Google just yesterday sent out an email cracking down on this. From the email:
To better protect users' browsing experience, the Quality Guideline changes clarify that an extension's purpose is to provide complimentary functionality for the browsing experience and should not seek to hijack a user's browsing or search experience. This update aims to ensure that users have full control over their browsing sessions, without any unwarranted interruptions or manipulations. By enforcing this policy, we strive to foster a safer and more enjoyable environment for all Chrome users, where their trust and satisfaction remain our top priorities. Together, we can create a web ecosystem that respects users' autonomy and offers seamless browsing experiences that truly enhance their lives.
Well, Google has been introducing policy changes meant to restrict abuse of extension privileges for quite a while. It won’t help however as long as they don’t manage to enforce the policies effectively. These extensions have been at it for at least two years. It was already against Google’s policies back then. Users flagged these extensions back then already. Yet they remained in Chrome Web Store.
Note that I found one similar extension that was removed in March this year. I have no idea why Google removed it (it cannot be user complaints) or why they didn’t search Chrome Web Store for similar code.
Removing extensions used by 55 million users is weighed against the loss of functionality provided by those extensions. Maybe Google just doesn’t want to piss off 55 million users (actually a lot more since, as you say, your list of compromised extensions is not complete)
Yes, much better to let 55 million users blame the browser for redirecting search queries, excessive ads, erratic behavior and data leaks. :-)
Funny thing is: I can imagine Google being fine with everything on this list but the first point. When it comes to hijacking search, Google is absolutely no fun.
> Together, we can create a web ecosystem that respects users' autonomy
Maybe 20 years ago I would've believed that coming from Google, but no, it's clear they're going full authoritarian to get users under their control like the rest of Big Tech and using the classic "security" argument to do it.
It is quizzical, isn't it? "Pervasive tracking of users goes against their autonomy". But what about when you do it? "We need to be able to keep the lights on, don't we? And anyways, users chose to visit our page, so they consented to any tracking" - how does any of that not apply to extensions the user installs?
The cognitive dissonance of being a company that makes all its money spying on users, has a profit motivation to prevent others from spying on users, and needing to pretend to take the moral high ground for PR reasons at the same time.
I wonder what Bing has to do with it and whether or not MS is even aware of any of this or if it is 'at arms length'. For sure a great way to wreck your reputation, and likely you'll be blacklisted for life.
I get a cold sweat whenever I use Chrome Web Store. How do I know that what I'm downloading is legitimate and not malware that's been made to look like another well known extension? The download counts aren't useful in determining that either, it's just a number and who's to know that it hasn't been manipulated by bots? I'm wary of suggestions that Google could implement a meaningful review process. They claim to do that for ads, yet it's not unusual to see ads in search for software that's obviously malware.
If they review that as fast as they close issues on bugzilla it can probably be years after an extension is hijacked and monetized while still being recommended.
I only use well known and very popular extensions. The security risk otherwise is just too big. Even those could have breaches but at least you would find out relatively quickly.
I think the major problem is that it is very difficult to view the source of an extension.
It should be just as easy as "view source" is for html pages. Require all extensions to use nicely formatted code with no minimalized javascript/css.
If you could look at the code, then for a lot of developers it would be easy to check if it looks reasonable or it looks like it sends browsing data to a server.
The Apple developer fee has little effect on malicious submissions, what it effectively does is prevent free (open source) software. You aren’t significantly safer, you are merely paying for software that would otherwise be available for free. Note that Google also has a developer fee for the Chrome Web Store, far more moderate however.
What helps is consistent human review, like Mozilla used to have it. But Google established that automated review should be enough, so there you are.
Peer review is the ultimate system here. Agreed so much.
What's just so frigging sad is that Google rewrote the rules of extensions to require very static capabilities- they broke all the user scripting systems & broke so many interesting systems- because they said they want to secure the users. But the oversight & review has never been that great.
And ultimately, they are just not able to function as both an app store and a critical in depth reviewer. The roles conflict. They can't both make available and tell the truth. It's really the role of peers to really help surface & explain the depths of what extensions do.
> The App Store is full of scam, misleading, data stealing apps.
It’s not. There are certainly apps like that in there, and Apple should certainly be doing a better job removing them, but it’s simply not true that it’s full of them.
Why must everything be taken to such an extreme? It’s okay to tell people that it’s not as good as it’s cracked up to be without exaggerating things like this.
> After I pay $99 for the subscription and share 30% of my revenue, I'm also expected to provide free work for a ~$3 trillion company.
Congrats! If you’re giving them 30% it means you must be earning over a million dollars a year through the App Store. People earning less than that only pay 15%.
Do an experiment: pick one category of apps, whatever category, and look at the top 10-20 apps in that category. Half of them will have misleading data disclosure (as in, they say they don't gather user data or don't track users, when in fact they do), fake reviews (easy to spot 5-star reviews with same/similar text), don't actually have the advertised functionality etc.
The same with search: do a keyword search on the App Store and see how many results actually match the query and how many are ads.
This is not just my opinion - it's fairly easy to find multiple security researchers documenting these cases.
I have spent countless hours (if not days) reporting apps to Apple - basically doing free work - when Apple touts their App Store security and review process.
Also, the parent comment I replied to mentioned the developer fees that make the App Store safer for users - that is what Apple marketing wants us to believe, the reality is very different though (and I say that with a heavy heart, as an iOS/macOS developer).
Apple could and should do better and, until they do, they have no right to pretend the App Store is safe.
I used Charles proxy (basically a "man-in-the-middle") to monitor the network requests and the data transmitted.
Also, some iOS apps support running on an Apple Silicon Mac (with M1/2) and, in a similar fashion, one can use various apps to block or inspect the network traffic.
Yes, it's a bit more work - hence my complaint about doing free work for a ~$3 trillion company - but I like to know what data the apps I'm running are sending home.
I know I'm a bit paranoid but hey, we all have issues, right ...right? :)
A million dollars in revenue (well, $700,000, right?) is a meaningless number in isolation. You have no idea what their costs are. For one thing, there’s the cost of search ads on the App Store, which you have to buy or else searches for your own app name will have your richest competitor on top. Thanks Apple. That’s courage.
As the developer - disclosure - of AKME, an iOS app that uses the OpenAI API, in a fairly private manner, I also noticed the myriad of apps that use misleading descriptions (as in, advertising the use of GPT-4, when, in fact, they use GPT-3.5 - ask me how I know), or don't actually use OpenAI at all (again, ask me how I know), buy reviews etc and charge users exorbitantly priced subscriptions.
Part of the generated profits are then invested in Search Ads, which pushes them to the top and tricks more users into downloading ...rinse and repeat.
I made sure my app has no tracking, users that have an OpenAI account can use their own API key (via a Bring-Your-Own-Key model) while those that don't have one can buy in-app tokens (if I may say, decently priced, taking into account the "Apple tax") while also investing a lot of work into crafting dedicated prompts to improve the quality of answers.
That'd be a smart criminal. This is a rare variety because a smart person has a better concept of consequences and better ways of making money than crime.
> ... a smart person has a better concept of consequences and better ways of making money than crime
There are so many examples of smart people disregarding the potential consequences to their actions, I would not know where to start.
Also, are you suggesting that someone with the brains and means to create an app and publish it in a store, will not fathom that their identity must be protected if they were to commit a crime?
You seem to think that all smart people are automatically successful, well-adjusted, moral people. You also seem to be implying that poverty or a failed life is the only incentive to commit crime, which again, is simply not true.
Intelligence is not a guarantee for success, mental health, or pretty much anything other than intelligence itself.
And motivations for crime include money, power, sex, clout, or just a straight up uncontrollable urge to do something.
And there's plenty of evidence of people who are clearly smart pulling off crime on a huge scale for decades without getting caught. As for evidence of the ones who haven't, well, you're not gonna find that information in public...
See Bernie Madoff, Jeffrey Epstein, several serial killers. Many of these have actually been IQ tested as well.
The only reason Madoff was caught was because of the 2008 financial crisis. Otherwise he could have kept running his ponzi scheme indefinitely. He completely played the SEC whenever they came sniffing.
I wouldn't say poverty or failed life is an incentive to commit crime?
> And motivations for crime include money, power, sex, clout, or just a straight up uncontrollable urge to do something.
A true scotsm... uhhh true smart person knows it's not required to commit crime to achieve success. Unless we are talking about some third countries like China or Russia. Actually for these two soon identity/cc theft may be the only way people can even have a developer account because accepting money from them would/should put Tim Cook in jail.
This will continue to get worse until Google takes security seriously on the Web Store. They don't meaningfully review uploads and they don't seem to staff it well in general - they take a very long time to process DMCA-related stuff, and when they do flag something for review (VERY rare) the review can take a very long time. Maybe it's unreasonable for me to expect them to invest money into running their "Store" but maintaining a reasonably popular extension for a while gave me a very low opinion of the whole service.
I always have gotten the impression that the Chrome Web Store is something they'd rather get rid of if extensions (especially ad blockers) weren't a necessary evil to maintain their market dominance in browsers. The install and update UX have always been kind of neglected and awkward, and the permissions model is bad. Manifest V3 "fixes" some of this, I guess.
As of today if I go to the chrome web store and try to install the recommended extensions on the front page, all of the ones I checked need to "read and change all my data on all websites" in order to do things like add a context menu option or run a connection speed test. There's no way for an ordinary user to tell the difference between "Chrome's permission model is garbage so every extension asks for this horrible permission" and "This extension is malicious and is actually going to read/change all my data"
> They don't meaningfully review uploads and they don't seem to staff it well in general
Well, yeah; it's Google. Their entire approach to anything resembling support is to automate everything that can be automated, and utterly ignore anything that can't be.
The Chrome Web Store isn't really a store... it's not like Chrome can (or does) charge for extensions. The only ones that are commercial that I'm aware of are tied to external systems (password managers, note taking, etc), and it's not like Google gets a cut from that.
So the store will always be a cost center with net-negative revenue. Knowing this, how could they realistically review anything manually? The only model that has had some success in this regard has been the Apple App Store, which routinely gets vilified for its walled garden.
I'm not sure what the answer is here, but I'd pay extra for a more secure extension "store" for the (few) extensions that I use. Or pay more for the products I already pay for that provide extensions (1Password, Zotero, Pocket, etc...). But that would be a rounding error for Google's revenue, so I'm not holding my breath...
I've been using Firefox since 1.0, yes. I still end up needing a Blink-based browser installed to do my day job and access government websites, though, which means Edge or Chrome.
Wasn’t manifest v3 supposed to prevent dynamically loaded code? As the article says these extensions are featured but (I think) the latest update to v3 says: “In January 2023, use of Manifest V3 will become a prerequisite for the Featured badge in the Chrome Web Store.”
No. Manifest v3's main role was to cripple ad blockers... hence you're now seeing YouTube experiment with "anti-ad-blocker" popups warning users they wouldn't be able to see the site.
They know they got people by the balls after they rolled out v3 earlier this year.
Thing is, you can't load javascript code... But you can easily write a mini virtual machine to run any code you download from the web. And due to javascript's introspection abilities, that VM can (if the developer wishes) do anything.
The simplest javascript bytecode interpreter is probably only a few hundred bytes, which is easy to hide in a big extension.
Every time I launch Chrome on one of my machines, it complains that an extension called "Privacy Test" has been disabled because of its dubiousness, reactivate/delete? I chose "Delete" every single time, and every single time, it comes back at the next Chrome restart. Apparently, it somehow managed to store itself into my Google account's sync data, because after several hours of googling apparently the only working way to get rid of it is to get a fresh Chrome install, not sync, then nuke all of the sync data.
If only there was a way to see what's actually in the sync data and manage it on a more fine-grained level instead of having only a single "delete all" button or, you know, maybe Chrome could actually just bloody uninstall the extension I ordered it to uninstall? Maybe by the next century the technology will actually be there.
You have malware... It's software on your PC which is installing this extension again every time it sees it not present. Creating a new Chrome profile probably just tricks it because it is still installing it into the old profile.
Nope, it's not, because it persists between clean Windows installs. In fact, using the chrome://sync-internals/ from the sibling comment, I can see a "Click&Clean App" in my Apps (not Extensions!), which has id "pdabfienifkbhoihedcgeogidfmibmhp" which id, if you open it in Google Store, leads to [0], which is a page for the Privacy Test extension. And I can't delete it from my profile, because Chrome lets you manage only Extensions, not Apps!
Okay so funny story: I once worked with a company with insane security rules. 2FA every time you log into any program on your computer. I had to get fingerprinted to get a company laptop. No installation privileges. It goes on and on. And I was just a consultant with no access to code or anything, this is just to be able to attend meetings and see google docs.
Chrome extensions? No limitations at all, not even checked, add whatever you want.
I make a lot of extensions, and I still don't know how the screening happens in the various stores. It's not working well, whatever it is. Part of the solution ought to require a submission in source format for easier screening, either by people or AI. (It can be obfuscated in-store if that's really what the developer wants.)
Mozilla and Opera require source code to be uploaded along with the extension, there is some human component involved in the review there. My understanding is that the human review got considerably less over time however. According to an email I received lately, Mozilla is reintroducing pre-publication review for popular extensions however.
I always thought it to be odd that Google doesn’t ask for extension source code, even when an extension is flagged for review. No idea what kind of review they can perform this way.
Back when I reviewed add-ons for Mozilla Add-ons, I did in fact verify that the source code produced the same build result as the extension submitted. Was tricky occasionally but usually worked well.
I don’t understand why there’s not an fdroid-like store for open source chrome extensions. All my most important extensions are open source. I try to find ones that are. But I’m not savvy enough to do checksums and all that so i just trust the deployed app is the same one on GitHub.
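The check described in the two comments above, that a published package matches what the public source builds, can be done file by file. This is an added example, not code from the thread or from any store; it assumes a byte-for-byte reproducible build, and that the store copy legitimately differs only by a `_metadata/` folder and the manifest keys `update_url` and `key`. The sample archives are constructed.

```python
import hashlib
import io
import json
import zipfile

# Assumptions for this example: differences that come from the store, not the developer.
STORE_ONLY_PREFIX = "_metadata/"
STORE_ONLY_KEYS = ("update_url", "key")

def file_digests(zip_bytes: bytes) -> dict:
    """Map each packaged file to its SHA-256, ignoring store-added material."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith(STORE_ONLY_PREFIX):
                continue
            body = z.read(info)
            if info.filename == "manifest.json":
                manifest = json.loads(body)
                for key in STORE_ONLY_KEYS:
                    manifest.pop(key, None)
                body = json.dumps(manifest, sort_keys=True).encode()  # canonical form
            digests[info.filename] = hashlib.sha256(body).hexdigest()
    return digests

def compare_packages(store_zip: bytes, build_zip: bytes) -> dict:
    """List files that exist on one side only or whose contents differ."""
    store, build = file_digests(store_zip), file_digests(build_zip)
    return {
        "only_in_store": sorted(store.keys() - build.keys()),
        "only_in_build": sorted(build.keys() - store.keys()),
        "changed": sorted(n for n in store.keys() & build.keys() if store[n] != build[n]),
    }

def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()

def sample_packages():
    """Constructed sample: a local build and a store copy that differs from it."""
    manifest = {"manifest_version": 3, "name": "Sample", "version": "1.0"}
    store_manifest = {**manifest, "update_url": "https://updates.example.invalid/crx"}
    build = make_zip({"manifest.json": json.dumps(manifest),
                      "background.js": "console.log('hello');\n"})
    store = make_zip({"manifest.json": json.dumps(store_manifest),
                      "background.js": "console.log('hello');\nimportScripts('lib/extra.js');\n",
                      "lib/extra.js": "// not in the public source\n",
                      "_metadata/verified_contents.json": "[]"})
    return store, build

if __name__ == "__main__":
    print(compare_packages(*sample_packages()))
```

An empty result in all three lists means the published files are the ones the source produces; anything listed is what a reviewer would read first.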
It’s easy: Google owns the browser, so they decide which websites are allowed to install extensions. And Google decided a while ago that the only way to ensure your safety is allowing only Chrome Web Store as installation source. That’s it, installing extensions from third-party sources is so awkward that nobody will do it. Besides, automatic updates wouldn’t work anyway.
Chrome really needs to introduce an extension denylist. The effect of malicious extensions would be less if you could exclude banking and other sensitive websites.
The current Allowlist is not sufficient because some extensions need to work across most sites.
thank god i switched to firefox, not that i think their extension security is any better (naturally skeptic, as i assume everyone else is on here)
i'm tired of google, the ad revenue model is a parasite on society. i just went to their office last week for some lame ass workshop. this company is rotting inside out. they do shitty software consulting now? obv yes their core technology is still incredibly valuable, but how have we not just rip that out of the company? (rhetorical) it's just an intuition, but i feel the end is nigh for google
>how have we not just rip that out of the company?
Because the US Gov wants it to stay alive and in business, google has so much user data collected and still counting, that no matter what, it will always be valuable to the gov.
I always get surprised when I see a tech fella is still using any google products like gmail or chrome despite the atrocity that company did (so is Facebook btw), I would understand your average user or your grandma using it, but any tech guy should abandon google as soon as they can.
It's shocking how bad it's become. Every google search feels like a bunch of random noise and clickbait. SEO and walled communities killed google search. Just wish there was a search engine that would effectively find info across all these walled sites. So much useful info hidden in discord, facebook communities, and slack chats.
Google has gotten bad, but YouTube search is just...I don't even know how to describe it. They've decided that when you search for something, only the top 2 results should be related to your search, and after that it should just go back to listing things that are otherwise in your recommended feed (totally unrelated to your search query).
It's not really better. There was a malware instagram downloader in the extension repo for months. It might even still be there. Extensions are fraught with this kind of stuff, and without some kind of automated screening, it's always going to be an arms race.
I don't get how one is supposed to stay secure with the current way extensions work:
all you have access to is a button that only installs and runs an extension, and
at any point of time, it may automatically update with malicious code after the author has agreed to transfer control to someone else for an enticing sum of money. It happened several times before.
To fix this, I've made my own UserJS that changes the "install" button into "download CRX",
then I unpack the CRX file and remove the autoupdate URL from it so the code stays as it was when I last looked at it.
Sometimes the extension's job is not worth having an extra extension installed (each spawns its own separate background process) so I paste the code into a userscript or a conglomerate extension instead.
The chromium-based browser I use, Vivaldi, prevents injecting user scripts into "chrome.google.com" so I have to change the string in the browser binary to something like "chrame.google.com". Then it works.
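The unpack-and-pin routine described in the comment above, together with the all-sites permission raised earlier in the thread, can be checked offline once the CRX file is downloaded. This is an added example, not the commenter's userscript or tooling; it assumes a `manifest.json` that is plain JSON, and the sample CRX, its name and its update URL are constructed.

```python
import io
import json
import struct
import zipfile

# Host patterns Chrome summarises as "read and change all your data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def crx_to_zip(data: bytes) -> bytes:
    """Strip the CRX container header and return the embedded ZIP archive."""
    if data[:4] == b"PK\x03\x04":  # already a plain ZIP
        return data
    if data[:4] != b"Cr24" or len(data) < 16:
        raise ValueError("not a CRX file")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 3:  # magic, version, header length, signed header, ZIP
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    elif version == 2:  # magic, version, key length, signature length, key, signature, ZIP
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + key_len + sig_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if data[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("header length does not lead to a ZIP archive")
    return data[offset:]

def audit_crx(data: bytes) -> dict:
    """Report the update URL and any all-sites host access declared in the manifest."""
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(data))) as z:
        manifest = json.loads(z.read("manifest.json"))
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3
    hosts |= {p for p in manifest.get("permissions", []) if isinstance(p, str)}  # V2 lists hosts here
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return {"update_url": manifest.get("update_url"), "broad_hosts": sorted(hosts & BROAD_HOSTS)}

def strip_update_url(zip_bytes: bytes) -> bytes:
    """Return a copy of the archive whose manifest no longer names an update URL."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            body = src.read(info)
            if info.filename == "manifest.json":
                manifest = json.loads(body)
                manifest.pop("update_url", None)
                body = json.dumps(manifest, indent=2).encode()
            dst.writestr(info.filename, body)
    return out.getvalue()

def build_sample_crx3() -> bytes:
    """Constructed sample: a CRX3 container with a dummy header around a tiny extension."""
    manifest = {"manifest_version": 3, "name": "Sample Speed Test", "version": "1.0",
                "permissions": ["contextMenus"], "host_permissions": ["<all_urls>"],
                "update_url": "https://updates.example.invalid/crx"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("background.js", "// constructed placeholder\n")
    header = b"\x00" * 24  # stands in for the signed header, which this example does not parse
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()

if __name__ == "__main__":
    crx = build_sample_crx3()
    print(audit_crx(crx))
    print(audit_crx(strip_update_url(crx_to_zip(crx))))
```

The signed header is skipped, not verified, so this shows what a package declares and says nothing about who published it.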
1) Something something Bing. Here is one from two days ago - https://imgur.com/a/KOwLRIC
2) They want anonymized web browsing data.