Pages:
Author

Topic: BPIP and reading personal messages (Read 344 times)

copper member
Activity: 588
Merit: 926
August 21, 2023, 11:37:03 AM
#22
Another topic is trust on the Internet. OP, why do you think that someone should now assure you that this or that extension does not collect or, on the contrary, has the ability to see all your data when entering the site? I never refute the words suchmoon in the safety of its extension, and I myself use it very actively. However, only you, OP, are the owner of what you want to show on the internet. If you go back to those articles, sometimes fake extensions steal user data, including the user's entire surfing history, and cookies through which you can get to the user's passwords and easily read all personal information. Why can't the extension you installed do the same? You can believe the developers' words, but again, no one is obliged to reveal all the secrets to you, and only you can decide what you can show an extension that you are not the owner of. On the internet, it's good to be a skeptic.

What does this have to do with trust in the internet and in particular trust in the BPIP extension? Where did I say that I do not trust the BPIP extension? Where did I even mention trust? The topic was created not for that, but for the purpose of getting a specific technical answer to a specific technical question that I was interested in. I have received it. Thanks to suchmoon, Stalker22, TryNinja and SamReomo. I can safely close the topic. Thanks again to everyone (without exception) for your comments in this topic.

P.S. If anyone would be interested in continuing the discussion in this topic, message me in PM and I'll open it up.
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
August 20, 2023, 02:16:14 AM
#21
Another topic is trust on the Internet. OP, why do you think that someone should now assure you that this or that extension does not collect or, on the contrary, has the ability to see all your data when entering the site? I never refute the words suchmoon in the safety of its extension, and I myself use it very actively. However, only you, OP, are the owner of what you want to show on the internet. If you go back to those articles, sometimes fake extensions steal user data, including the user's entire surfing history, and cookies through which you can get to the user's passwords and easily read all personal information. Why can't the extension you installed do the same? You can believe the developers' words, but again, no one is obliged to reveal all the secrets to you, and only you can decide what you can show an extension that you are not the owner of. On the internet, it's good to be a skeptic.
legendary
Activity: 1526
Merit: 1359
August 19, 2023, 03:18:24 PM
#20
Thank you for your comment. From our conversation, I realized that theoretically, if you modify the BPIP extension, it will be able to read any information on any open page. Accordingly, if a page with private messages is opened, the extension will be able to read what is written there. But if do not open the private messages page when the extension is running, it will not be able to read private messages. And the extension has no access to the encrypted database itself, where private messages of forum users are stored.

Speaking strictly theoretically, let us assume you have a malicious extension installed in your browser (I am not referring to the bpip.org extension here), and you access the bitcointalk.org forum using your credentials. At this point, an active session with the website is established, granting access to any forum page, including your private messages. The extension could theoretically exploit this active session to access your private messages in the background, all without you even noticing. Therefore, it is not necessary for you to open your private messages for a malicious extension to "read" them. And once again, this is unrelated to encrypted data in the database, as the entire process takes place within your browser.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
August 19, 2023, 11:20:13 AM
#19
That's a possibly because the source code is open and anyone with programming knowledge can modify the code and redistribute the extension to the users. Those malicious actors won't be able to update the extension which was posted on chrome extension site by the original creator but they can create fake versions of the extension with same credentials.

So that would be someone creating a new, separate, malicious extension. I don't think this has anything to do with BPIP. Such a malicious person wouldn't even need our code - there is nothing special in it and it doesn't have anything that would help reading the PMs and/or sending them somewhere. But yes, if you install a random extension and grant it permissions to bitcointalk.org (or gmail, or your bank's website), chances are that bad things could happen.

I agree that the extension which a user downloads from an unknown source doesn't have anything to do with BPIP.ORG because that's would be the fault of the user who installs it without verifying the source. The BPIP.ORG provides a reputed extension as we all know and it would never do anything to read the PM's of a user.

There are chances that the malicious actors who may create a similar clone of BPIP extension with the same code but with additional permissions of reading someone's PM's but that thing doesn't have anything to do with BPIP.ORG and the user who installs such extensions should be responsible for any damages he/she receives by installing such extensions.

legendary
Activity: 3654
Merit: 8909
https://bpip.org
August 19, 2023, 07:20:13 AM
#18
Thank you for your comment. From our conversation, I realized that theoretically, if you modify the BPIP extension, it will be able to read any information on any open page. Accordingly, if a page with private messages is opened, the extension will be able to read what is written there. But if do not open the private messages page when the extension is running, it will not be able to read private messages. And the extension has no access to the encrypted database itself, where private messages of forum users are stored.

