Re: Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications


 

Hi,
If the author is Soft Extra (Ahmed Star), then it would be advisable to remove it.
Cheers,
Joseph

-----Original Message-----
From: nvda@nvda.groups.io [mailto:nvda@nvda.groups.io] On Behalf Of Jim Hunt
Sent: Friday, November 11, 2016 1:00 PM
To: nvda@nvda.groups.io
Subject: Re: [nvda] Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications

Hi,
Oh boy, I don't have BlindExtra but I used GetExtra. Are there shady things in GetExtra too? Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@gmail.com> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which
supposedly allows easy access to additional software products. I'm
sorry to inform you that this add-on shall enter the Hall of
Blacklisted Add-ons with no chance of leaving that place for all eternity. Here's why:



A few days ago, Derek Riemer, another author of NVDA add-ons, and I
were alerted to two reports of Blind Extra add-on breaking numerous
security issues. One involved renaming files to something else without
the user noticing it, and the second was remote access where someone
gained access to a user's computer and sent Skype messages. Prior to
that, some users asked Derek and me to perform a scan of this add-on,
and another user told us that this add-on does odd things, including
suspicious activity and downloading files.

In case of the remote access incident, the user who was affected by
this alerted Derek and me to this issue on a Skype group. After some
exchanges where the hacker (under the ID of the affected user) wrote
messages that were quite suspicious, we determined that it is best to
blacklist this add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this makes it
the second add-on to meet this fate, with the first being Instant
Translate; in case of Instant Translate, people report that the
situation has improved, but due to volatility of the services used,
it'll remain an add-on under our careful watch).

3. For resident NVDA community add-on reviewers: do not accept review
requests from the author of Blind Extra (we only know this person as
'Ahmed').



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what
you read above.



Thank you.

Cheers,

Joseph
