Kutt Extension has been flagged and disabled by Chrome Web Store

[adan89lion]

Description: Kutt Extension has been automatically disabled (and locked) on my Edge browser on macOS on July 10th, 2022. Its page on Chrome Web Store has also been removed. (I've attached the screenshot of the alert on Edge browser).

Device info:

• OS: macOS 12.4 (Build 21F79)
• Browser: Microsoft Edge 103.0.1264.51 (Official build) (x86_64)

[lukasgabriel]

I also noticed this yesterday on Edge.

The extension was also removed from the Firefox Addon Store: https://addons.mozilla.org/firefox/addon/kutt/

Can anyone provide info about whether this is a false positive and the extension can safely be re-enabled, or is there actually malware present? Is there any reason to also be worried about the main repo? I've shut down my self-hosted Kutt instance, just to be safe, until there's a response from the developers.

[moquito64]

Edge, Chrome, and Firefox all seem to have flagged this as containing malware. Hope we get more information soon. I have disabled this until further notice.

[hammady]

How is this report related to the kutt server itself? It seems to be a different repo. We need a prompt explanation in case the kutt server has serious security issues and must be taken down.

[imakiro]

No update on the rejection from stores, bugfix releases ?

[abhijithvijayan]

@poeti8 any ideas on what caused the rejection?

I will land a PR with all dependencies upgrade for the extension. Maybe that will help?

[Tnology]

Any update on this? I just got my selfhosted Kutt service up and running, and I'm super excited to use this (especially for custom domains like [my domain].com/apply alongside all of the other useful features).

[poeti8]

@abhijithvijayan This is the email I got from Firefox:

Details: 1) Extensions defining a content security policy that allows eval ('unsafe-eval') are generally not allowed for security and performance reasons. ‘eval’ is only necessary in rare cases. Please use a different method or explain why eval is required in your add-on.

• manifest.json line 45

In addition the following is required to complete the review:

1) This version contains minified, concatenated or otherwise machine-generated code. Please provide the original sources, together with instructions on how to generate the final XPI. Source code must be provided as an archive and uploaded using the source code upload field, which can be done during submission or on the version page in the developer hub.

Please read through the instructions at https://extensionworkshop.com/documentation/publish/source-code-submission/ .

And for Chrome:

[abhijithvijayan]

will migrate to v3 soon and we can go ahead with the release which would resolve this.

I will add the missing permission to the manifest as well so that this issue is rectified.

[poeti8]

@abhijithvijayan any updates on this?

[abhijithvijayan]

this is blocked on the migration of the plugin i wrote to support webpack 5. https://github.com/abhijithvijayan/wext-manifest-webpack-plugin

Webpack has introduced major breaking changes and deprecated APIs relied on by the plugin. Once I manage to get it migrated, I will pick this issue up.

[poeti8]

Can't we use something else for now? Or take another approach?

[lukasgabriel]

@poeti8 You can still use the plugin just fine.

[brianantonelli]

No, you can't use it just fine. It's missing from the store.

[poeti8]

You can use it if you have already installed it. I'll check with the issue myself soon, seems like @abhijithvijayan doesn't have free time.

[mtan93]

You can install manually by downloading the chrome.zip release, enable developer mode and drop the extracted folder into the chrome://extensions page.

[poeti8]

Kutt is now back on Chrome Web Store: https://chrome.google.com/webstore/detail/kutt/pklakpjfiegjacoppcodencchehlfnpd

Firefox review is still pending.

[Lancaban]

Any updates on this yet?

[poeti8]

Any updates on this yet?

For FireFox? I submitted many times but each time they respond with something weird that I don't know how to fix. I should try again soon.