Why I Attack (carlini.com)
75 points by FergusArgyll on June 25, 2024 | hide | past | favorite | 8 comments


With all due respect - I laugh every time a researcher thinks THEY found something... Sometimes they really do, but many times others have long before and just don't share the results...


Indeed, the plethora of vulnerability writeups online creates a din whose silence is utterly deafening.


"Let's now skip ahead a few years to the first research paper I ever worked on. With (who would later become) my PhD advisor, we found that most of the most popular Chrome extensions were vulnerable to a variety of attacks that could let us do very bad things. Over half of the extensions we studied were vulnerable to attack, impacting millions of users."

Lots of HN commenters are fans of popular browsers and "browser extensions". Maybe they just like the ones that are not vulnerable to a variety of attacks. Yeah, right. The idea that I never see in these published papers is that (a) the software being examined should henceforth not be distributed to the public. Or even that people should stop using this software. Instead I almost always see the idea that (b) the software should be "fixed".

The power of idea "(a)" is that it stops the problems for end users. It leaves nothing for "attackers". Ideally it stops bad programmers from distributing software to the public for commercial purposes.

Whereas idea "(b)" generally keeps these bad programmers doing what they do: writing bad software and profiting from it. It might temporarily embarrass them but they will continue to distribute their bad software to the public, for profit. (And creating more "puzzles" for people like the author of the blog post. Arguably giving these "attackers" an interest in seeing more bad software distributed. Keep those puzzles coming.)


So what would you have us do? Should we simply ban writing software, because it might have vulnerabilities? People use browsers with extensions because they're useful; if you don't think utility has merit in the face of bugs then I can't see why you would allow internet connectivity at all.

(If you mean that we should ban specific extensions because they've had problems, I submit to you that all software has bugs and would ask, likewise, why the same rule should not ban all major browsers and OSs, which after all keep having vulnerabilities)


All software authors are not equal. All software is not equal. As with so many things in life, there is a quality spectrum.


Why are there no comments on this


The title of the post is super vague and tells nothing about the article itself


Don’t know - it was a very good read



