Open smartfonreddit opened 4 years ago
cc: @tomlowenthal Can you help with the labelling and triaging of this one?
@smartfonreddit "A similar feature exists in another browser and it has been proven to be useful." Which browser and is it possible to post screenshots of the feature you're talking about?
Firefox's about:addons page has a feature that lets you uncheck the automatic addon update. When you click to manually check for updates, it shows which addons have a new version and lets you update them. https://i.imgur.com/fD02qzb.png
I really hope I can switch 'hate' into 'prefer' in this context, but it is so hard to say "I prefer not to have auto-update" than "I hate auto-updates"
Any updates?
This really needs to be an option. At the moment, there is a Metamask update that is blocking the entire wallet under some conditions, and the only solution is to roll back to 9.4.0 or lose access to the entire wallet. I was shocked to find that there is no way to prevent Brave from automatically updating extensions.
Automated updates are a virus. Literally a major security and stability threat. They should be disabled.
Auto updates need to have the option to disable. This is making me use Firefox and I really do not wish to do it.
This feature really needs to be added to Brave, but for the time being, you can disable automatic updates manually for each extension by moving the extension folder in ~\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ somewhere else, choosing load unpacked on brave://extensions and selecting the folder with the version number.
This feature should really be added to Brave. At this point I've just removed write permissions from the Extensions folder. I'll update if it fails.
I agree with you fma1, I don't understand that a browser based on confidentiality and privacy like Brave does not have this option, on Firefox for example this option has always been offered as long as I can remember. Changing write permissions manually is clearly not a convenient solution.
Bumping this with another anecdote from someone who could have benefitted from disabling auto-updates on extensions: https://twitter.com/sell9000/status/1777158691214569636
Guys, this is really elevating now, and it seems that someone needs to file a CVE and we need to recommend that all users uninstall Brave until this CVE can be dealt with. The fact that the Brave AND Chrome devs are now completely ignoring a CRITICAL VULNERABILITY with users having their bank accounts wiped out, is a problem for me.
CVE reported as CRITICAL HIGH IMPACT vulnerability to HackerOne:
https://hackerone.com/bugs?subject=user&report_id=2457734
Right now we are advising to uninstall Brave and/or not use ANY extensions until this CVE is patched. Brave needs to disable "unattended updates". Unattended updates are a virus, guys.
Severity: Critical (10.0)
It's quite interesting to see how the Brave team responds to this. They just said that the bug report doesn't belong on HackerOne because it's a "known issue". So they knew about a critical vulnerability and their response has been... to do nothing so far??? Jesus if I was that guy who just lost $500k I might start considering whether Brave has some legal liability here...
It's a "known issue" in the sense that it's already publicly posted here so there's no point in posting it on hackerone, which is for undisclosed security issues. I'm not implying anyone already saw this github issue who works at Brave.
https://twitter.com/cryptospora_net/status/1778121026997534918
Maybe if Elon reposts it, they will start to care about user security and patching root exploits in their browser, lol.
So HackerOne is the place where people are supposed to file bug reports to get bounties. In this case, instead of rewarding the people who REALIZED that this unattended browser update issue is a CRITICAL CVE that has been open for 5 YEARS, and filed a bug report about it with bounty, they simply insta-closed the bug report. May I suggest there may be a culture issue at Brave and maybe at Chrome upstream also??? Maybe HackerOne didn't want people to see, in the bug reports area, that there is a critical CVE that has been known about for 5 years???
If you really believe this is a critical CVE that is up to browsers to fix rather than extension authors, you should report this to Chrome. Then we can inherit their fix and many more users will be protected from what you believe to be a critical CVE.
In the meantime, we can offer people the following solutions to disable extension auto-updates in Brave:
(1) https://stackoverflow.com/questions/62810224/how-to-disable-google-chrome-extension-autoupdate-in-2020 to disable specific extensions from autoupdating
(2) Block go-updater.brave.com in DNS, for instance using /etc/hosts on macOS/Linux, to block all extension updates. https://www.baeldung.com/linux/etc-hosts-block-specific-websites
We will consider adding a more user-friendly option to disable extension updates, but this will take time and testing to make sure it doesn't break other security functionality, so it's not an immediate solution in any case to the wallet draining problem.
We will not be responding here further in the meantime except to clarify (1) or (2).
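The hosts-file workaround from (2), written out as a small script so it can be applied, checked and lifted again when you decide to pull extension updates yourself. This is an added example, not Brave's code and not something posted in this thread. It assumes a POSIX sh with grep -E and sed, and takes the hosts file path as an optional second argument so you can try it on a copy before touching /etc/hosts (which needs root). The hostname go-updater.brave.com comes from the comment above; the sinkhole address 0.0.0.0 is my choice. Keep in mind the caveat from the same comment: this blocks everything Brave fetches through that host, not only the one extension you are worried about, so unblock, update, and block again rather than leaving it off permanently.

```shell
#!/bin/sh
# Sinkhole an update host in a hosts file, and lift the block again when you
# want to fetch extension updates on your own schedule.
# HOSTS_FILE defaults to /etc/hosts (editing it needs root, so use sudo);
# passing another path lets you dry-run against a copy first.

# Build the grep -E pattern that matches a sinkhole line for HOST:
# a line starting with 0.0.0.0 or 127.0.0.1, then HOST as a whole word,
# with commented-out lines ignored.
sinkhole_pattern() {
  escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '^[[:space:]]*(0\\.0\\.0\\.0|127\\.0\\.0\\.1)[[:space:]]+([^#]*[[:space:]])?%s([[:space:]]|$)' "$escaped"
}

# Exit 0 if HOST is already sinkholed in HOSTS_FILE, 1 otherwise.
is_blocked() {
  grep -Eq "$(sinkhole_pattern "$1")" "${2:-/etc/hosts}"
}

# Append a sinkhole entry for HOST unless one is already present (idempotent).
block_host() {
  host="$1"; hosts_file="${2:-/etc/hosts}"
  if is_blocked "$host" "$hosts_file"; then
    return 0
  fi
  printf '0.0.0.0 %s # block extension auto-updates (added manually)\n' "$host" >> "$hosts_file"
}

# Remove every sinkhole entry for HOST so updates can be fetched again.
unblock_host() {
  host="$1"; hosts_file="${2:-/etc/hosts}"
  tmp=$(mktemp)
  grep -Ev "$(sinkhole_pattern "$host")" "$hosts_file" > "$tmp" || true
  cat "$tmp" > "$hosts_file"   # rewrite in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# Typical use (hostname taken from the comment above):
#   sudo sh -c '. ./hosts_block.sh; block_host go-updater.brave.com'
#   sudo sh -c '. ./hosts_block.sh; unblock_host go-updater.brave.com'   # before a manual update
```

After blocking, brave://extensions still shows the "Update" button; pressing it simply fails to reach the update host until you run unblock_host. The pattern deliberately ignores lines that are commented out with #, so a disabled entry is not mistaken for an active block.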
I do indeed believe that this is a critical CVE. I will try making a bug report to Chrome and we will see how it goes :) As the OP mentioned, 5 years ago:
Brave could become the first Chromium-based browser to have this feature. It's in-line with the privacy-first mission and can be a great "marketing" point.
Brave is supposed to be privacy oriented, and instead you can get force-fed broken or possibly compromised extensions, and no way to disable extension updates, apart from blocking updates for the entire application via stupid Windows hacks.
I'm very disturbed about this. 👎
Description
As the Chrome extension store became popular, bad actors began taking advantage of it by purchasing popular extensions then injecting them with malware. The bad actor updates the extension to add the malware, then pushes it to unsuspecting users. A web search will reveal many such instances.
As an extension user, getting malware is as simple as launching Brave. Brave downloads the latest infected version of the extension automatically.
The user has no tools to defend against this. Google does not vet extensions usually until it's too late. Only the basic malware gets caught by Google's extension scanner, not enough.
If the user had a way to at least delay the installation of extension updates, it would allow the security researchers, including Google, to detect and remove the malicious extension before it's downloaded by the user. (personal experience)
Steps to Reproduce
Actual result:
Passwords and other data are stolen. Web search will reveal many such instances. For example, Amazon and other famous websites' passwords were stolen last year. Infected updates can install a keylogger, inject ads, inject remote code, steal browsing URLs etc.
Expected result:
An option to disable the automatic extension updates, or at least to delay them by a considerable time. Press a button to update extensions, or to see if updates are available. A similar feature exists in another browser and it has been proven to be useful.
Brave version (brave://version info)
all
Miscellaneous Information:
Brave could become the first Chromium-based browser to have this feature. It's in-line with the privacy-first mission and can be a great "marketing" point.
Thank You.
Some examples:
https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/
https://www.ghacks.net/2017/07/31/chrome-extension-copyfish-hijacked-remove-now/
https://www.bleepingcomputer.com/news/security/chrome-extension-with-100-000-users-caught-pushing-cryptocurrency-miner/
https://www.reddit.com/r/chrome/comments/7ibl97/the_dec_7_2017_version_of_text_link_extension/
https://www.bleepingcomputer.com/news/security/first-malicious-chrome-extensions-detected-using-session-replay-scripts/
https://www.bleepingcomputer.com/news/security/over-500-000-users-impacted-by-four-malicious-chrome-extensions/
https://www.reddit.com/r/firefox/comments/8jcubq/is_it_ok_for_addon_with_47k_users_to_inject/
https://www.reddit.com/r/firefox/comments/87a21e/hello_just_noticed_a_new_style_of_ads_when_using/
https://www.bleepingcomputer.com/news/security/chrome-extensions-android-and-ios-apps-caught-collecting-browsing-data/
https://www.reddit.com/r/chrome/comments/9d52q7/someone_hijacked_mega_chrome_extension_to_steal/
https://www.reddit.com/r/phishing/comments/9b315f/youtube_video_downloader_firefox_addon_injecting/
https://www.bleepingcomputer.com/news/security/mozilla-removes-23-firefox-add-ons-that-snooped-on-users/
https://www.hackread.com/android-apps-chrome-extensions-collect-facebook-data/
and more