Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications

To members of the NVDA community around the world:

Some of you may have heard of an add-on called Blind Extra which supposedly allows easy access to additional software products. I’m sorry to inform you that this add-on shall enter the Hall of Blacklisted Add-ons with no chance of leaving that place for all eternity. Here’s why:

A few days ago, Derek Riemer, another author of NVDA add-ons, and I were alerted to two reports of the Blind Extra add-on breaking numerous security issues. One involved renaming files to something else without the user noticing it, and the second was remote access where someone gained access to a user’s computer and sent Skype messages. Prior to that, some users asked Derek and me to perform a scan of this add-on, and another user told us that this add-on does odd things, including suspicious activity and downloading files.

In the case of the remote access incident, the user who was affected by this alerted Derek and me to this issue on a Skype group. After some exchanges where the hacker (under the ID of the affected user) wrote messages that were quite suspicious, we determined that it is best to blacklist this add-on, which was partly responsible for this incident.

Thus, I would like to request the community do the following:

1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this makes it the second add-on to meet this fate, with the first being Instant Translate; in the case of Instant Translate, people report that the situation has improved, but due to the volatility of the services used, it’ll remain an add-on under our careful watch).

3. For resident NVDA community add-on reviewers: do not accept review requests from the author of Blind Extra (we only know this person as ‘Ahmed’).

Also, I’d like to remind the community to be vigilant when installing add-ons – add-ons can do amazing and powerful things, including what you read above.

Thank you.

Cheers,

Joseph