I feel like "modifying extension code" is misunderstood in this context. I can't modify the code in your browser without you noticing. You can modify the code in your browser but then you would be reading your own PMs. Someone else can't modify the code in your browser to sneak into your PMs.

That's a possibly because the source code is open and anyone with programming knowledge can modify the code and redistribute the extension to the users. Those malicious actors won't be able to update the extension which was posted on chrome extension site by the original creator but they can create fake versions of the extension with same credentials.

So that would be someone creating a new, separate, malicious extension. I don't think this has anything to do with BPIP. Such a malicious person wouldn't even need our code - there is nothing special in it and it doesn't have anything that would help reading the PMs and/or sending them somewhere. But yes, if you install a random extension and grant it permissions to bitcointalk.org (or gmail, or your bank's website), chances are that bad things could happen.
copper member
Activity: 588
Merit: 926
August 19, 2023, 07:06:18 AM
#17
Sorry to be intrusive Smiley One last question on this theme and I'll get off your back. Is it possible to add code to an extension and still access private forum user message or is it a priori impossible without getting additional permissions from theymos?

What logfiles said. It is possible in theory but only if you install a new version of the extension. You can disable automatic updates and/or review the source code of any new version that gets installed so you (the user) can be in full control of this.

theymos doesn't get any say in this. It's entirely up to you, your browser, and the extensions you install in your browser.

(edit - spelling)

Thank you for your comment. From our conversation, I realized that theoretically, if you modify the BPIP extension, it will be able to read any information on any open page. Accordingly, if a page with private messages is opened, the extension will be able to read what is written there. But if do not open the private messages page when the extension is running, it will not be able to read private messages. And the extension has no access to the encrypted database itself, where private messages of forum users are stored.
hero member
Activity: 1442
Merit: 775
August 18, 2023, 11:18:11 PM
#16
That's a possibly because the source code is open and anyone with programming knowledge can modify the code and redistribute the extension to the users. Those malicious actors won't be able to update the extension which was posted on chrome extension site by the original creator but they can create fake versions of the extension with same credentials.
Have an open source extension is great as if you have coding knowledge, you can verify code but if you can not do code verification by yourself, you should not rely on other reviews and verification to use any extension.

If you are seriously worrying about something malicious behind extensions, just don't use any extension. Basically browsers provide us enough fundamental features to use. Don't require too much customized features while you are not a coder, don't have coding and security knowledge, then adding more risk on your devices.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
August 18, 2023, 05:07:38 PM
#15
That's possible and can be done by a malicious actor who knows JavaScript programming.

Extensions are signed and tied to the author's account so only the author of the extension can update it. You're making it sound like anybody can do it. That's not correct. The "malicious actor" can change the code (on the actor's computer) but they won't be able to deploy it to other users.

Nah, you interpreted my words in a wrong way. I was not saying that the malicious actor would change it on a particular user's system, but it would change the code altogether and then upload the extension on another site or upload it on chrome's extension page from another account which is not the original account of the extension.

That's a possibly because the source code is open and anyone with programming knowledge can modify the code and redistribute the extension to the users. Those malicious actors won't be able to update the extension which was posted on chrome extension site by the original creator but they can create fake versions of the extension with same credentials.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
August 18, 2023, 04:53:51 PM
#14
That's possible and can be done by a malicious actor who knows JavaScript programming.

Extensions are signed and tied to the author's account so only the author of the extension can update it. You're making it sound like anybody can do it. That's not correct. The "malicious actor" can change the code (on the actor's computer) but they won't be able to deploy it to other users.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
August 18, 2023, 04:28:45 PM
#13
Can you answer me specifically, you can use the BPIP extension to read my private message. What permissions do I have to grant the extension to do this? I want to make sure that theymos words are not outdated and still valid. And to convince the esteemed Lucius of this.

I can't read your PMs. There is no code in the extension that would send the contents of PMs to me (or to anyone). It's as simple as that. This can be verified by anyone with some Javascript proficiency.

There are no additional permissions that could change this. As I mentioned, the extension already has full permission to access bitcointalk.org content in your browser but it only uses this permission for the narrow purposes it's designed for.

So the short answer is NO. Whether that will convince Lucius - I don't know.

Sorry to be intrusive Smiley One last question on this theme and I'll get off your back. Is it possible to add code to an extension and still access private forum user message or is it a priori impossible without getting additional permissions from theymos?

That's possible and can be done by a malicious actor who knows JavaScript programming. The malicious actor can change the code of the extension in a way that the extension will be able to collect the information about the private messages of a user. And, the malicious actor can do that without theymos's permission because in such cases the permission of the administrator isn't required.

