> extensions could just load external scripts and there's no way you could tell ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		g947o 16 days ago \| parent \| context \| favorite \| on: 8M users' AI conversations sold for profit by "pri... > extensions could just load external scripts and there's no way you could tell what they were actually doing. I do think security researchers would be able to figure out what scripts are downloaded and run. Regardless, none of this seems to matter to end users whether the script is in the extension or external.

reddozen 16 days ago | [–]

nothing stopping server side logic: if request.ip != myvictim, serve no malicious payload.

johncolanduoni 16 days ago | [–]

Even if the extension isn’t malicious, it creates a new attack vector that can affect users. If whatever URL the script is remotely loaded from is compromised, now all users of that extension are vulnerable.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact