Code Verify: An open source browser extension for verifying code authenticity

60 points by harporoeder, about 1 year ago

9 comments

markussss, about 1 year ago
I think that that is supposed to prepare web apps for verification in the browser, in order to not allow them to run or connect to a remote server unless they are confirmed to be not tampered with, and that the main goal of this is to disallow usage of websites and related services unless ads are served. An adblock-blocker in the browser, sold as a security feature that protects against no real threats.

I refuse to believe that rogue browser extensions and userscripts are such a big problem that Meta decides to invest in security against those attack vectors.
mdaniel, about 1 year ago
(2022)

https://github.com/facebookincubator/meta-code-verify is the goods, and is MIT

https://github.com/facebookincubator/meta-code-verify#installation says Safari support is "coming soon" (from 2022) so I guess they think those users don't need to "verify[..] the integrity of a web page."
paxys, about 1 year ago
Makes sense at a technical level, but the threat this is meant to mitigate (FB's servers/TLS certs get compromised and start serving you malicious JS scripts, a browser extension pings Cloudflare and sees that the hash is incorrect) is a little too far-fetched. For example, wouldn't the attacker also be able to update the expected hash on Cloudflare's side, considering they have already compromised FB's servers?
mike_d, about 1 year ago
The hashes are checked against an endpoint hosted by Cloudflare. So technically Cloudflare or anyone able to MitM traffic to them (which would be anyone in a position to MitM Facebook as well) can still do evil things.

I haven't ripped apart the extension yet, but there is no mention of cryptographically verifying the response from Cloudflare.

Edit: looks like they are checking for a number of ad blocking extensions and mark it as "At Risk" if detected.

Edit 2: Oh boy, I hope this is covered by their bug bounty program.
dboreham, about 1 year ago
Problem with this approach at present is that many other browser extensions installed (not just extensions that have something to do with the FB site) will cause a false negative verification result. This is because they inject code into every JS file loaded.
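
The comments above raise two points about checking served scripts against a published hash list: a list that is not authenticated can be replaced along with the scripts, and code injected by another extension changes the hash. A generic Node.js sketch of both, added here as an example that is not part of any comment and is not the extension's own code; the function names, the Ed25519-signed manifest, the pinned public key and the sample scripts are all assumptions.

```javascript
// Added illustration: all names and sample data below are constructed.
const nodeCrypto = require("node:crypto");

const sha256 = (text) => nodeCrypto.createHash("sha256").update(text, "utf8").digest("hex");
const hashAll = (scripts) =>
  Object.fromEntries(Object.entries(scripts).map(([name, src]) => [name, sha256(src)]));

// Publisher side: hash every script and sign the list with a key that is
// kept apart from the web servers (an assumption of this sketch).
function buildManifest(scripts, privateKey) {
  const body = JSON.stringify(hashAll(scripts));
  const sig = nodeCrypto.sign(null, Buffer.from(body), privateKey).toString("base64");
  return { body, sig };
}

// Verifier side: publicKey is pinned in the verifier, never fetched with the manifest.
function verifyPage(scripts, manifest, publicKey) {
  const sigOk = nodeCrypto.verify(null, Buffer.from(manifest.body), publicKey,
    Buffer.from(manifest.sig, "base64"));
  if (!sigOk) return { status: "manifest-untrusted", mismatched: [] };
  const expected = JSON.parse(manifest.body);
  const mismatched = Object.entries(scripts)
    .filter(([name, src]) => expected[name] !== sha256(src))
    .map(([name]) => name);
  return { status: mismatched.length ? "hash-mismatch" : "verified", mismatched };
}

// Constructed sample data.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
const served = { "app.js": "console.log('app');", "vendor.js": "console.log('vendor');" };
const manifest = buildManifest(served, privateKey);

// 1. Untouched page: every hash matches the signed list.
const clean = verifyPage(served, manifest, publicKey);

// 2. Another extension appends code to a script: the hash no longer matches,
//    even though the site itself served the expected file.
const injected = verifyPage(
  { ...served, "app.js": served["app.js"] + "\n/* injected by another extension */" },
  manifest, publicKey);

// 3. The script and the hash list are changed together without the signing key:
//    the hashes agree with each other, and only the signature check rejects the list.
const evil = { ...served, "app.js": "console.log('altered');" };
const forgedBody = JSON.stringify(hashAll(evil));
const forged = verifyPage(evil, { body: forgedBody, sig: manifest.sig }, publicKey);

console.log(clean.status, injected.status, injected.mismatched, forged.status);
```
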
userbinator, about 1 year ago
I've already had to "crack" web apps with my MITM proxy to force them to behave, but in the past there haven't been many. This is an escalation that is not surprising, and the reason why we must strongly oppose remote attestation if we are to continue to have freedom and control over our computing environments.

They are 100% using "open source" as a distraction here. The fact that you can see the source is irrelevant for the purpose they are trying to use this for.
zb3, about 1 year ago
I don't want to run "authentic" Instagram which doesn't even let me zoom the page.. That's why I'm running the modified version and I won't give it up without a (technical) fight
nialv7, about 1 year ago
Wait, what even is the threat model here? I can't come up with many scenarios in which this makes sense
sa-code, about 1 year ago
For those who haven't heard of it before, a sentence from the article explaining what it is

> With Code Verify, you can confirm that your Instagram Web code hasn’t been tampered with or altered, and that your Instagram Web experience is the same as everyone else’s.