A user gives complete permission to an extension to access all the data of bitcointalk.org would know that he/she is willing to allow such extension to be installed on his browser which could theoretically access and read the data of bitcointalk.org on that user's browser where the extension is installed. Like @suchmoon clarified that people could look at the source code of the extension to verify that the extension is not collecting data of the user's PM's, and that's more than enough for us to know that there private messages of a user are in privacy of the user and they won't be shared by the extension. However, you should know that the extension can access the PM's and if someone add some code changes in the extension then in that case it may collect the private data of the user without anyone's permission.

legendary
Activity: 3654
Merit: 8909
https://bpip.org
August 18, 2023, 04:26:27 PM
#12
Sorry to be intrusive Smiley One last question on this theme and I'll get off your back. Is it possible to add code to an extension and still access private forum user message or is it a priori impossible without getting additional permissions from theymos?

What logfiles said. It is possible in theory but only if you install a new version of the extension. You can disable automatic updates and/or review the source code of any new version that gets installed so you (the user) can be in full control of this.

theymos doesn't get any say in this. It's entirely up to you, your browser, and the extensions you install in your browser.

(edit - spelling)
legendary
Activity: 1526
Merit: 1359
August 18, 2023, 04:23:37 PM
#11
Is it possible to add code to an extension and still access private forum user message or is it a priori impossible without getting additional permissions from theymos?

It seems you already got that answer in the previous comments.

Any browser extension can be designed to access the content of everything you do online, even private messages on the bitcointalk.org forum. Basically, whatever you see, the extension could see and potentially even more. But just to be clear, I'm not talking specifically about the BPIP extension; I mean any browser extension in general. And this has nothing to do with the fact that private messages are encrypted on the server.

So, it is important to be mindful of what you are adding to your browser. The silver lining is that all these extensions are open source, imo.
copper member
Activity: 2198
Merit: 1837
🌀 Cosmic Casino
August 18, 2023, 04:04:15 PM
#10
Sorry to be intrusive Smiley One last question on this theme and I'll get off your back. Is it possible to add code to an extension and still access private forum user message or is it a priori impossible without getting additional permissions from theymos?
It's possible to add code that would collect the page contents it accesses/reads including PMs if you are logged in and opened your messages and then send it over, but that would mean you would have to first update from the current extension version to the new version because the current version is not designed to do that.

Anyone who reviews the code before updating the extension would be able to see the changes. But I am not sure why you are so worried about this. There is already a warning regarding PM privacy and sending of sensitive information over the forum.
copper member
Activity: 588
Merit: 926
August 18, 2023, 03:23:29 PM
#9
Can you answer me specifically, you can use the BPIP extension to read my private message. What permissions do I have to grant the extension to do this? I want to make sure that theymos words are not outdated and still valid. And to convince the esteemed Lucius of this.

I can't read your PMs. There is no code in the extension that would send the contents of PMs to me (or to anyone). It's as simple as that. This can be verified by anyone with some Javascript proficiency.

There are no additional permissions that could change this. As I mentioned, the extension already has full permission to access bitcointalk.org content in your browser but it only uses this permission for the narrow purposes it's designed for.

So the short answer is NO. Whether that will convince Lucius - I don't know.

Sorry to be intrusive Smiley One last question on this theme and I'll get off your back. Is it possible to add code to an extension and still access private forum user message or is it a priori impossible without getting additional permissions from theymos?
legendary
Activity: 3654
Merit: 8909
https://bpip.org
August 18, 2023, 02:35:32 PM
#8
Can you answer me specifically, you can use the BPIP extension to read my private message. What permissions do I have to grant the extension to do this? I want to make sure that theymos words are not outdated and still valid. And to convince the esteemed Lucius of this.

I can't read your PMs. There is no code in the extension that would send the contents of PMs to me (or to anyone). It's as simple as that. This can be verified by anyone with some Javascript proficiency.

There are no additional permissions that could change this. As I mentioned, the extension already has full permission to access bitcointalk.org content in your browser but it only uses this permission for the narrow purposes it's designed for.

So the short answer is NO. Whether that will convince Lucius - I don't know.
copper member
Activity: 588
Merit: 926
August 18, 2023, 02:15:07 PM
#7
Thank you for your comments.  Here's the matter in a different way. I am primarily interested in the way the question is posed. When I wrote that private messages can be read only by those who have the key to decrypt the database (i.e. a rather limited number of people) and quoted the words of theymos, the esteemed Lucius responded by saying that I cannot read the forum and quoted the words of the esteemed suchmoon as a refutation of my words.

That is, it turns out that the esteemed Lucius is 100% sure that the BPIP extension can read private messages. That's what I propose to prove in practice the words of respected suchmoon, which are so zealously referred to by respected Lucius. Because a man should be responsible for his words. I think so.

