
I saw a recently added Firefox add-in specifically for Stack Overflow, to remove the side-bar links, but it seems suspicious to me.

Maybe I'm being over-paranoid but:

1. Excessive Permissions?


Mozilla's description of the permission level is:

Access your data for sites in the “named” domain: The extension could read the content of web pages you visit in the specified domain, as well as data you enter into those web pages, such as usernames and passwords.

Note that the add-in page only mentions S.O. while the add-in requests full permission for 7 sites (2 of them unknown).


2. Numbers don't add up:

How does an add-in have 480 Downloads from 21 Daily Users? ("9 users from 2017-02-02 [the add-in creation date] to 2017-11-17"), and from the same platforms over and over, always 1 to 2 downloads per day.

21 is the same number of users who gave the add-in a 5-Star rating without writing anything. The only other review says it doesn't work on the "Main SO Page".


3. Active on Stack Overflow??

Add-in Description: Removes sidebar links from StackOverflow. This means no Meta links, no related questions and mainly no hot network questions. I find these interesting, which distracts me at work. I wrote this to keep me focused.

He must be pretty active here if distraction is enough of a problem to write an add-on for it, right? Nope. His pages on Mozilla and SO and SE show he's never asked/answered or done anything else. Join date? Jan 25 2017, just before the add-in was released.


4. Strange Example Screenshot

This is the screen shot used as an example with the add-in:

...was obviously taken from this odd question 1 minute after its last edit, but authored by a different (real) username, whose account was created 3 minutes prior, and has never posted since. (...not to mention, it's kind of a silly question for an app developer?)


Incidentally I would have invited him to this conversation, but there's nothing to ping him on, the profile URL is invalid, and the Mozilla page has no contact option.

Something about this makes me not trust that add-in. On the other hand, I wonder how much damage could possibly be done with a Firefox add-in or a Stack Overflow password? (Can those add-ins be reverse compiled etc?)

I figured I should pass it on to y'all anyway...

  • 6
    Someone hasn't heard of userscripts...
    – BoltClock
    Commented May 15, 2018 at 6:28
  • 2
    Heck, you don't even need a userscript for this. Those links can be hidden with a Stylish rule. Even if an extension must be used, I don't know how extensions work now but I don't see why an extension needs that level of access just to hide some elements from the page.
    – BoltClock
    Commented May 15, 2018 at 6:29
  • 3
    Assuming that add-on needs access to the page DOM to remove / hide those unwanted containers explains why it needs access. And yes, with that it can inject anything it wants. It can flag/vote for you, scrape your PII and send it off somewhere. That goes for all add-ons in this genre.
    – rene
    Commented May 15, 2018 at 6:42
  • @BoltClock - on that topic, I just haven't had ads in the SO sidebar since I hit (whatever rep that was)... but suddenly I do. The setting is still correct in my profile. I realize it says "reduce" not "eliminate" ads... Do you know if something changed, or is it just my system? (I formatted last week so maybe it's me)
    – ashleedawg
    Commented May 15, 2018 at 7:25
  • @rene - that's terrible! Is SO able to tell whether activity like that comes from me or an add-in? (Again, not that I have anything life threatening on here, but I also don't want anyone f'in with something I've put so much time into!)
    – ashleedawg
    Commented May 15, 2018 at 7:27
  • Remember that most users of Stack Exchange use it in its original purpose: They search for answers to their problems using the massive database. Just because they're not actively asking and answering doesn't mean they aren't active users.
    – pipe
    Commented May 15, 2018 at 9:59

2 Answers


The extension itself does not appear to be malicious. Really all it is besides the localization and icons is 2 files:

hide-sidebar.css:

#sidebar {
    display: none;
}

manifest.json (icons abridged):

{
    "manifest_version": 2,
    "name": "__MSG_extensionName__",
    "version": "1.4.0.0",
    "default_locale": "en_US",
    "description": "__MSG_extensionDescription__",
    "author": "Daniel Arthur Gallagher",
    "icons": {
        //...
    },
    "content_scripts": [
        {
            "matches": [
                "*://*.stackoverflow.com/questions/*",
                "*://*.stackexchange.com/questions/*",
                "*://serverfault.com/questions/*",
                "*://superuser.com/questions/*",
                "*://askubuntu.com/questions/*",
                "*://stackapps.com/questions/*",
                "*://mathoverflow.net/questions/*"
            ],
            "css": [
                "hide-sidebar.css"
            ]
        }
    ],
    "content_security_policy": "default-src 'none'; style-src 'self'; script-src 'self'; object-src 'none'",
    "developer": {
        "name": "Daniel Arthur Gallagher"
    },
    "permissions": []
}

Of course, the author could potentially update the extension later to do other things the current permissions allow.

  • How did you view it like that? I'm no web dev but I would've started there but couldn't see how to view an extension without installing. ... Also, good to hear it's safe, for now, thanks! But I gather from your final ominous comment that the permission is permanent regardless of update?
    – ashleedawg
    Commented May 15, 2018 at 7:11
  • 5
    @ashleedawg If you right-click on the install button, you can copy the URL to download the XPI from (you might also be able to save-as from that menu, not sure). Once you download it (you can open the downloads list and paste the link there to download, or use curl, or wget, or whatever), you just extract the XPI as a ZIP file. Commented May 15, 2018 at 7:15
  • good to know, thanks - I usually go through about:addons and I don't have that option there. Didn't think to try the link I included. :) Any thoughts on #2 in my Q? ~500 downloads = 20 users ... am I misunderstanding the stats?
    – ashleedawg
    Commented May 15, 2018 at 7:20
  • ...although the funny thing about the stats is as far as I can tell, the stats page is not shared by default for add-ins, the dev would have had to specifically choose to make it public, I think? (An unlikely move if one were cheating the system somehow!)
    – ashleedawg
    Commented May 15, 2018 at 7:23
  • 1
    @ashleedawg If an update requires more permissions, you will be prompted before installing that update. Updates that use the same or lower permissions will not prompt a warning. The author could change the extension to do other things the permissions give them access to without warning. Commented May 15, 2018 at 7:23
  • That would be a good tactic for someone wanting to do bad things. Require more permissions than you need but do the correct thing. At a later date when lots of people are using it add in the malicious code that requires higher permissions. Since you already have the needed permissions no warning is given and the users don't know about the malicious code that is now in place.
    – Joe W
    Commented Jun 13, 2019 at 15:22

The list of sites is perfectly reasonable; it's pretty much the same as what e.g. my SOUP add-on uses. For various historical reasons, Stack Overflow, Super User, Server Fault, MathOverflow, Ask Ubuntu and Stack Apps are the only Stack Exchange sites with their own canonical domain names; everything else lives under stackexchange.com. So if you want your extension to run on all SE sites, those seven domains are what you need to match.

(However, the matches list quoted by Alexander O'Mara is slightly buggy, in that it won't match e.g. Meta Super User. For consistent behavior, all of the domain names really should be prefixed with *. to also match their meta sites — with the possible exception of stackapps.com, which doesn't have one.)

As for the "access your data" permissions, that's the permission you need to inject CSS or JavaScript code onto a site. The extension really cannot do what it does without it. However, it does carry a risk, insofar as a malicious extension author (or one who e.g. had their account compromised) could later update the extension to also inject something else, up to and including e.g. password-stealing JavaScript code, to the same sites without triggering any additional warning dialogs.


As for the user's activity, I can't really comment on that without further investigation. What you describe could be a sign that it might be a fake account created solely for a scam, but there could also be perfectly innocent explanations. In particular, quite a lot of people — indeed, probably most of the people who visit the site at all — use Stack Overflow simply as a place to look up existing answers without ever asking or answering questions of their own, or even creating an account.

And as for the question in the screenshot, it might just be a random new question the add-on author happened upon; it doesn't look particularly unusual to me, for a random SO question asked by a new user, and most new users create their account just before asking their first question because SO no longer lets people ask questions without an account.


Anyway, as Alexander O'Mara notes, what the extension actually does is just inject a single CSS rule to the page. If you'd rather not install a specific browser add-on written by some random person just for that, you could achieve the same effect by installing a user style manager such as Stylus (an open-source fork of Stylish with a stated emphasis on privacy) and adding #sidebar { display: none } as a custom user style there. Or you could even use Firefox's built-in user style sheet instead, and avoid the need for add-ons entirely.
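An added example, not code from the extension or from either answer: the script below reads the manifest quoted in Alexander O'Mara's answer the way both answers do. It compiles WebExtension match patterns so you can check exactly which URLs the content script is injected into, and it lists the bare-domain patterns that, as the second answer notes, match superuser.com but not meta.superuser.com. The manifest object is the one quoted above with icons and localization keys dropped; the URLs in the usage note are constructed.

```javascript
// Added example (not the extension's or either answer's code): audit the
// content_scripts block of the manifest quoted above. "permissions" is empty
// but match patterns grant host access themselves, hence the seven-site warning.
const manifest = {
  manifest_version: 2,
  content_scripts: [{
    matches: [
      "*://*.stackoverflow.com/questions/*",
      "*://*.stackexchange.com/questions/*",
      "*://serverfault.com/questions/*",
      "*://superuser.com/questions/*",
      "*://askubuntu.com/questions/*",
      "*://stackapps.com/questions/*",
      "*://mathoverflow.net/questions/*",
    ],
    css: ["hide-sidebar.css"],
  }],
  permissions: [],
};

// Compile one WebExtension match pattern to a RegExp: "*://" means http or
// https, a host of "*.example.com" means the bare domain or any subdomain,
// and "*" in the path matches any run of characters.
function patternToRegExp(pattern) {
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host = "", path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const schemeRe = scheme === "*" ? "https?" : scheme;
  let hostRe = esc(host);
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = `([^/]+\\.)?${esc(host.slice(2))}`;
  const pathRe = esc(path).replace(/\*/g, ".*");
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// True if any content script in the manifest would be injected into url.
function scriptRunsOn(manifest, url) {
  return manifest.content_scripts.some((cs) =>
    cs.matches.some((p) => patternToRegExp(p).test(url)));
}

// Patterns whose host is a bare domain rather than "*.domain": as the second
// answer notes, these match superuser.com but not meta.superuser.com.
function bareDomainPatterns(manifest) {
  return manifest.content_scripts
    .flatMap((cs) => cs.matches)
    .filter((p) => !/^[^:]+:\/\/\*[./]/.test(p));
}
```

With this manifest, scriptRunsOn reports true for https://meta.stackoverflow.com/questions/1/x and false for https://meta.superuser.com/questions/1/x, and bareDomainPatterns returns the five patterns that would need the "*." prefix.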
