Missing e is not the cause of recent account trouble some people are experiencing.
When logging in, some Missing e users are seeing the above screen, but it is also happening to people not using Missing e.
Sometimes, this can mean that your account has been accessed by someone without permission. Perhaps you entered your password on a page that was made to look like Tumblr but was actually a phishing attack, where someone uses a fake form to steal your password.
Change your password and keep it secure.
Above all, make sure that you only enter or change your password on a secure Tumblr page. Here is a Tumblr staff post on how to recognize secure Tumblr pages: http://staff.tumblr.com/post/15260097735/ev-cert
UPDATE:
As I find out more, it appears that the problem may not be compromised passwords but a bit of a mixup on Tumblr’s end.
UPDATE:
That link to a Tumblr tweet may point to a removed tweet. Tumblr has since tweeted about this exact issue: https://twitter.com/tumblr/status/212702358604480513
Security and Permissions in ‘Missing e’
I think it would be helpful to post about the security and permissions warnings on the Missing e installer pages. To explain them, I’ll use the warnings on the Chrome Store installation page (although a lot of this applies to the Safari and Firefox versions of Missing e).
The warnings say: “This extension can access:
- Your data on all websites
- Your browsing history
- Your list of installed apps, extensions, and themes.”
Your data on all websites
The Chrome Web Store Help says this:
This item can read every page that you visit — your bank, your web email, your Facebook page, and so on. Often, this kind of item needs to see all pages so that it can perform a limited task such as looking for RSS feeds that you might want to subscribe to.
In addition, the Chrome Web Store Help also says this:
Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites.
What Missing e uses this permission for:
The permissions information on the Chrome Web Store site tells you the most that an extension is capable of doing.
In order to load information from Tumblr pages, Missing e must ask to be able to read information from any web domain. This is because, otherwise, it would not be possible for Missing e to load timestamps for messages in your inbox, a special code for a post needed to reblog yourself and a post’s tags for the Better Reblogs reblog tags option, as well as a number of other things for Tumblr blogs that have custom domains (like this one: http://blog.missinge.infraware.ca).
As for using your credentials (cookies), this means that when Missing e accesses Tumblr in the background, it does so using the same credentials that your browser automatically uses every time you load a Tumblr page. This is automatic. If Missing e did not do so, it would not be able to access anything on your Tumblr. From Missing e’s perspective, it would be as if you were not logged into Tumblr. Let me stress that Missing e does not read your password, it only uses the credentials that tell Tumblr that you are currently logged in.
Just because an extension asks for these permissions does not mean it uses all of them!
Missing e does not access any data outside of www.tumblr.com, EXCEPT to get information from Tumblr-related pages and to check if there’s a new version of Missing e available.
Your browsing history
The Chrome Web Store Help says this:
This item could look at your browsing history. This warning is often a by-product of an item needing to open new tabs or windows.
What Missing e uses this permission for:
Pretty much exactly what that last bit from the Help says. Missing e uses this permission in order to open new tabs in your browser (for the Dash Links To Tabs feature, Reply Replies, Post Crushes, as well as opening the Missing e settings page).
I’m not entirely sure why opening tabs is linked to your browsing history, but that’s the way the browser is coded, I guess.
Your list of installed apps, extensions, and themes
The Chrome Web Store Help says this:
This item can read the list of themes, extensions, and apps that you have installed. It can’t install items, but it might enable, disable, uninstall, or launch items that you’ve installed.
This only applies to the Google Chrome version of Missing e. It checks if you have any of my old userscripts (that were replaced by Missing e) and asks you if you want to disable them for compatibility. It will not disable anything without your okay.
You don’t have to take my word for it. The Missing e code is open source and freely available to examine and download for yourself on GitHub.
If you believe that Missing e steals your private information or does anything you do not expect and do not want, please let me know in my askbox so I can fix the problem if there is one, or give you information that may help your understanding of the extension.
(via missing-e)
[Technical] Settings Files: XML, PHP and Cleverness
While I was working on the upcoming feature for importing/exporting Missing e settings, I came upon some interesting technical challenges. In case you are interested in the nitty-gritty of web development, you may want to read on.
The problem is this: what’s the best way to export and import settings automatically?
File Format - XML
Missing e settings are exported in XML format. Basically, XML is a document format that looks similar to HTML, but allows you to create your own arbitrary tag names. So long as you follow a valid XML scheme, there are tools out there to automatically parse these kinds of files (read them into easily scannable data).
The Missing e settings files will look like this:
<?xml version="1.0"?>
<missing-e>
  <setting>
    <name>MissingE_timestamps_enabled</name>
    <value>1</value>
  </setting>
</missing-e>
For any setting you’ve manually changed, a <setting> tag is emitted. Once in this format, the settings file is readable in just about any browser on any operating system!
Saving Your Settings
Okay, how do you save your settings? The problem is that the Missing e browser extension is written almost entirely in JavaScript. As a rule, JavaScript does not support reading or writing files on your computer. This is for the purpose of security. Can you imagine going to a website that can read anything from your hard drive or write anything to it? That would be immensely dangerous!
My first thought to get around this was to generate the settings XML file and display it in a new tab or window. From there, you would select all and copy the text, then paste it into a new file or directly into some sort of input box in another browser.
This seemed like it had too many steps for my users, though. Too much to explain. I figured that there must be a better way. So, my next thought was to automatically generate the settings and put it directly into your system’s clipboard (as if you selected and copied it, without actually having to do so). I got as far as implementing it on Google Chrome. It worked! Still, it seemed like too much effort to have to paste it into a file and then save it.
Finally, I came up with a better way. While it isn’t possible to create a file in JavaScript or automatically bring up the Save As… box, there is another option. I created a server script at tools.missinge.infraware.ca to which Missing e could send data, and which would respond by displaying your settings as an XML file.
The script is a single, fairly short PHP file. Generating the XML is the easy part, really. The neat trick is these lines at the beginning of the PHP code:
header("Content-Type: text/xml");
header("Content-Disposition: attachment; filename=missinge.xml");
These rewrite the headers (special bits of data that come along with responses when your browser asks the server for a web page) of the outputted page. The important one is Content-Disposition. You know how, when you click on a web link to a program or a zip file or something else your browser isn’t set up to view, it automatically asks you if you want to save it to your computer or open it with another program? That’s exactly what the Content-Disposition header does. It tells your browser not to open the file itself, but instead to ask if you want to save it to your computer. It even suggests a filename, so it automatically gets called missinge.xml!
On the Missing e settings page, there will be a special hidden tag called an IFRAME. You can’t see it, but it will be used to automatically load this server page, allowing the settings file to be saved to your computer without leaving the page or opening another tab or window.
Loading Your Settings
Well, that’s all well and good, but if saving your settings was hard, loading them is another thing entirely.
The first and simplest implementation I had was a simple HTML page with a big text box that you would paste the exported settings into. There would be code to read it in, parse the XML data and then use it to start applying changes to your settings. This is a lot more complex to implement than it sounds, and doesn’t make for an easy-to-use feature.
Later, when I was thinking about exporting the settings to your clipboard, I was also thinking of automatically retrieving them from the clipboard. Apparently, this is more difficult than exporting. Some users of the Chrome version of Missing e may have noticed a few days ago that an update of the extension asked for more permissions. This is because I accidentally left in a new permission requirement for reading the clipboard that I was playing around with. Turns out you don’t need more permissions to automatically copy to the clipboard, but you do need more to automatically paste from it.
Many users didn’t notice Chrome informing them that new permissions were required, so Chrome automatically disabled Missing e for those people! I realized very quickly that this would be a serious problem if I were to actually implement the import settings feature in this way.
Instead, I tried to think along the same lines as I did with that server-side PHP script I used for exporting settings. While I can’t read files from your computer or even use JavaScript to automatically receive files you’ve pointed at, I can upload the file you’ve selected to a server…. What good is that? Well, I added about 5 more lines to that PHP script I mentioned before to detect when a file was uploaded. If one is, all the script does is display the file it got back to you. Easy enough!
So, all you have to do to import your settings is to click a button, select the Missing e settings file in an Open File dialog box, and Missing e automatically uploads the file to tools.missinge.infraware.ca which just sends the file back to your browser. The Missing e code gets the document, then your web browser automatically parses the XML (there’s no need to write the code to do it, since most browsers can actually do this themselves with a loaded XML page) and I scan through it to get a list of all the setting names and values, which the Missing e background code uses to overwrite the existing settings.
Done and done.
Manually transferring your settings and actually copying and pasting things is for chumps, anyway.
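The import path described in this post takes a file the user picked, echoes it through a server, and overwrites live settings with whatever comes back, so the reader of that file is the place to be strict. The following is an added example, not Missing e's own code: a parser that accepts only the settings format shown above and overwrites only settings the extension already knows. The size limit, the name and value patterns, and the DEFAULTS object are assumptions made for illustration.

```javascript
// Added example, not Missing e's code: strict reader for the settings format above.
// The limits and the name/value patterns are assumptions chosen for illustration.
const MAX_CHARS = 64 * 1024;
const NAME_RE = /^MissingE_[A-Za-z0-9_]{1,64}$/;
const VALUE_RE = /^[^<>&]{0,256}$/; // plain text only: no markup, no entities
const ENTRY_RE =
  /\s*<setting>\s*<name>([^<]*)<\/name>\s*<value>([^<]*)<\/value>\s*<\/setting>\s*/y;

function parseSettings(xml) {
  if (typeof xml !== "string" || xml.length === 0 || xml.length > MAX_CHARS) {
    throw new Error("settings file is empty or too large");
  }
  // The format needs no DTD, entities, CDATA or comments, so refuse them outright.
  if (/<!DOCTYPE|<!ENTITY|<!\[CDATA\[|<!--/i.test(xml)) {
    throw new Error("unsupported XML construct");
  }
  const body = xml.replace(/^\uFEFF?\s*<\?xml[^?]*\?>/, "").trim();
  const root = /^<missing-e>([\s\S]*)<\/missing-e>$/.exec(body);
  if (!root) throw new Error("root element must be <missing-e>");

  const inner = root[1].trim();
  const settings = new Map();
  let pos = 0;
  while (pos < inner.length) {
    ENTRY_RE.lastIndex = pos; // sticky match: must start exactly at pos
    const m = ENTRY_RE.exec(inner);
    if (!m) throw new Error("unexpected content at offset " + pos);
    const name = m[1].trim();
    const value = m[2];
    if (!NAME_RE.test(name)) throw new Error("bad setting name: " + JSON.stringify(name));
    if (!VALUE_RE.test(value)) throw new Error("bad value for " + name);
    if (settings.has(name)) throw new Error("duplicate setting: " + name);
    settings.set(name, value);
    pos = ENTRY_RE.lastIndex;
  }
  return settings;
}

// Overwrite only settings the extension already knows; report the rest.
function applyImported(current, imported) {
  const next = Object.assign({}, current);
  const skipped = [];
  for (const [name, value] of imported) {
    if (Object.prototype.hasOwnProperty.call(current, name)) next[name] = value;
    else skipped.push(name);
  }
  return { next, skipped };
}

// Constructed sample: the setting from the post plus one unknown setting.
const SAMPLE = `<?xml version="1.0"?>
<missing-e>
  <setting><name>MissingE_timestamps_enabled</name><value>1</value></setting>
  <setting><name>MissingE_not_a_real_setting</name><value>x</value></setting>
</missing-e>`;
const DEFAULTS = { MissingE_timestamps_enabled: "0" }; // hypothetical defaults
```

Rejecting every value that contains & is a simplification: a real importer that needs such values would decode the five predefined XML entities instead.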
Permissions request in ‘Missing e’ for Chrome
Note: This only pertains to users of Missing e for Google Chrome
Last night, when I uploaded the new version 2.2.10 of Missing e, I made a bit of a mistake.
I was toying with a feature that would allow you to export and import Missing e settings automatically. In doing so, I accidentally left in a new permission request for access to the “clipboard”. I’ve since removed that in version 2.2.11. All of the other permissions required by Missing e have not changed!
The permissions normally required by Missing e sound a little over-the-top, but this post will explain why they are needed and how Missing e uses them: Security and Permissions in ‘Missing e’
For anyone that updated last night, Missing e may have been automatically disabled if you did not tell Chrome it is allowed to have this new permission. You need to re-enable it. Here’s how:
- Go to the Chrome menu (click on the wrench icon at the top right of your browser)
- In the menu, go to Tools and click on Extensions
- In the page that comes up, find Missing e and make sure that “Enabled” is turned on
If you did not update last night, this will most likely not affect you!
Security and Permissions in ‘Missing e’
I think it would be helpful to post about the security and permissions warnings on the Missing e installer pages. To explain them, I’ll use the warnings on the Chrome Store installation page (although a lot of this applies to the Safari and Firefox versions of Missing e).
The warnings say: This extension can access:
- Your data on all websites
- Your tabs and browsing activity
- Your list of installed apps, extensions, and themes.
Your data on all websites
The Chrome Web Store Help says this:
This item can read every page that you visit — your bank, your web email, your Facebook page, and so on. Often, this kind of item needs to see all pages so that it can perform a limited task such as looking for RSS feeds that you might want to subscribe to.
In addition, the Chrome Web Store Help also says this:
Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites.
What Missing e uses this permission for:
The permissions information on the Chrome Web Store site tells you the most that an extension is capable of doing.
In order to load information from Tumblr pages, Missing e must ask to be able to read information from any web domain. This is because, otherwise, it would not be possible for Missing e to load timestamps, the magnifier feature, the Better Reblogs reblog tags option and a number of other things for Tumblr blogs that have custom domains (like this one: http://blog.missinge.infraware.ca).
As for using your credentials (cookies), this means that when Missing e accesses Tumblr in the background, it does so using the same credentials that your browser automatically uses every time you load a Tumblr page. This is automatic. If Missing e did not do so, it would not be able to access anything on your Tumblr. From Missing e’s perspective, it would be as if you were not logged into Tumblr. Let me stress that Missing e cannot read your password, it only uses the credentials that tell Tumblr that you are currently logged in.
Just because an extension asks for these permissions does not mean it uses all of them.
Missing e does not access any data outside of www.tumblr.com, EXCEPT to get information from Tumblr-related pages.
Your browsing history
The Chrome Web Store Help says this:
This item could look at your browsing history. This warning is often a by-product of an item needing to open new tabs or windows.
What Missing e uses this permission for:
Pretty much exactly what that last bit from the Help says. Missing e uses this permission in order to open new tabs in your browser (for the Dash Links To Tabs feature, as well as opening the Missing e settings page).
Your list of installed apps, extensions, and themes
The Chrome Web Store Help says this:
This item can read the list of themes, extensions, and apps that you have installed. It can’t install items, but it might enable, disable, uninstall, or launch items that you’ve installed.
This only applies to the Google Chrome version of Missing e. It checks if you have any of my old userscripts (that were replaced by Missing e) and asks you if you want to disable them for compatibility.
You don’t have to take my word for it. The Missing e code is open source and freely available to examine and download for yourself on GitHub.
(via missing-e)