Malware in open-source web extensions

Submitted by
Style Pass
2024-03-31 11:00:03


On February 4, millions of browser tabs were suddenly terminated. Not everyone was surprised; the dozen people who had spent the last four months waiting for this tragedy to occur watched in relief as the first of a rapid stream of GitHub comments began pouring in. The Great Suspender, a Chrome extension that suspended inactive tabs and had around two million users, had been forcibly uninstalled because it contained malware. This was a serious problem for users, in part because of the difficulty of recovering the lost tabs, but the extension's malevolence had been painfully obvious to anyone who cared to investigate it.

This extension was compromised not because some cunning cracker had gotten into the build infrastructure, nor because of a failure to escape certain metacharacters. Instead, it was due to an open question in free and open-source software communities: who owns the code? The entire point of an open-source license is to free us from being restricted to one group controlling everything about the code. Rather, the code is owned by the community around it, as opposed to any one individual. However, for many types of software that is true only in theory.
