67 comments

[ 2.8 ms ] story [ 54.8 ms ] thread
Oh, a free of cost vpn extension that requires access to all sites and data is somehow spyware, color me surprised.

With those extensions the user's data and internet are the product, most if not all are also selling residential IP access for scrapers, bots, etc.

Good thing Google is protecting users by taking down such harmful extensions as ublock origin instead.

I treat extensions like they're all capable of privileged local code execution. My selection is very vetted and very small.
(comment deleted)
Google needs to act on removing these extensions/doing more thorough code reviews. Reputability is everything, and they can be actually valuable (e.g. LastPass, my own extension Ward)

There has to be a better system. Maybe a public extension safety directory?

Is the use of WebAssembly going to make spotting these malicious extensions harder?
From my experience, Google does not do a thorough app review. Reviewers get maybe a few minutes to review and move on due to the volume of apps awaiting review.
I am surprised because google review team rejects half of my extensions and apps.

Sometimes things don't make sense to me, like how "Uber Driver app access background location and there is no way to change that from settings" - https://developer.apple.com/forums/thread/783227

The company behind this appears to be "real" and incorporated in Delaware.

> Urban Cyber Security INC

https://opencorporates.com/companies/us_de/5136044

https://www.urbancybersec.com/about-us/

I found two addresses:

> 1007 North Orange Street 4th floor Wilmington, DE 19801 US

> 510 5th Ave 3rd floor New York, NY 10036 United States

and even a phone number: +1 917-690-8380

https://www.manhattan-nyc.com/businesses/urban-cyber-securit...

They look really legitimate on the outside, to the point that there's a fair chance they're not aware what their extension is doing. Possibly they're "victim" of this as well.

What is the economic value of all these AI chat logs? I can see it useful for developing advertising profile. But I wonder if it's also just sold as training data for people try to build their own models?
I thought manifest v3 was supposed to make chrome extensions secure?
So much of what's aimed at nontechnical consumers these days is full of dishonesty and abuse. Microsoft kinda turned Windows into something like this, you need OneDrive "for your protection", new telemetry and ads with every update, etc.

In much of the physical world thankfully there's laws and pretty-effective enforcement against people clubbing you on the head and taking your stuff, retail stores selling fake products and empty boxes, etc.

But the tech world is this ever-boiling global cauldron of intangible software processes and code - hard to get a handle on what to even regulate. Wish people would just be decent to each other, and that that would be culturally valued over materialism and moneymaking by any possible means. Perhaps it'll make a comeback.

I don't understand why so many people are using / trusting VPNs

"Let us handle all your internet traffic.. you can trust us.. we're free!"

No thank you.

I'm glad the extension system isn't broken (e.g. extensions being hacked). This is just scammy extensions to begin with. I've been scared of extensions since they were first offered (I did like useing greasemonkey to customize everything back in the 2000's/2010's), but I can't resist privacy badger and Ublock Origin since they are open source (but even then it's still a risk).
Would using native AI apps only prevent this? I think so right?
There were these two people.

And um, a boy and a girl.

...

Anyway, the thing was that one day they started acting kinda funny. Kinda, weird.

They started being seen exchanging tokens of affection.

And it was rumoured they were engaging in...

I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program.

> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.

https://support.mozilla.org/en-US/kb/recommended-extensions-...

I know that Google hates to pay human beings, but this is an area that needs human eyes on code, not just automated scans.

(comment deleted)
> A "Featured" badge from Google, meaning it had passed manual review and met what Google describes as "a high standard of user experience and design."

Trusting Google with your privacy is like putting the fox in charge of the henhouse.

8 million users on sketchy VPN extensions.

70 thousand users on what I would actually call "privacy" extensions.

Bit of a misleading title then.

> This means a human at Google reviewed Urban VPN Proxy and concluded it met their standards.

Or that the review happened before the code harvested all the LLM conversations and never got reviewed after it was updated.