Google just yesterday sent out an email cracking down on this. From the email:
> To better protect users' browsing experience, the Quality Guideline changes clarify that an extension's purpose is to provide complimentary functionality for the browsing experience and should not seek to hijack a user's browsing or search experience. This update aims to ensure that users have full control over their browsing sessions, without any unwarranted interruptions or manipulations. By enforcing this policy, we strive to foster a safer and more enjoyable environment for all Chrome users, where their trust and satisfaction remain our top priorities. Together, we can create a web ecosystem that respects users' autonomy and offers seamless browsing experiences that truly enhance their lives.
Well, Google has been introducing policy changes meant to restrict abuse of extension privileges for quite a while. It won’t help however as long as they don’t manage to enforce the policies effectively. These extensions have been at it for at least two years. It was already against Google’s policies back then. Users flagged these extensions back then already. Yet they remained in Chrome Web Store.
Note that I found one similar extension that was removed in March this year. I have no idea why Google removed it (it cannot be user complaints) or why they didn’t search Chrome Web Store for similar code.
> Together, we can create a web ecosystem that respects users' autonomy
Maybe 20 years ago I would've believed that coming from Google, but no, it's clear they're going full authoritarian to get users under their control like the rest of Big Tech and using the classic "security" argument to do it.
I wonder what Bing has to do with it and whether or not MS is even aware of any of this or if it is 'at arm's length'. For sure a great way to wreck your reputation, and likely you'll be blacklisted for life.
I get a cold sweat whenever I use Chrome Web Store. How do I know that what I'm downloading is legitimate and not malware that's been made to look like another well known extension? The download counts aren't useful in determining that either, it's just a number and who's to know that it hasn't been manipulated by bots? I'm wary of suggestions that Google could implement a meaningful review process. They claim to do that for ads, yet it's not unusual to see ads in search for software that's obviously malware.
I only use well known and very popular extensions. The security risk otherwise is just too big. Even those could have breaches but at least you would find out relatively quickly.
I think the major problem is that it is very difficult to view the source of an extension.
It should be just as easy as "view source" is for HTML pages. Require all extensions to use nicely formatted code with no minimalized JavaScript/CSS.
If you could look at the code, then for a lot of developers it would be easy to check if it looks reasonable or it looks like it sends browsing data to a server.
This will continue to get worse until Google takes security seriously on the Web Store. They don't meaningfully review uploads and they don't seem to staff it well in general - they take a very long time to process DMCA-related stuff, and when they do flag something for review (VERY rare) the review can take a very long time. Maybe it's unreasonable for me to expect them to invest money into running their "Store" but maintaining a reasonably popular extension for a while gave me a very low opinion of the whole service.
I always have gotten the impression that the Chrome Web Store is something they'd rather get rid of if extensions (especially ad blockers) weren't a necessary evil to maintain their market dominance in browsers. The install and update UX have always been kind of neglected and awkward, and the permissions model is bad. Manifest V3 "fixes" some of this, I guess.
As of today if I go to the Chrome Web Store and try to install the recommended extensions on the front page, all of the ones I checked need to "read and change all my data on all websites" in order to do things like add a context menu option or run a connection speed test. There's no way for an ordinary user to tell the difference between "Chrome's permission model is garbage so every extension asks for this horrible permission" and "This extension is malicious and is actually going to read/change all my data".
> They don't meaningfully review uploads and they don't seem to staff it well in general
Well, yeah; it's Google. Their entire approach to anything resembling support is to automate everything that can be automated, and utterly ignore anything that can't be.
The Chrome Web Store isn't really a store... it's not like Chrome can (or does) charge for extensions. The only ones that are commercial that I'm aware of are tied to external systems (password managers, note taking, etc), and it's not like Google gets a cut from that.
So the store will always be a cost center with net-negative revenue. Knowing this, how could they realistically review anything manually? The only model that has had some success in this regard has been the Apple App Store, which routinely gets vilified for its walled garden.
I'm not sure what the answer is here, but I'd pay extra for a more secure extension "store" for the (few) extensions that I use. Or pay more for the products I already pay for that provide extensions (1Password, Zotero, Pocket, etc...). But that would be a rounding error for Google's revenue, so I'm not holding my breath...
Wasn’t manifest v3 supposed to prevent dynamically loaded code? As the article says these extensions are featured but (I think) the latest update to v3 says: “In January 2023, use of Manifest V3 will become a prerequisite for the Featured badge in the Chrome Web Store.”
No. Manifest v3's main role was to cripple ad blockers... hence you're now seeing YouTube experiment with "anti-ad-blocker" popups warning users they wouldn't be able to see the site.
They know they got people by the balls after they rolled out v3 earlier this year.
Every time I launch Chrome on one of my machines, it complains that an extension called "Privacy Test" has been disabled because of its dubiousness, reactivate/delete? I chose "Delete" every single time, and every single time, it comes back at the next Chrome restart. Apparently, it somehow managed to store itself into my Google account's sync data, because after several hours of googling apparently the only working way to get rid of it is to get a fresh Chrome install, not sync, then nuke all of the sync data.
If only there was a way to see what's actually in the sync data and manage it on a more fine-grained level instead of having only a single "delete all" button or, you know, maybe Chrome could actually just bloody uninstall the extension I ordered it to uninstall? Maybe by the next century the technology will actually be there.
You have malware... It's software on your PC which is installing this extension again every time it sees it not present. Creating a new Chrome profile probably just tricks it because it is still installing it into the old profile.
Okay so funny story: I once worked with a company with insane security rules. 2FA every time you log into any program on your computer. I had to get fingerprinted to get a company laptop. No installation privileges. It goes on and on. And I was just a consultant with no access to code or anything, this is just to be able to attend meetings and see Google Docs.
Chrome extensions? No limitations at all, not even checked, add whatever you want.
I thought that was pretty funny.
I make a lot of extensions, and I still don't know how the screening happens in the various stores. It's not working well, whatever it is. Part of the solution ought to require a submission in source format for easier screening, either by people or AI. (It can be obfuscated in-store if that's really what the developer wants.)
Mozilla and Opera require source code to be uploaded along with the extension; there is some human component involved in the review there. My understanding is that the human review got considerably less over time however. According to an email I received lately, Mozilla is reintroducing pre-publication review for popular extensions however.
I always thought it to be odd that Google doesn’t ask for extension source code, even when an extension is flagged for review. No idea what kind of review they can perform this way.
I don’t understand why there’s not an F-Droid-like store for open source Chrome extensions. All my most important extensions are open source. I try to find ones that are. But I’m not savvy enough to do checksums and all that so I just trust the deployed app is the same one on GitHub.
It’s easy: Google owns the browser, so they decide which websites are allowed to install extensions. And Google decided a while ago that the only way to ensure your safety is allowing only Chrome Web Store as installation source. That’s it, installing extensions from third-party sources is so awkward that nobody will do it. Besides, automatic updates wouldn’t work anyway.
Chrome really needs to introduce an extension denylist. The effect of malicious extensions would be less if you could exclude banking and other sensitive websites.
The current Allowlist is not sufficient because some extensions need to work across most sites.
thank god i switched to firefox, not that i think their extension security is any better (naturally skeptic, as i assume everyone else is on here)
i'm tired of google, the ad revenue model is a parasite on society. i just went to their office last week for some lame ass workshop. this company is rotting inside out. they do shitty software consulting now? obv yes their core technology is still incredibly valuable, but how have we not just ripped that out of the company? (rhetorical) it's just an intuition, but i feel the end is nigh for google
/rant/
> how have we not just ripped that out of the company?
Because the US Gov wants it to stay alive and in business. Google has so much user data collected, and still counting, that no matter what, it will always be valuable to the gov.
I always get surprised when I see a tech fella is still using any google products like gmail or chrome despite the atrocity that company did (so is Facebook btw), I would understand your average user or your grandma using it, but any tech guy should abandon google as soon as they can.
It's not really better. There was a malware Instagram downloader in the extension repo for months. It might even still be there. Extensions are fraught with this kind of stuff, and without some kind of automated screening, it's always going to be an arms race.
I don't get how one is supposed to stay secure with the current way extensions work:
all you have access to is a button that only installs and runs an extension, and
at any point of time, it may automatically update with malicious code after the author has agreed to transfer control to someone else for an enticing sum of money. It happened several times before.
To fix this, I've made my own UserJS that changes the "install" button into "download CRX", then I unpack the CRX file and remove the autoupdate URL from it so the code stays as it was when I last looked at it.
Sometimes the extension's job is not worth having an extra extension installed (each spawns its own separate background process) so I paste the code into a userscript or a conglomerate extension instead.
The chromium-based browser I use, Vivaldi, prevents injecting user scripts into "chrome.google.com" so I have to change the string in the browser binary to something like "chrame.google.com". Then it works.
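The unpack-and-pin step described in the comment above, as an added example that is not part of the original post (my own code, not the commenter's UserJS): it splits a CRX2 or CRX3 container into its header and ZIP payload, deletes `update_url` from manifest.json so the pinned copy is never auto-updated, and reports the permissions and broad host patterns (the ones behind Chrome's "read and change all your data on all websites" prompt discussed earlier in the thread). The sample CRX is constructed inline with a zeroed header; the parser skips the signature data and does not verify it.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"
# Host patterns behind Chrome's "read and change all your data on all websites" prompt.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_crx(data: bytes) -> tuple[int, bytes]:
    """Return (container version, embedded ZIP). CRX2 = magic, version, pubkey_len, sig_len
    (uint32 LE each), pubkey, sig, ZIP; CRX3 = magic, version, header_len, protobuf header, ZIP."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        zip_start = 16 + key_len + sig_len
    elif version == 3:
        zip_start = 12 + struct.unpack_from("<I", data, 8)[0]  # signatures skipped, not verified
    else:
        raise ValueError(f"unsupported CRX version {version}")
    return version, data[zip_start:]


def manifest_of(zip_bytes: bytes) -> dict:
    return json.loads(zipfile.ZipFile(io.BytesIO(zip_bytes)).read("manifest.json"))


def host_patterns(manifest: dict) -> set[str]:
    """Host patterns from MV2 permissions, MV3 host_permissions and content_scripts matches."""
    found = {p for p in manifest.get("permissions", [])
             if isinstance(p, str) and ("/" in p or p == "<all_urls>")}
    found.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found


def pin_extension(crx: bytes) -> tuple[bytes, dict]:
    """Drop update_url (so the unpacked copy is never auto-updated) and report
    the permissions and broad host access the extension asks for."""
    _, zip_bytes = split_crx(crx)
    manifest = manifest_of(zip_bytes)
    report = {"removed_update_url": manifest.pop("update_url", None),
              "broad_hosts": sorted(host_patterns(manifest) & BROAD_HOST_PATTERNS),
              "permissions": sorted(p for p in manifest.get("permissions", []) if isinstance(p, str))}
    src, out = zipfile.ZipFile(io.BytesIO(zip_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():  # copy every file, rewriting only the manifest
            body = src.read(info) if info.filename != "manifest.json" else json.dumps(manifest, indent=2).encode()
            dst.writestr(info.filename, body)
    return out.getvalue(), report


def sample_crx() -> bytes:
    """Constructed CRX3 with a zeroed header (a real one carries keys and signatures)."""
    manifest = {"manifest_version": 2, "name": "Speed Test", "version": "1.0",
                "update_url": "https://clients2.google.com/service/update2/crx", "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("cs.js", "console.log('hello');")
    header = b"\x00" * 16
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

Unzip the returned bytes into a directory and load it via chrome://extensions "Load unpacked"; the pinned copy only changes when you replace it yourself.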
anilshanbhag | 2 years ago
1) Something something Bing. Here is one from two days ago - https://imgur.com/a/KOwLRIC
2) They want anonymized web browsing data.
namaria | 2 years ago
What a horrible word soup of toxic corporate speak...
NoZebra120vClip | 2 years ago
Did they really spell it that way? No monetization allowed?
lewantmontreal | 2 years ago
https://chromeos.dev/en/posts/manifest-v-3-migration-timelin...
palant | 2 years ago
Migration to Manifest V3 has been postponed; all these extensions (like most extensions in Chrome Web Store) are using Manifest V2.
Note that the changes in Manifest V3 are meant to prevent security vulnerabilities. Outright malicious extensions will always find a way.
rektide | 2 years ago
Disclaimer, I filed this issue. https://github.com/w3c/webextensions/issues/139
londons_explore | 2 years ago
See here: https://support.google.com/chrome/thread/169489366/privacy-t...