Slashdot Mirror


Google Is Too Slow At Clearing Junkware From the Chrome Extension Store

Mark Wilson writes: Malware is something computer users — and even mobile and tablet owners — are now more aware of than ever. That said, many people do not give a second thought to installing a browser extension to add new features to their most frequently used application. Despite the increased awareness, malware is not something a lot of web users think of in relation to extensions; but they should.

Since the beginning of 2015 — just over three months — Google has already received over 100,000 complaints from Chrome users about 'ad injectors' hidden in extensions. Security researchers have also discovered that a popular extension — Webpage Screenshot — includes code that could be used to send browsing history back to a remote server. Google is taking steps to clean up the extension store to try to prevent things like this happening, but security still needs to be tightened up.

45 comments

  1. Cleaning? Or Emptying? by sanf780 · · Score: 1

    It looks like the ones behind Nada software were right: the only bug free software is the most useless one.

  2. ABOLISH HANGOUTS AND GO BACK TO TALK by Anonymous Coward · · Score: 1

    Please reckon with your failure!!!!

  3. No worries, Chrome was a moonshot by Anonymous Coward · · Score: 0

    And all is forgiven, right?

  4. Buyer Beware by edibobb · · Score: 0

    Why do we need Google to be our App Nanny? The faster they remove bad stuff, the more false positives they get in their removal process, and independent developers will lose out in the process.

    1. Re:Buyer Beware by Voyager529 · · Score: 5, Informative

      Why do we need Google to be our App Nanny?

      Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.

      The faster they remove bad stuff, the more false positives they get in their removal process

      As long as the appeals process is clear and genuine false positives are handled in a timely manner, this isn't necessarily a bad thing.

      and independent developers will lose out in the process.

      Github, Sourceforge, and "a Godaddy domain with the free-tier hosting" will happily enable independent developers to avail their Chrome extensions for download. If that's not okay, Firefox still has a viable market share, even IE supports add-ons. Depending on 1.) Google, 2.) Chrome, and 3.) the first party Chrome repo to distribute one's browser extension seems foolish, especially when it's still perfectly viable to take any combination of those away from the equation and still get a browser extension into the hands of end users. When Chrome sections off the greater internet...then we can talk.

      Also, if I sound crabby and one sided about this, it's because half the users who have browser extensions have the malware-based ones that I need to remove because it keeps hijacking their search providers and home pages, injecting ads, and generally making a mess. I see this across every browser that supports extensions. While users should indeed be more vigilant about what they allow on their computer, I'll be okay with any measure to mitigate this problem that doesn't involve removing a manual override.

    2. Re:Buyer Beware by Anonymous Coward · · Score: 0

      Why do we need Google to be our App Nanny?

      Because this is supposed to be a curated extension repository, not github or just some random software repository that anybody can put anything on where nobody is responsible for it. Though they don't have a particularly good record on things like this.

    3. Re:Buyer Beware by Brulath · · Score: 2

      Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.

      Given you need to enable Developer Mode to install them from any source other than the Chrome extension store, they kind of are saying that.

    4. Re:Buyer Beware by slaker · · Score: 1

      There's a Windows tool called adwcleaner that takes less than five minutes to run and does a marvelous job of cleaning crap out of browser installations. It's usually the first step I take in cleaning off a Windows machine, but it works beautifully for getting irritating but not genuinely malicious stuff out of the way.

      I've actually made a document that I print out and hand to people whose machines I clean off. Probably 90% of the people I talk to have no idea that there's any such thing as a browser add-on or search extension.

      I've found that configuring Adblock+ with a decent set of subscription lists and Spybot's Immunizations (basically hosts file entries) do more to stop problems than probably any other steps I could take to stop problems on Windows machines.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K

    5. Re:Buyer Beware by kav2k · · Score: 1

      Not true.

      You need Developer mode to install "unpacked" extensions, which essentially means "in development", with no auto-update.

      On Windows, they disabled the ability to install packaged extensions from other sources, Developer mode or not, unless you have a domain-level enterprise policy to whitelist some.
      On other platforms, you're free to install extensions from any source.
      On any platform, you're free to install Chrome Apps from any source. The reasoning being that apps do not silently run in parallel and with access to your browsing.

  5. Yup... by Anonymous Coward · · Score: 0

    I've had to remove many of those from my brother's PC. All of them are something like "ad punisher", which makes you think it'd be an adblock... but no, it put ads in webpages instead. I'm questioning where he even got those extensions, quite frankly, because he also has the legit adblock extension... My guess is Facebook.

  6. CSI: Google by wonkey_monkey · · Score: 2

    Malware is something computer users are now more aware of than ever.

    You might say we're... *sunglasses* mal-aware of it.

    YEEEAAAAH!

    --
    systemd is Roko's Basilisk.

    1. Re:CSI: Google by zarthrag · · Score: 1

      You win.

      --
      Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???

    2. Re:CSI: Google by Anonymous Coward · · Score: 0

      But if you're here, then who's posting asinine one-liners on reddit?

  7. why do "tech savvy" install these again? by alen · · Score: 1

    it's an application you store all your passwords in and yet you install extensions coded by some anonymous stranger you have never met with a web based email address? and you wonder why things go wrong?

    1. Re: why do "tech savvy" install these again? by Anonymous Coward · · Score: 0

      Why would the "tech savvy" have the browser save passwords?

    2. Re: why do "tech savvy" install these again? by Anonymous Coward · · Score: 0

      Even if he doesn't, why would he trust unknown code running on his computer?

    3. Re: why do "tech savvy" install these again? by Blaskowicz · · Score: 1

      Because some of the tech savvies recommend it. It allows one strong password per service instead of a small handful of weak crappola ones. Not sure what to do then if you use another browser or another profile, or an unsafe browser on a random someone else's computer.

    4. Re: why do "tech savvy" install these again? by hairyfeet · · Score: 1

      You use Chrome (or Dragon, or Chromodo, or Firefox or Palemoon, those are the ones I know about) and simply have it sync across your devices? It's a hell of a lot better than the users only having a single password for everywhere or having to constantly deal with "I forgot my password, help me".

      And please don't bring up password managers as I have yet to see one where the user can 1.- just start surfing without having to deal with the manager, 2.- have the manager sync every new password and password change automatically between devices, and 3.- Do all of this without the user needing to babysit the thing. Remember folks that users will only put up with a tiny amount of irritation before they say "fuck it" and just use a single password they can always remember, so if it's that or save in the browser? then let 'em save in the browser.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    5. Re: why do "tech savvy" install these again? by slaker · · Score: 1

      Lastpass and Roboform both seem pretty straightforward to me. I'm not a daily user of either, but one or the other of them seem to solve problems for the people who couldn't remember more than one password unless they were tattooed on their forehead.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K

  8. A poorly-run "platform" just like Android/Play/etc by StandardCell · · Score: 0

    I don't know what it is about Google-run platforms that makes them so awful, but they seem to shovel on tons of features with a corporate agenda but without the ability to really understand the underlying user experience. I'm not an Apple fan myself, but at least their app store for a non-jailbroken iOS device is much much cleaner from a malware perspective than the equivalent Android app stores. We aren't even talking about the ever-present developer inconsistencies version-to-version in the Android platform, especially for DRM and media playback, which make life hell for developers.

    In the desktop browser environment where average users have no idea what the root of trust really is other than "oh it's Google so it's ok", the potential for malware intrusion is huge and there's no excuse for this nonsense. Google's leadership needs to crack their whip at their product management and get things back on track so they not only test add-ons but randomly audit code for backdoors on the Play store and for Chrome add-ons if they want to retain customers' trust.

  9. After writing a browser extension last year... by Scorpinox · · Score: 1

    Partway through writing a small browser extension last year, and realizing how much access they have to everything you look at, I stopped using all but a couple trusted browser extensions. Seriously, it was like 15 lines of code to take a screenshot of whatever page you're looking at and send it to a server every 2 seconds with no indication that anything is happening.

    Granted, you have to accept a permissions dialog, but most extensions ask for way too many permissions. That cloud-to-butt extension? It already has all the permissions it needs to send the text on every page to a database somewhere, and unless you carefully audit the source of every extension you install (obviously Google isn't), you'd never notice, you're just trusting some extension author.
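
The over-permissioning described in the comment above is visible in an extension's manifest.json before any source audit. The following is an added example, not from the thread or from Chrome's own tooling, that flags sensitive API permissions and all-site host patterns; both manifests are constructed samples and the `SENSITIVE_APIS` list is an illustrative assumption, not an exhaustive one.

```python
import json

# Chrome API permissions that expose browsing activity (illustrative, not exhaustive).
SENSITIVE_APIS = {
    "tabs": "URL and title of every open tab",
    "history": "full browsing history",
    "webRequest": "observe requests to permitted hosts",
    "cookies": "read cookies for permitted hosts",
}

def is_broad_host(pattern):
    """True if a match pattern covers every site, e.g. <all_urls> or *://*/*."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API name such as "storage", not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"  # "*.example.com" is scoped to one domain, so not broad

def audit_manifest(manifest_text):
    """Return sorted findings for one manifest.json (manifest v2 or v3 keys)."""
    manifest = json.loads(manifest_text)
    findings = set()
    granted = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for perm in granted:
        if not isinstance(perm, str):
            continue  # skip any non-string permission entries
        if perm in SENSITIVE_APIS:
            findings.add(f"api:{perm} ({SENSITIVE_APIS[perm]})")
        elif is_broad_host(perm):
            findings.add(f"host:{perm} (access to all sites)")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if is_broad_host(pattern):
                findings.add(f"content_script:{pattern} (runs on every page)")
    return sorted(findings)

# Constructed sample: a text-replacement extension that runs on every page.
SAMPLE_BROAD = """{
  "name": "Word Swapper (constructed sample)", "manifest_version": 2,
  "permissions": ["tabs", "storage", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["swap.js"]}]
}"""

# Constructed sample: the same idea scoped to one site plus activeTab.
SAMPLE_SCOPED = """{
  "name": "Word Swapper Scoped (constructed sample)", "manifest_version": 2,
  "permissions": ["activeTab", "storage", "https://example.com/*"]
}"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_BROAD):
        print(finding)
    print(audit_manifest(SAMPLE_SCOPED))
```
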

    1. Re:After writing a browser extension last year... by Anonymous Coward · · Score: 0

      Wow lol

  10. Junkware by Anonymous Coward · · Score: 0

    (points at junkware) Hideki!

  11. Blocking ads is a must by Anonymous Coward · · Score: 0

    Ad blocking is a must until all ads stop tracking of any kind. Just show the ad. Let alone malvertising like this.

    1. Re:Blocking ads is a must by The+New+Guy+2.0 · · Score: 1

      The puzzle from an ad buyer's point of view is trying to figure out who to serve their ads to... Television does this by putting together shows that appeal to different people, so sponsors can figure out who their product is for and match them up. Web ad services compile what you've looked at recently in order to show you offers that you're more likely to accept. Privacy is nice, but something's got to fuel commerce or there's nothing left to protect.

    2. Re:Blocking ads is a must by Anonymous Coward · · Score: 0

      Whatever happened to a time when everything costed? I miss those days. I miss when things had a price UPFRONT. I want to be a customer, not the product. I would gladly pay for access to sites I like. This notion of free lunch sucks.

  12. increased awareness? by Tailhook · · Score: 2

    At what point did these monkeys "increase" their "awareness" about anything that didn't involve some cultural grievance? The only reason they aren't still opening every single word doc they receive is because the MUAs impede them enough to allow laziness to dominate.

    --
    Maw! Fire up the karma burner!

    1. Re:increased awareness? by The+New+Guy+2.0 · · Score: 1

      Apple holds back apps until they're approved... Google is getting caught adding things they shouldn't have and people are complaining about slow takedowns.

  13. Autoupdating is the biggest problem. by __Paul__ · · Score: 5, Interesting

    The really bad thing about Chrome is the way it is impossible to stop extensions from automatically updating.

    An extension can be perfectly good, when first installed, but if the author goes rogue, has a security breach or just sells the extension to a third party, there is no way to stop it from automatically updating.

    --
    worldmobilenet.com -- World Prepaid Wireless Internet plans

    1. Re:Autoupdating is the biggest problem. by Blaskowicz · · Score: 1

      I remember wondering if Windows Update can serve me malware; not wondering if Android marketplace/Google Play does (in part because I don't use it), and now this.
      Do I know that rogue "security updates" will not show up in a Linux package manager? It's amazing that it doesn't happen, or perhaps it would require an especially motivated attacker and some cryptography flaw.

    2. Re:Autoupdating is the biggest problem. by __Paul__ · · Score: 2

      It could easily happen. You're effectively giving the entire Debian / Ubuntu / Redhat / SuSE development team root access on your servers.

      --
      worldmobilenet.com -- World Prepaid Wireless Internet plans

    3. Re:Autoupdating is the biggest problem. by Dutch+Gun · · Score: 1

      Can Windows Update serve you malware? Yes.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    4. Re:Autoupdating is the biggest problem. by Anonymous Coward · · Score: 0

      Hosts file.

    5. Re:Autoupdating is the biggest problem. by Anonymous Coward · · Score: 0

      Don't tempt the apk.

  14. Solution: by Anonymous Coward · · Score: 0

    rm -rf /home/pub/chrome-extensions/

    Get rid of *all* Chrome extensions, aka "apps". Every single "app" is worthless.

  15. Chrome for Windows blocks non-Store extensions by tepples · · Score: 3, Informative

    It's not Google saying, "only these extensions may install"

    Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store from May of last year?

    1. Re:Chrome for Windows blocks non-Store extensions by GuB-42 · · Score: 1

      Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store from May of last year?

      You can still do it, but it is more complicated now. Google took this measure to prevent installers from bundling unapproved Chrome extensions.

  16. Youtube downloader by Anonymous Coward · · Score: 0

    But they are very quick to remove any Youtube downloader.

  17. Re:A poorly-run "platform" just like Android/Play/ by Anonymous Coward · · Score: 0

    I don't know what it is about Google-run platforms that makes them so awful

    Because they don't run them with an iron fist like Apple does. That's a good thing for developers because it makes it easier and more flexible for them but it means that end users then need to be much more knowledgeable and careful of something they really shouldn't need to know about. So the question then becomes: Is the advantage worth the tradeoff? Well I see a lot of great developer/tech/admin tools that you can get on Android that you can't on iOS for example, but I don't see what the specific advantage is to the average end user. Sure you can pontificate about how free software and the open market could theoretically benefit users and how a walled garden approach could theoretically harm users but in practice neither of these things actually happen.

    Point is that with the walled garden approach most users can do everything they need to and not have to really worry about malware so since the non-walled-garden approach has the proven clear and obvious disadvantage of needing to be concerned about malware there needs to be some explicit tangible advantage to the user to outweigh that and I'm not sure that exists.

  18. Re:A poorly-run "platform" just like Android/Play/ by slaker · · Score: 1

    Perhaps the advantage found in the garden with lower walls is the ability to do something outside the plans of the people in charge of the platform. One of my biggest turn-offs with iOS is its keyboard. The screen doesn't change to indicate upper or lower case characters. I have no idea who thinks that's a good idea, but on iOS there wasn't until very recently any ability to change that. In the Android world, there are of great on-screen keyboards. The idea that someone might want something else was simply outside Apple's vision.
    There are all kinds of tools that exist on Android because the whole thing is open to development. There are plenty of things that can't be done on iOS and Windows Mobile because no one considered the possibility that someone might want to do them. I believe that Android is the primary place where innovation is occurring in mobile devices at this point and most of that is because everything is open to be changed.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K

  19. Slow by bobmajdakjr · · Score: 1

    is still faster than Microsoft. The windows phone store is damn sad.

  20. They do not want feedback on scam- and malware by allo · · Score: 1

    Tried to report an extension once. No chance, without logging in to a Google (plus?) account.
    Your problem, Google.

  21. Windows Home blocks editing Group Policy by tepples · · Score: 1

    You can install non-Store extensions in Developer Mode, but Google Chrome will automatically uninstall them when you close and reopen Google Chrome. There exists a workaround, but this workaround requires editing Group Policy, and editing Group Policy appears to require a Pro version of Windows. So you end up paying around $100 to Microsoft to have the ability to use a non-Store Chrome extension more than once.