Onyx MCM Extension security concerns

Status

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
Hi there,

When I was discussing the extension with the developers back when I was running the forum, I made it clear that all contents, resources and such will be hosted, owned and updated by MCM (myself). This was more of a safety probation as I wanted to minimize every possible risk of damage being made. Wvisoecj and y0jJJyeDYzRTYomFX knew I wanted this and they agreed and understood.

After conducting some tests with the current extension that's public and condemned by Mick and MC-Market, I noticed it loads external javascript. This is a HUGE security concern as you can do pretty much anything with Javascript. Steal sessions, read the contents of the forum and even go as far as stealing plain passwords. The external contents are being loaded from either Wvisoecj's or y0jJJyeDYzRTYomFX's website.

Nonetheless, I think the addon should be under Mick's Google account to prevent possible harmful code and that someone should read through all updates pushed out by the developers. Besides that, I think it's a pretty good idea to host all javascript on MC-Market itself to minimize the risk of any damage.

This is nothing personal towards y0jJJyeDYzRTYomFX and Wvisoecj however you can never be too secure nowadays. In fact, I hang out with these guys in Discord a lot, they are chill however I think Mick is simply unaware of the security holes he has opened.

Besides that, this makes the current MCM privacy policy completely invalid as there's a chance a 3rd-party site (aka the extension developers) is tracking the users who are using the extension without it clearly being stated in the privacy policy.

Wake up Mick
 
Type
Bug report
Status
Implemented
Last edited:

Cal

you invest in the divinity of the masterpiece
Supreme
Feedback score
62
Posts
1,439
Reactions
1,857
Resources
0
Thanks for pointing this out!
 

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Feedback score
12
Posts
2,419
Reactions
3,404
Resources
0
just tried onyx and I'm wondering, is it really worth having?
It just makes the forum look a bit more modern-ish.

The only reason why I'm not using it yet is due to the things stated in the thread
 

1amDev

Designer & Developer
Supreme
Feedback score
30
Posts
511
Reactions
844
Resources
0
Hello all,

To ensure that there isn't a freak out and panic attack here on MCM, allow me to break down and explain exactly what BeBosny is trying to say here. I completely see his point and agree with him by the way.

Basically, when someone makes an extension (made in JavaScript) they can really do pretty much anything they want to with your browser (track history, embed ads, log keystrokes, etc). This is, of course, a huge security concern for anyone installing an extension anyways.

Now, I've known both Wvisoecj & y0jJJyeDYzRTYomFX (makers of the Onyx Extension) for a while. I talk to each of them daily and was part of the beta development/testing in the extension. I very highly doubt that these two would ever try to harm anyone on this forum or compromise their security.

BeBosny's whole point though is this: Mick did not even check over the extension before announcing it out to the whole forum as the "Official MC-Market Theme Extension". He did not have a developer or anyone else with proper knowledge of programming check out the extension and make sure everything is safe. Even if he did go through those steps, the extension is hosted through Wvisoecj's server; meaning that he can change the code of the extension and pose a huge security concern to members of the forum whenever he wants to and Chrome will automatically update the extension with the new external code.

This does concern me as I feel like Mick isn't properly maintaining user security here on the forums. But, I trust the users that made the extension so I use it myself.

I hope I cleared up the confusion of others with this message.

Best regards,
Michael // 1amDev
 
Last edited:

lAkjtzAZ0

Deactivated
Feedback score
16
Posts
1,071
Reactions
1,013
Resources
0
Amen BeBosny! You show those peeps who's boss, no pun intended!
lol? Considering the fact that Mick failed to do his own security checks and could have compromised MCM users due to his own mistakes, there's not much else ozair can do. When he made the extension he hosted it himself and continues to do so because well, that's how things work. Had a discussion between Mick and ozair taken place about this, I'm sure it would have been dealt with already. You can really blame ozair for anything and there's nothing to "show those peeps" because it's the only way to do it as of now.

also Croc, you're telling bebos to "show those peeps who's boss", yet aren't you hosting the javascript for the crappy safari port you did on your site? Totally not the same though Kappa
 
Last edited:

Wvisoecj

Supreme
Feedback score
9
Posts
471
Reactions
677
Resources
0
I will make a more detailed and thorough post when I can on my PC, but for now I will quickly go over big points that stick out here.

After conducting some tests with the current extensions that's public and condemned by Mick and MC-Market, I noticed it loads external javascript. This is a HUGE security concern as you can do pretty much anything with Javascript. Steal sessions, read the contents of the forum and even go as far as stealing plain passwords. The external contents are being loaded from either.
I have always been aware of the potential damage that can be caused from the extension. I have assessed every way to reduce that risk and have successfully done so. I will detail this in a later post.

Most importantly, onyx does NOT log your key strokes. All the code has been approved and only written by me.

