Forum Discussion
josh_bodner
Microsoft
Dec 16, 2020Recent and upcoming changes to the Microsoft Edge Add-Ons store
Hello Insider Community, We at Microsoft Edge team have revamped the product detail page on the Edge Add-ons website. From our research we gathered that users need more information to make a be...
dragonwolf83
Dec 16, 2020Brass Contributor
One of the biggest security issues lately is already trusted extensions selling to new developers that then use the installed base to install an updated extension with malicious code. See the Nano AdBlock as recent example which mainly affected if installed from Google Store.
A couple of ideas on how to improve security for this attack vector:
* Virus Scanning per Deleted suggestion
* Code Scanning for any extension that seeks to detect F12 Developer Tools and flag it as suspicious. Add to AllowList if extension has provided reasonable explanation and make it a permission required for users to know/accept.
* Let users know if an extension is sold and hands off access to a 3rd party. Users can then research and decide if they want to continue with extension.
I think this is attack vector needs alot more discussion between Google, MS, and the community to find other ways to mitigate these issues. I don't think locking down extensions is the right answer. This is a trust issue to ensure users know about changes to an extension before or after they install it.
Deleted
Dec 16, 2020Yes I do ageee with you. You can’t lock down a extenstion. Yeah should implant those ideas.