Re: Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications


Jim Hunt
 

Hi,
Oh boy, I don't have BlindExtra but I used GetExtra. Are there shady
things in GetExtra too? Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@gmail.com> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which supposedly
allows easy access to additional software products. I'm sorry to inform you
that this add-on shall enter the Hall of Blacklisted Add-ons with no chance
of leaving that place for all eternity. Here's why:



A few days ago, I and Derek Riemer, another author of NVDA add-ons, were
alerted to two reports of Blind Extra add-on breaking numerous security
issues. One involved renaming files to something else without the user
noticing it, and the second was remote access where someone gained access to
a user's computer and sent Skype messages. Prior to that, some users asked
Derek and me to perform a scan of this add-on, and another user told us that
this add-on does odd things, including suspicious activity and downloading
files.



In case of the remote access incident, the user who was affected by this
alerted Derek and me to this issue on a Skype group. After some exchanges
where the hacker (under the ID of the affected user) wrote messages that
were quite suspicious, we determined that it is best to blacklist this
add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this makes it
the second add-on to meet this fate, with the first being Instant Translate;
in case of Instant Translate, people report that the situation has improved,
but due to volatility of the services used, it'll remain an add-on under our
careful watch).

3. For resident NVDA community add-on reviewers: do not accept review
requests from the author of Blind Extra (we only know this person as
'Ahmed').



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what you
read above.



Thank you.

Cheers,

Joseph
