Hacker News

One approach would be to intercept your own traffic with Fiddler as a proxy for a few hours after installing and look for any nefarious requests. This is a pretty effective way to run a basic security audit.


Only effective against ones that don’t have activation criteria.


Usually the activation criteria will be "Contact this server and see what it tells me to do".

An extension developer ought to know the exact purpose of every network request their extension makes, so inspecting network logs is indeed a good plan.

Just remember there are ways to detect if the developer tools panel is open...


> Usually the activation criteria will be "Contact this server and see what it tells me to do".

Right, but it could be set up to only do that starting six months after installation or something.


Yep, but it's a good start. Why I called it a "basic audit".
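The log review discussed in this thread, as an added example that is not part of any commenter's post: it assumes the proxy capture has been exported as a HAR file, and reports every host outside an allowlist of domains the extension is expected to contact, along with how long after capture start each first appeared. The sample capture, the hostnames, and the names `audit_har` and `is_expected` are constructed for illustration.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 shape; hosts and times are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2024-01-01T10:00:00.000Z",
     "request": {"method": "GET", "url": "https://api.example.com/v1/sync"}},
    {"startedDateTime": "2024-01-01T10:00:05.000Z",
     "request": {"method": "GET", "url": "https://cdn.example.com/icons.png"}},
    {"startedDateTime": "2024-01-01T12:30:00.000Z",
     "request": {"method": "POST", "url": "https://config.unknown-host.test/cmd"}},
    {"startedDateTime": "2024-01-01T12:30:02.000Z",
     "request": {"method": "POST", "url": "https://config.unknown-host.test/upload"}},
]}})


def parse_time(stamp):
    """Parse a HAR ISO 8601 timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_expected(host, allowlist):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def audit_har(har_text, allowlist):
    """Map each unexpected host to its request count, methods, paths and
    the delay in seconds between capture start and its first request."""
    entries = json.loads(har_text)["log"]["entries"]
    if not entries:
        return {}
    start = min(parse_time(e["startedDateTime"]) for e in entries)
    report = {}
    for e in entries:
        url = urlsplit(e["request"]["url"])
        host = (url.hostname or "").lower()
        if is_expected(host, allowlist):
            continue
        delay = (parse_time(e["startedDateTime"]) - start).total_seconds()
        r = report.setdefault(host, {"count": 0, "methods": set(),
                                     "paths": set(), "first_seen_s": delay})
        r["count"] += 1
        r["methods"].add(e["request"]["method"])
        r["paths"].add(url.path)
        r["first_seen_s"] = min(r["first_seen_s"], delay)
    return report


if __name__ == "__main__":
    for host, info in audit_har(SAMPLE_HAR, {"example.com"}).items():
        print(host, info)
```

A host that only shows up hours into the capture is worth a closer look, but an empty report only covers the capture window, which is the limitation raised above about delayed activation.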



