appreciated.
reply
21 sats \ 1 reply \ @optimism 6h
Sorry to be negative. My feedback is: don't use extensions.
If you really want to pursue it - you probably will, I get it - please make sure you don't add any external dependencies and don't accept any pull requests where you don't know what every character in the new code does.
reply
100 sats \ 0 replies \ @deSign_r OP 4h
Thank you, I'll definitely! I much appreciate your feedback.
reply