Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Is Too Slow At Clearing Junkware From the Chrome Extension Store

Posted by timothy on from the imperfect-world dept.

Mark Wilson writes Malware is something computer users — and even mobile and tablet owners — are now more aware of than ever. That said, many people do not give a second thought to installing a browser extension to add new features to their most frequently used application. Despite the increased awareness, malware is not something a lot of web users think of in relation to extensions; but they should.

Since the beginning of 2015 — just over three months — Google has already received over 100,000 complaints from Chrome users about 'ad injectors' hidden in extensions. Security researchers have also discovered that a popular extension — Webpage Screenshot — includes code that could be used to send browsing history back to a remote server. Google is taking steps to clean up the extension store to try to prevent things like this happening, but security still needs to be tightened up.

26 of 45 comments (clear)

  1. Cleaning? Or Emptying? by sanf780 · · Score: 1

    It looks like the ones behind Nada software were right: the only bug free software is the most useless one.

  2. ABOLISH HANGOUTS AND GO BACK TO TALK by Anonymous Coward · · Score: 1

    Please reckon with your failure!!!!

  3. CSI: Google by wonkey_monkey · · Score: 2

    Malware is something computer users are now more aware of than ever.

    You might say we're... *sunglasses* mal-aware of it.

    YEEEAAAAH!

    --
    systemd is Roko's Basilisk.
    1. Re:CSI: Google by zarthrag · · Score: 1

      You win.

      --
      Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
  4. why do "tech savvy" install these again? by alen · · Score: 1

    it's an application you store all your passwords in and yet you install extensions coded by some anonymous stranger you have never met with a web based email address? and you wonder why things go wrong?

    1. Re: why do "tech savvy" install these again? by Blaskowicz · · Score: 1

      Because some of the tech savvies recommend it. It allows one strong password per service instead of a small handful weak crappola ones. Not sure what to do then if you use another browser or another profile, or an unsafe browser on a random someone else's computer.

    2. Re: why do "tech savvy" install these again? by hairyfeet · · Score: 1

      You use Chrome (or Dragon, or Chromodo, or Firefox or Palemoon, those are the ones I know about) and simply have it sync across your devices? Its a hell of a lot better than the users only having a single password for everywhere or having to constantly deal with "I forgot my password, help me".

      And please don't bring up password managers as I have yet to see one where the user can 1.- just start surfing without having to deal with the manager, 2.- have the manager sync every new password and password change automatically between devices, and 3.- Do all of this without the user needing to babysit the thing. Remember folks that users will only put up with a tiny amount of irritation before they say "fuck it" and just use a single password they can always remember, so if its that or save in the browser? then let 'em save in the browser.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re: why do "tech savvy" install these again? by slaker · · Score: 1

      Lastpass and Roboform both seem pretty straightforward to me. I'm not a daily user of either, but one or the other of them seem to solve problems for the people who couldn't remember more than one password unless they were tattooed on their forehead.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  5. After writing a browser extension last year... by Scorpinox · · Score: 1

    Partway through writing a small browser extension last year, and realizing how much access they have to everything you look at, I stopped using all but a couple trusted browser extensions. Seriously, it was like 15 lines of code to take a screenshot of whatever page you're looking at and send it to a server every 2 seconds with no indication that anything is happening.

    Granted, you have to accept a permissions dialog, but most extensions ask for way too many permissions. That cloud-to-butt extension? It already has all the permissions it needs to send the text on every page to a database somewhere, and unless you carefully audit the source of every extension you install (obviously google isn't), you'd never notice, you're just trusting some extension author.

  6. Re:Buyer Beware by Voyager529 · · Score: 5, Informative

    Why do we need Google to be our App Nanny?

    Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.

    The faster they remove bad stuff, the more false positives they get in their removal process

    As long as the appeals process is clear and genuine false positives are handled in a timely manner, this isn't necessarily a bad thing.

    and independent developers will lose out in the process.

    Github, Sourceforge, and "a Godaddy domain with the free-tier hosting" will happily enable independent developers to avail their Chrome extensions for download. If that's not okay, Firefox still has a viable market share, even IE supports add-ons. Depending on 1.) Google, 2.) Chrome, and 3.) the first party Chrome repo to distribute one's browser extension seems foolish, especially when it's still perfectly viable to take any combination of those away from the equation and still get a browser extension into the hands of end users. When Chrome sections off the greater internet...then we can talk.

    Also, if I sound crabby and one sided about this, it's because half the users who have browser extensions have the malware-based ones that I need to remove because it keeps hijacking their search providers and home pages, injecting ads, and generally making a mess. I see this across every browser that supports extensions. While users should indeed be more vigilant about what they allow on their computer, I'll be okay with any measure to mitigate this problem that doesn't involve removing a manual override.

  7. increased awareness? by Tailhook · · Score: 2

    At what point did these monkeys "increase" their "awareness" about anything that didn't involve some cultural grievance? The only reason they aren't still opening every single word doc they receive is because the MUAs impede them enough to allow laziness to dominate.