Nonetheless, I think the addon should be under Mick's Google account to prevent possible harmful code and that someone should read through all updates pushed out by the developers. Besides that, I think it's a pretty good idea to host all javascript on MC-Market itself to minimize the risk of any damage.
The extension itself is uploaded by Mick. Google Extensions use a Private-Public key infrastructure which means only the person with the private key (Mick) can update the extension on the store. The JS is temporarily hosted by me until Mick's team can sort out the bigger issue switch the website.

I think Mick is simply unaware of the security holes he has opened.
Mick has always been aware of the risk of me myself hosting the assets. I had explained to him from the beginning how the update system works, and the pros and cons of him hosting it himself vs me. We agreed that MCM should host it but due to a fast approaching deadline I was left to temporarily host it till other issues were ironed out.

Technically speaking, the only security risk is me going rogue and adding malicious code. No one else has access to update production code without my signatures. All communications are encrypted between extension and server with TLS so there can be no MITM attacks.

Personally I think this is just yet another attack on MCM/Mick by BeBosny. He has time and time again gone after him, and while I don't agree with what happened during the "transfer of power" I don't believe it's right to bring me into it. I understand you're outlining the potential security risks that Mick "overlooked" but you've made it also sound like I have no idea what I'm doing.

Rest assured, we are moving all assets to official servers that I don't have control over as well as getting more developers to publicly approve the code.

The code has always been available on a private Gitlab server, which you can find here.

https://git.epic-services.com/onyx/resources/tree/bleeding-edge
 

rexs123

Fullstack Software Engineer
Supreme
Feedback score
30
Posts
177
Reactions
365
Resources
0
You guys complain of a simple extension using external JavaScript files. But yet 90% of large extensions used by a lot of MCM users such as adblock or Gyazo all use "remotely hosted" JavaScript. How can you ensure that their hosting platform is secure enough to protect your data? What if those extensions have external JavaScript? Please look at the bigger picture here. BeBosny is just trying to fight against mick over the pettiness of this forum. It's immature and childish if you ask me. The people who think it's such a big deal need to get over their egos and grow the fuck up.


Thanks,
Rexs123
 

MTG

Supreme
Feedback score
78
Posts
2,455
Reactions
2,600
Resources
0
I will make a more detailed and thorough post when I can on my PC, but for now I will quickly go over big points that stick out here.


I have always been aware of the potential damage that can be caused from the extension. I have assessed every way to reduce that risk and have successfully done so. I will detail this in a later post.

Most importantly, onyx does NOT log your key strokes. All the code has been approved and only written by me.


The extension itself is uploaded by Mick. Google Extensions use a Private-Public key infrastructure which means only the person with the private key (Mick) can update the extension on the store. The JS is temporarily hosted by me until Mick's team can sort out the bigger issue switch the website.


Mick has always been aware of the risk of me myself hosting the assets. I had explained to him from the beginning how the update system works, and the pros and cons of him hosting it himself vs me. We agreed that MCM should host it but due to a fast approaching deadline I was left to temporarily host it till other issues were ironed out.

Technically speaking, the only security risk is me going rogue and adding malicious code. No one else has access to update production code without my signatures. All communications are encrypted between extension and server with TLS so there can be no MITM attacks.

Personally I think this is just yet another attack on MCM/Mick by BeBosny. He has time and time again gone after him, and while I don't agree with what happened during the "transfer of power" I don't believe it's right to bring me into it. I understand you're outlining the potential security risks that Mick "overlooked" but you've made it also sound like I have no idea what I'm doing.

Rest assured, we are moving all assets to official servers that I don't have control over as well as getting more developers to publicly approve the code.

The code has always been available on a private Gitlab server, which you can find here.

https://git.epic-services.com/onyx/resources/tree/bleeding-edge
/*
* Dear person who found this.
* I worked really hard to getting this
* to fire instantly
* I would appreciate it if you would leave
* my work alone. Thank you <3
*/
 

Mick

BuiltByBit Owner
Management
Feedback score
28
Posts
6,412
Reactions
7,663
Resources
0
Thanks for your expert input here Wvisoecj. As you have correctly pointed out, it is just another case of BeBosny continuing to stir up the community and talking about subjects he knows nothing about. If he genuinely was interested or cared for the community he would have contacted Wvisoecj on Discord or me through PMs. He could have asked about the situation and could have expressed his concerns in a private manner and yet he attempts to make a point without the facts - which is what he has been becoming known for recently.

BeBosny has made his intentions clear on the last line of his post, and he should consider the fact that now not only is he representing himself but also Anvilnode as he is the COO. If I hired BeBosny, I certainly wouldn't be happy with the ruckus he has been causing on the same place we had been recruiting employees, it just reflects poorly on the host.

I find the very idea that we should be taking security advice in the first place from someone who uses passwords from jobs he does to hijack clients accounts confusing, to say the least. It's simply a case of having no morals and no idea.

BeBosny needs to stop.

BeBosny, if you feel the need to discuss this further then you can create a Support Request, like you should have in the first place.
 