Forum Discussion
Recent and upcoming changes to the Microsoft Edge Add-Ons store
- dragonwolf83, Dec 16, 2020, Brass Contributor
One of the biggest security issues lately is already-trusted extensions being sold to new developers, who then use the installed base to push an updated extension with malicious code. See Nano AdBlock as a recent example, which mainly affected users who installed it from the Google store.
A couple of ideas on how to improve security for this attack vector:
* Virus scanning, per Deleted's suggestion
* Code Scanning for any extension that seeks to detect F12 Developer Tools and flag it as suspicious. Add to AllowList if extension has provided reasonable explanation and make it a permission required for users to know/accept.
* Let users know if an extension is sold and hands off access to a 3rd party. Users can then research and decide if they want to continue with extension.
I think this attack vector needs a lot more discussion between Google, MS, and the community to find other ways to mitigate these issues. I don't think locking down extensions is the right answer. This is a trust issue: ensure users know about changes to an extension before or after they install it.
- Deleted, Dec 16, 2020
Shouldn't just scan when downloading but constantly. Like how Windows Defender does it. Or every time there is an update, don't know. Very tricky to keep the owners' rights and stuff.
- HotCakeX, Dec 16, 2020, MVP
Deleted
Deleted wrote:
Shouldn't just scan when downloading but constantly. Like how Windows Defender does it. Or every time there is an update, don't know. Very tricky to keep the owners' rights and stuff.
I agree, after each update the extension should be scanned. Maybe the developer plays a good role for the first month and then turns malicious and slowly starts doing bad things.
Of course, there will be a prompt shown to the user whenever an extension asks for additional permissions, but still the average user will just grant the permission.
And the VPN extensions: there are a lot of duplicates in the Edge Add-ons store. VPNs with different names but the same UI, same servers, exactly the same process.
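The per-update review that dragonwolf83 and HotCakeX describe above (flag devtools-detection code, and flag permissions added since the previous version) can be sketched as a small store-side checker. This is an added illustration, not code from the thread or from any store; the devtools-detection regexes and the "sensitive" permission list are assumptions of the example, and the manifests and scripts are constructed samples.

```python
import re

# Heuristics for code that tries to notice open Developer Tools.
# Assumption: a small hand-picked set of common patterns, not a store policy.
DEVTOOLS_PATTERNS = [
    (r"outerWidth\s*-\s*(window\.)?innerWidth", "window size delta (docked devtools check)"),
    (r"outerHeight\s*-\s*(window\.)?innerHeight", "window size delta (docked devtools check)"),
    (r"\bdebugger\s*;", "debugger statement (timing-based devtools check)"),
]

# Permissions that widen what an extension can see or do. Assumption: hand-picked.
SENSITIVE_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "tabs", "cookies", "history", "nativeMessaging"}

def scan_source(js: str) -> list:
    """Return sorted, de-duplicated labels of devtools-detection heuristics found in js."""
    return sorted({label for pat, label in DEVTOOLS_PATTERNS if re.search(pat, js)})

def _all_permissions(manifest: dict) -> set:
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

def permission_diff(old_manifest: dict, new_manifest: dict) -> dict:
    """Permissions present in the update but absent from the previously reviewed version."""
    added = _all_permissions(new_manifest) - _all_permissions(old_manifest)
    return {"added": sorted(added), "sensitive_added": sorted(added & SENSITIVE_PERMISSIONS)}

def review_update(old_manifest: dict, new_manifest: dict, new_sources: dict) -> dict:
    """Combine both checks into one report; 'flag' means a human should look before publishing."""
    report = permission_diff(old_manifest, new_manifest)
    hits = {name: scan_source(src) for name, src in new_sources.items()}
    report["devtools_checks"] = {name: h for name, h in hits.items() if h}
    report["flag"] = bool(report["sensitive_added"] or report["devtools_checks"])
    return report

# Constructed sample: a benign 1.0.0 followed by an update that broadens
# permissions and goes quiet when the devtools pane is docked.
OLD_MANIFEST = {"name": "Example Blocker", "version": "1.0.0", "permissions": ["storage"]}
NEW_MANIFEST = {"name": "Example Blocker", "version": "1.1.0",
                "permissions": ["storage", "webRequest"], "host_permissions": ["<all_urls>"]}
NEW_SOURCES = {
    "background.js": "setInterval(function () {\n"
                     "  if (window.outerWidth - window.innerWidth > 160) { quiet = true; }\n"
                     "}, 500);",
    "popup.js": "document.title = 'Example Blocker';",
}

if __name__ == "__main__":
    print(review_update(OLD_MANIFEST, NEW_MANIFEST, NEW_SOURCES))
```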
- Deleted, Dec 16, 2020
Yes, I do agree with you. You can't lock down an extension. Yeah, should implement those ideas.