    --
    Maw! Fire up the karma burner!
    1. Re:increased awareness? by The+New+Guy+2.0 · · Score: 1

      Apple holds back apps until they're approved... Google is getting caught adding things they shouldn't have and people are complaining about slow takedowns.

  8. Autoupdating is the biggest problem. by __Paul__ · · Score: 5, Interesting

    The really bad thing about Chrome is the way it is impossible to stop extensions from automatically updating.

    An extension can be perfectly good, when first installed, but if the author goes rogue, has a security breach or just sells the extension to a third party, there is no way to stop it from automatically updating.

    --
    worldmobilenet.com -- World Prepaid Wireless Internet plans
    1. Re:Autoupdating is the biggest problem. by Blaskowicz · · Score: 1

      I remember wondering if Windows Update can serve me malware ; not wondering if Android marketplace/Google Play does (in part because I don't use it), and now this.
      Do I know that rogue "security updates" will not show up in a linux package manager? It's amazing that it doesn't happen, or perhaps it would require an especially motivated attacker and some cryptography flaw.

    2. Re:Autoupdating is the biggest problem. by __Paul__ · · Score: 2

      It could easily happen. You're effectively giving the entire Debian / Ubuntu / Redhat / SuSE development team root access on your servers.

      --
      worldmobilenet.com -- World Prepaid Wireless Internet plans
    3. Re:Autoupdating is the biggest problem. by Dutch+Gun · · Score: 1

      Can Windows Update serve you malware? Yes.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  9. Re:Blocking ads is a must by The+New+Guy+2.0 · · Score: 1

    The puzzle from an ad buyer's point of view is trying to figure out who to serve their ads to... Television does this by putting together shows that appeal to different people, so sponsors can figure out who their product is for and match them up. Web ad services compile what you've looked at recently in order to show you offers that you're more likely to accept. Privacy is nice, but something's got to fuel commerce or there's nothing left to protect.

  10. Chrome for Windows blocks non-Store extensions by tepples · · Score: 3, Informative

    It's not Google saying, "only these extensions may install"

    Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store from May of last year?

    1. Re:Chrome for Windows blocks non-Store extensions by GuB-42 · · Score: 1

      Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store from May of last year?

      You can still do it, but it is more complicated now. Google took this measure to prevent installers from bundling unapproved chrome extensions.

  11. Re:Buyer Beware by Brulath · · Score: 2

    Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.

    Given you need to enable Developer Mode to install them from any source other than the Chrome extension store, they kind of are saying that.

  12. Re:Buyer Beware by slaker · · Score: 1

    There's a Windows tool called adwcleaner that takes less than five minutes to run and does a marvelous job of cleaning crap out of browser installations. It's usually the first step I take in cleaning off a Windows machine, but it works beautifully for getting irritating but not genuinely malicious stuff out of the way.

    I've actually made a document that I print out and hand to people whose machines I clean off. Probably 90% of the people I talk to have no idea that there's any such thing as a browser add-on or search extension.

    I've found that configuring Adblock+ with a decent set of subscription lists and Spybot's Immunizations (basically hosts file entries) do more to stop problems than probably any other steps I could take to stop problems on Windows machines.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  13. Re:A poorly-run "platform" just like Android/Play/ by slaker · · Score: 1

    Perhaps the advantage found in the garden with lower walls is the ability to do something outside the plans of the people in charge of the platform. One of my biggest turn-offs with iOS is its keyboard. The screen doesn't change to indicate upper or lower case characters. I have no idea who thinks that's a good idea, but on iOS there wasn't until very recently any ability to charge that. In the Android world, there are of great on screen keyboards. The idea that someone might want something else was simply outside Apple's vision.
    There are all kinds of tools that exist on Android because the whole thing is open to development. There are plenty of things that can't be done on iOS and Windows Mobile because no one considered the possibility that someone might want to do them. I believe that Android is the primary place where innovation is occurring in mobile devices at this point and most of that is because everything is open to be changed.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  14. Re:Buyer Beware by kav2k · · Score: 1

    Not true.

    You need Developer mode to install "unpacked" extensions, which essentially means "in development", with no auto-update.

    On Windows, they disabled the ability to install packaged extensions from other sources, Developer mode or not. unless you have a domain-level enterprise policy to whitelist some.
    On other platforms, you're free to install extensions from any source.
    On any platform, you're free to install Chrome Apps from any source. The reasoning being that apps do not silently run in parallel and with access to your browsing.

  15. Slow by bobmajdakjr · · Score: 1

    is still faster than Microsoft. The windows phone store is damn sad.

  16. They do not want feedback on scam- and malware by allo · · Score: 1

    tried to report an extension once. No chance, without logging in to a google (plus?) account.
    Your problem, google.

  17. Windows Home blocks editing Group Policy by tepples · · Score: 1

    You can install non-Store extensions in Developer Mode, but Google Chrome will automatically uninstall them when you close and reopen Google Chrome. There exists a workaround, but this workaround requires editing Group Policy, and editing Group Policy appears to require a Pro version of Windows. So you end up paying around $100 to Microsoft to have the ability to use a non-Store Chrome extension more than once.