As others already pointed out, the extension has the permission to do it, which you grant to the extension when you install it. Something along the lines of "access any data on bitcointalk.org", meaning as you browse bitcointalk.org with your browser (logged in or not) the extension would have access to anything your browser downloads from bitcointalk.org. And the extension makes use of this permission to inject snippets of HTML - such as links to BPIP/loyce.club/ninjastic.space, merit counts, etc - into bitcointalk.org pages as you browse them. It does not collect your PMs though. You can verify that by looking at its source code, or you would have to trust the developers, which is what I was attempting to say in that post that Lucius quoted.

I don't know the full context that made you create this thread so let me point one other thing that is blatantly obvious but doesn't appear to be stated in that quote: the extension works only in the browser instance where it is installed and enabled. If you don't have it installed (as is the case for 99.9% users) then you don't have the above theoretical risk.

Thanks for the comment. I have your extension running and it has been granted all the permissions it requested.

Can you answer me specifically, you can use the BPIP extension to read my private message. What permissions do I have to grant the extension to do this? I want to make sure that theymos words are not outdated and still valid. And to convince the esteemed Lucius of this.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
August 18, 2023, 02:08:32 PM
#6
Okay, let's do it that way. I registered an alternate account Light_Warrior (Alt) and sent a test message to that account. Let the reputable suchmoon read this message using his BPIP extension. I'll even allow him to post it here in this thread.

As others already pointed out, the extension has the permission to do it, which you grant to the extension when you install it. Something along the lines of "access any data on bitcointalk.org", meaning as you browse bitcointalk.org with your browser (logged in or not) the extension would have access to anything your browser downloads from bitcointalk.org. And the extension makes use of this permission to inject snippets of HTML - such as links to BPIP/loyce.club/ninjastic.space, merit counts, etc - into bitcointalk.org pages as you browse them. It does not collect your PMs though. You can verify that by looking at its source code, or you would have to trust the developers, which is what I was attempting to say in that post that Lucius quoted.

I don't know the full context that made you create this thread so let me point one other thing that is blatantly obvious but doesn't appear to be stated in that quote: the extension works only in the browser instance where it is installed and enabled. If you don't have it installed (as is the case for 99.9% users) then you don't have the above theoretical risk.
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
August 18, 2023, 01:21:16 PM
#5
Okay, let's do it that way. I registered an alternate account Light_Warrior (Alt) and sent a test message to that account. Let the reputable suchmoon read this message using his BPIP extension. I'll even allow him to post it here in this thread.

Any extension of your browser (theoretically) can obtain data from the pages you visit, be it the BPIP or any other. Fortunately, the vast majority of extensions do not collect information beyond what has been programmed, which guarantees some "security".

The use of extensions should always be done with great care and attention, as there are many malicious extensions. This is clearly not the case with BPIP, which does not record any and all information that appears on the page.
legendary
Activity: 2758
Merit: 6830
August 18, 2023, 12:41:15 PM
#4
Okay, let's do it that way. I registered an alternate account Light_Warrior (Alt) and sent a test message to that account. Let the reputable suchmoon read this message using his BPIP extension. I'll even allow him to post it here in this thread.
That’s… not how this works.

“Theoretically” means the extension can naturally interact with the forum in any way IF, and only if, there is a code in there to specifically do that. Obviously there is nothing coded that says “if suchmoon clicks this button, the extension will read your DMs and send them over to him”. The thing is that there could be, which is why it’s theoretical.
hero member
Activity: 1428
Merit: 513
Payment Gateway Allows Recurring Payments
August 18, 2023, 11:18:03 AM
#3
IMO, this is what I understood from what Suchmoon said. The fact is that the extension can read all the data on the page you are viewing, but it only collects other forms of data, such as User IDs. It's not designed/modified to collect data from PMs

The good thing is the code is open source. Anyone with some technical knowledge can help review it.
I am new here you guys are senior, i always afraid to talk in between such topics but i am seeing this topic for quite some times, like many topics and threads i have read in these 2 days. Point is, dear logfiles, the meaning of suchmoon post is, these extensions have the capability to read and provide all the PMs but they do not do so because the setting is not set to show that data to public which means they could see them also.

The thing i am unable to understand is, when we try to send PM to someone we see a note at the bottom left corner that " Note: PM privacy is not guaranteed. Encrypt sensitive messages." Which is also a open indicator for everyone to be prepared for all types of security.

Which also means, these extensions have access to our PMs which i think should not have because i am ok with Administrators to have such access but not other members who are not even a part of the team of Theymos. TBH, if one do want to share someone a secret message they should avoid to send that directly instead do encryption or use TG to make discussions.
Pages:
Jump to: