
Can you explain this? #96

Open
zhtw2013 opened this issue May 8, 2018 · 21 comments

@zhtw2013 commented May 8, 2018

https://www.v2ex.com/t/452943#reply19

Public notice of a malicious extension / malicious plugin: baidudl

@Kyle-Kyle (Owner) commented May 8, 2018

The malicious extension is called baidudl: https://chrome.google.com/webstore/detail/baidudl/mccebkegnopjehbdbjbepjkoefnlkhef

The original author's extension is called baidu-dl (it contains no Facebook-related malicious code): https://chrome.google.com/webstore/detail/baidu-dl/lflnkcmjnhfedgibjackiibmcdnnoadb

@zhtw2013 (Author) commented May 8, 2018

Looking at the GitHub history, the link you used to provide was the link to the malicious extension baidudl.
How do you explain that?

[screenshot]

@Kyle-Kyle (Owner) commented May 8, 2018

Because that earliest extension was not published under my account. Later, other things happened and I could no longer operate that account. So I posted a notice and switched to the new link.

@zen9073 commented May 8, 2018

One person playing two roles?
Red on the left half, black on the right?

@Kyle-Kyle (Owner) commented May 8, 2018

#71

@zhtw2013 (Author) commented May 8, 2018

In that case, why did you let an account you cannot control keep updating the extension on the Chrome store? Why not report it or file a complaint?
Also, neither the GitHub page nor the new store extension page carries any notice telling users that the other extension is not maintained by you. Why?

@Kyle-Kyle (Owner) commented May 8, 2018

I explained the situation in issue #71.

@Kyle-Kyle (Owner) commented May 8, 2018

I admit I did a poor job of warning users. I thought updating the link would be enough. Sorry.

@Kyle-Kyle (Owner) commented May 8, 2018

I also mentioned this in issue #85. I did not update the Readme. Sorry.

@rexx0520 (Contributor) commented May 9, 2018

Ah, good that the problem has been found.
So what is the fix... uninstalling surely isn't enough, right?


@Kyle-Kyle (Owner) commented May 10, 2018

Based on my reverse engineering of the malicious extension, combined with information disclosed in related papers, the malicious extension appears to steal the user's Facebook token in order to give likes (selling likes).

@qwertccc commented May 11, 2018

The truth will come out on its own. I have been following this project for a long time and I understand the whole story fairly well.

@zhtw2013 (Author) commented May 11, 2018

@qwertccc

Then would you like to help explain what even the author cannot explain clearly?

What special reason made the author hand the extension over to someone else without a word?

The author has not explained.

The extension was taken over, yet instead of reporting it to get it taken down, the author quietly swapped the GitHub link to the clean version. Why?

The author has not explained.

Would you like to explain on the author's behalf?

@Kyle-Kyle
Lastly I want to ask the author: you still control updates.
For the old store link, what is the last version you can guarantee contains no malicious code, and from which month is it?

Honestly, there have been far too many cases like this recently: extension authors quietly selling their extensions without a word,
which leads to user data leaks, to say nothing else. I worry that baidudl is pulling the same trick; I hope that is not the case with you.

@Kyle-Kyle (Owner) commented May 11, 2018

@zhtw2013 Please don't target other people; this incident really is my failure.
The last clean version at the old store link should be 1.3.5 (the GitHub version at the time was 1.3.6). The malicious version is currently labelled 1.4.3.
Going by that timeline alone, the only period certain to be free of malicious code would be January.
But according to issue #85, on March 23 the clean extension had a login requirement while the malicious one did not, which indicates that the malicious extension was still on a 1.3.x version at that point.
And according to the reverse-engineering results, the malicious extension appears to have pulled version 1.4.2, modified it, and uploaded it. In addition, the file stat report shows that the malicious file was copied directly into the extension on March 30. We have reason to assume that the extension was in a normal state before March 30.
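The version forensics in this comment (which build was last clean, which file was added and when, and the earlier finding that the malicious build reaches into Facebook) is the kind of check a defender can run mechanically by diffing two extension packages. The following is an added Python example; it is not code from this project or from anyone in the thread. The two in-memory packages, the demo-dl name, the pan.baidu.com allow-list and the file names are constructed assumptions that only mimic the shape of a Chrome extension zip so the comparison runs offline.

```python
import hashlib
import io
import json
import zipfile
from dataclasses import dataclass, field

# Hosts a download helper for this site is expected to touch (assumption).
EXPECTED_HOSTS = {"pan.baidu.com"}


def make_pkg(version, permissions, extra_files=None):
    """Build a constructed in-memory extension package (manifest + scripts)."""
    buf = io.BytesIO()
    manifest = {"name": "demo-dl", "version": version,
                "permissions": permissions, "background": {"scripts": ["bg.js"]}}
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("bg.js", "chrome.downloads.download({url: 'https://pan.baidu.com/x'});")
        for name, body in (extra_files or {}).items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a clean build and a later build that widened its
# host scope to facebook.com and dropped in a new file.
CLEAN_PKG = make_pkg("1.4.2", ["downloads", "*://pan.baidu.com/*"])
SUSPECT_PKG = make_pkg(
    "1.4.3",
    ["downloads", "*://pan.baidu.com/*", "*://*.facebook.com/*", "cookies"],
    {"lib/helper.js": "// constructed placeholder for an unexpected added file"},
)


def file_digests(pkg_bytes):
    """Map every file in the package to (sha256, zip timestamp)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as z:
        for info in z.infolist():
            out[info.filename] = (hashlib.sha256(z.read(info)).hexdigest(), info.date_time)
    return out


def read_manifest(pkg_bytes):
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as z:
        return json.loads(z.read("manifest.json"))


def hosts_from_permissions(perms):
    """Extract host names from match-pattern permissions such as *://*.facebook.com/*."""
    hosts = set()
    for p in perms:
        if "://" in p:
            host = p.split("://", 1)[1].split("/", 1)[0]
            hosts.add(host.lstrip("*."))
    return hosts


@dataclass
class Report:
    old_version: str
    new_version: str
    added_files: list = field(default_factory=list)
    added_file_times: dict = field(default_factory=dict)  # name -> zip mtime tuple
    changed_files: list = field(default_factory=list)
    new_permissions: list = field(default_factory=list)
    unexpected_hosts: list = field(default_factory=list)

    @property
    def suspicious(self):
        # New files or hosts outside the allow-list warrant manual review.
        return bool(self.unexpected_hosts or self.added_files)


def compare_packages(old_pkg, new_pkg, expected_hosts=EXPECTED_HOSTS):
    """Diff two extension packages: files (by hash), permissions and host scope."""
    old, new = file_digests(old_pkg), file_digests(new_pkg)
    old_m, new_m = read_manifest(old_pkg), read_manifest(new_pkg)
    report = Report(old_m.get("version", "?"), new_m.get("version", "?"))
    for name, (digest, when) in new.items():
        if name not in old:
            report.added_files.append(name)
            report.added_file_times[name] = when
        elif old[name][0] != digest:
            report.changed_files.append(name)
    old_perms = set(old_m.get("permissions", []))
    report.new_permissions = sorted(set(new_m.get("permissions", [])) - old_perms)
    report.unexpected_hosts = sorted(
        hosts_from_permissions(new_m.get("permissions", [])) - set(expected_hosts))
    return report


if __name__ == "__main__":
    print(compare_packages(CLEAN_PKG, SUSPECT_PKG))
```

On real packages the two arguments would be the bytes of two CRX/zip downloads of consecutive store versions; the zip entry timestamps play the role of the "file stat" evidence mentioned above, and a host outside the allow-list is the signal that a download helper has no business requesting.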

@zhtw2013 (Author) commented May 11, 2018

@Kyle-Kyle
Targeting him? Someone suddenly jumps in claiming to know the whole story, so of course I will ask them to explain; maybe they know more than the author himself.

Understood, then I am relieved. I had already stopped using this extension for a while before the presumed contamination date.

Kyle-Kyle added the question label May 11, 2018

@fireattack commented May 22, 2018

And what is this "later, other things happened"... Most likely the author sold the extension to one of those malicious companies.

Don't blame me for guessing; this has happened countless times, with well-known cases such as Stylish and YouTube Plus. Usually these companies lie low for a while after the purchase, then start pushing malicious scripts and stealing user information.

And the price these companies offer is one an ordinary developer cannot refuse.

@Kyle-Kyle (Owner) commented May 22, 2018

@fireattack On that point, I can say: I did not.

@fireattack commented May 22, 2018

Then tell us what "the earliest extension was not published under my account; later, other things happened" actually means.

Was your account stolen? Did a friend stab you in the back?

@Kyle-Kyle (Owner) commented May 22, 2018

@fireattack Sorry. It is a private matter unrelated to the project. If you are going to be this toxic, I refuse to keep responding.

@fireattack commented May 22, 2018

A malicious incident affecting tens of thousands of users has become "unrelated to the project"? Since what was stolen is Facebook OAuth, it probably was not done by someone in China; if it was not you, then it was the owner of that extension's account who sold it. It makes no difference to the users.
