
RE: Steemit More Info 1.3 - Chrome Extension + Firefox Extension

in #steemdev · 7 years ago

I have reviewed this extension for security, and all possible issues I could find were fixed before the release. The post contains a summary of the review.

While I am pretty confident in my abilities, I am not a perfect human being. So I have put aside a safety deposit that will be used to reimburse users, should I ever miss a security issue in the extension and should they lose their funds or keys. I initially announced 100 STEEM but, as @sneak rightfully said, that is not much. So I will start with 200 STEEM and add at least 100 STEEM to this deposit with each new review.

I am also offering a bounty for secondary reviews. Please provide your credentials and your review and tag me so I see it. I am offering at least 50 SBD for this cause. The community decides who is worthy of the bounty.

Please remember that my audit is worthless if you keep auto update on. Be sure to install from source to be extra safe.


The danger is not whether or not the extension has any vulnerabilities now (and it does, right now, as you pointed out, with iframes)—but whether or not it could be updated with malicious code in the future automatically. This is how browser extensions work.

Everyone who uses this is trusting their account safety to the safety of @armandocat’s extension update keys/password. If those get compromised, a malicious update could get pushed that takes over all the users of the formerly-safe extension.

I love the work that is being done here and I’d love to see most of it integrated into condenser - but I can’t say it’s safe to run any browser extensions that can alter content on steemit.com, regardless of audit, because it’s not.

It's funny to me that something like this is needed because STINC can't even get notifications on the site to work properly. No wonder they rely on the community for any real development... This is all beginner shit any developer, except those working for STINC, could implement.

The code that puts in the iframe is the same as the one in condenser, with the same security features. So I guess, if there is a problem here, there is also one in condenser.
From what I see, everything works fine in both condenser and the extension ;)
If users prefer not to take the risk, just disable the markdown editor extension in the settings. Or trust youtube and the others when you paste their links. I don't believe this is really a "security issue". People would have to hack into youtube and other big websites to take advantage of this...
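The safety argument above rests on only ever embedding links from a handful of trusted hosts. The following is an added example written for this thread, not the extension's or condenser's actual code: it converts a pasted video link into an embed only when the host matches an explicit allowlist and the video id matches a strict pattern, and it sandboxes the iframe so the embedded page cannot touch the steemit.com origin. The allowlist, the id pattern and the sandbox attributes are this example's assumptions.

```javascript
// Added example, not code from the extension or from condenser.
// Allowlisted hosts and how to extract a video id from them (assumption).
const EMBED_RULES = [
  {
    // https://www.youtube.com/watch?v=ID  or  https://youtu.be/ID
    hosts: new Set(["www.youtube.com", "youtube.com", "youtu.be"]),
    videoId(url) {
      if (url.hostname === "youtu.be") return url.pathname.slice(1);
      return url.pathname === "/watch" ? url.searchParams.get("v") : null;
    },
    embed: (id) => `https://www.youtube.com/embed/${id}`,
  },
];
// YouTube video ids are 11 URL-safe characters; anything else is rejected.
const ID_RE = /^[A-Za-z0-9_-]{11}$/;

// Returns an <iframe> string for an allowlisted video link, or null for
// anything else: other hosts, look-alike domains, non-https links, odd ids.
function linkToEmbed(text) {
  let url;
  try { url = new URL(text); } catch { return null; }   // not a URL at all
  if (url.protocol !== "https:") return null;           // https only
  for (const rule of EMBED_RULES) {
    if (!rule.hosts.has(url.hostname)) continue;        // exact host match only
    const id = rule.videoId(url);
    if (!id || !ID_RE.test(id)) return null;
    // The id matched a strict pattern, so interpolating it is safe. The
    // embed is cross-origin, so "allow-same-origin" only lets the video
    // page keep its own origin; it never grants the embedding page's origin,
    // and without allow-top-navigation the frame cannot redirect the tab.
    return `<iframe src="${rule.embed(id)}" ` +
      'sandbox="allow-scripts allow-same-origin allow-presentation" ' +
      'referrerpolicy="no-referrer" allowfullscreen></iframe>';
  }
  return null;
}

// Constructed sample input for a stand-alone run.
console.log(linkToEmbed("https://youtu.be/dQw4w9WgXcQ"));
console.log(linkToEmbed("https://www.youtube.com.example/watch?v=dQw4w9WgXcQ"));
```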

Regarding the password, I'm taking all the precautions possible ;) I ALWAYS have strong and different passwords for all my accounts.

BTW, I always suggest installing the code manually by downloading it from the repository. That is the safest way to use this extension.

I fully agree with you. That is why I tell users to install the source from github, which won't get updated automatically.

Please remember that my audit is worthless if you keep auto update on. Be sure to install from source to be extra safe.

What about just disabling updates for the addon? That's what I did, and I didn't download the update automatically. Could this be bypassed, or are people who disable updates safe from a malicious update?

That will work too. I know Firefox allows this but Chrome only allows all or no auto updates.

Indeed, you should add it to a "safety" section, in your post ;)

I did :) @armandocat controls the post :)

I would second that. Would love to see this code added to condenser. Well done @armandocat.

How about a mobile app? Do we already have a working repo for mobile? I just joined steemit and was looking for the mobile app. Is that esteem? I would also like to contribute. Maybe I have to look for the API.

From what I heard of @armandocat, there are plans for a mobile version of it.

esteem is one mobile app. I use the steemit.com website; others use steepshot or busy.org.

What are your coding skills? What languages can you code in? I can refer you to the right people :)

Thanks for your commitment to the community and its safety, @reggaemuffin.

And thanks @armandocat for your continued work on this extension. The extension has most definitely helped me, newbie, understand better what I do here on Steemit. 🤘

Love to do a review. Very useful tool.

But I just got an error downloading 1.3 from the Google Chrome store. Please read what I got:

"An error has occurred Package is invalid. Details: 'Could not load background script 'background.js'.'."
Please check

I've got it too

I forgot to add a new file to the zip I published :(
Sorry about that. In 10-15 min the new version 1.3.1 should be available and working!

This is a reminder that the extension published on the stores could be different from what is in the repos. So installing from source, while less convenient, is a lot safer.

Fully agree. Though the repos might be the better place to get it.

Lesson learned; next time I'll download from source.

Excellent! This will help answer the question that pops into mind when seeing this: "It looks great, but is it safe?" Thanks.

It will never be 'safe' in the sense that security is an illusion, but my review already made it safer.

You're right, 100% safe is not possible. But it is good to have at least a code review!

I don't understand anything about this site

Which site, steemit?
If you are new on steemit, I recommend having a look at @roxane's account, she has great videos in French that explain quite a few steemit concepts.