
757 points shak77 | 1 comments
pgl ◴[] No.15932231[source]
Previously:

* https://news.ycombinator.com/item?id=15921134

This is a link to the GitHub issue:

* https://github.com/gregglind/addon-wr/issues/36

There are several scary things about this:

- Unknown Mozilla developers can distribute addons to users without their permission

- Mozilla developers can distribute addons to users without their knowledge

- Mozilla developers themselves don't realise the consequences of doing this

- Experiments are not explicitly enabled by users

- Opening the addons window reverts configuration changes which disable experiments

- The only way to properly disable this requires fairly arcane knowledge of Firefox preferences (lockpref(), which I'd never heard of until today)

kbenson ◴[] No.15934661[source]
> Unknown Mozilla developers can distribute addons to users without their permission

"In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"

In all seriousness, I understand this is an important issue, and needs to be addressed, but we've obviously gotten to the point as a society recently where no news can't be played up for hype by pundits and commentators for their own benefit (and probably without realizing they are doing it in a lot of cases).

The whole way this is being presented (by many here, not to pick on the parent) as a new chunk of the sky falling is what I find really troublesome. No, chicken littles, the sky isn't falling, but there is some interesting shit going on up there that deserves a look.

I fail to see how getting half the people frothing at the mouth and the other half downplaying it just to try to keep some sanity in the discussion helps for a good outcome.

bigbugbag ◴[] No.15936197[source]
> "In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"

No they can't, despite Mozilla removing the option to prevent this, I have an extension preventing websites from running code in my browser without my permission. It happens to be one of the most popular Firefox extensions: NoScript (also uMatrix and RequestPolicy).

No, the browsers do not download changed versions of themselves, they do not have the administrative permissions required to install programs on my box. I get my updates from the official distro repository on my terms.

I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.

It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.

kbenson ◴[] No.15936320[source]
> No they can't, despite Mozilla removing the option to prevent this, I have an extension preventing websites from running code in my browser without my permission. It happens to be one of the most popular Firefox extensions: NoScript (also uMatrix and RequestPolicy).

You've conflated third party javascript with javascript in general. You can turn off javascript entirely, but unless you do so, that website is generally able to ship javascript to you as included scripts from the same domain or in a script section or inline with attribute handlers.

> No, the browsers do not download changed versions of themselves, they do not have the administrative permissions required to install programs on my box. I get my updates from the official distro repository on my terms.

Yes, they very often do. Currently, they generally ask if you want to restart using the new version and give you that choice, but they are often downloading newer versions of themselves ahead of time to speed up this process.

Whether they have permissions depends entirely on how you installed the application. If it wasn't installed globally, user permissions are all that is needed.

> I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.

Good! I hope you've also never ever piped wget output to a shell for some application's quick installer. I also hope you've never installed any programming language module through that language's package manager and not your distro's package system, because those are notoriously bad at making sure there are no holes through which bad stuff can happen either.

Regardless, it's possible that the package you downloaded, no matter the source, can do something other than stated.

> It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.

Actually, I don't think I guessed wrong because I wasn't guessing anything, and I never said it works the same for everybody. I believe, since I was careful to qualify my statements, that each is easily proven correct, and I've done so.