19 comments

  • ocdtrekkie 1381 days ago
    The reporter's experience with reporting Chrome Web Store malware reflects mine: Nobody at Google cares about malware enough to stop distributing it when people report it. The "Report Abuse" button probably goes straight to an unmonitored spam folder.

    Hint to anyone working on security at Google: It actually doesn't matter what obscure zero-days you discover and patch when you distribute malware directly that relies on supported functionality. There's no need to exploit security holes when malware is simply permitted as-is.

    Shut the Chrome Web Store down until you're prepared to take it seriously.

    • ghostwords 1381 days ago
      From a now year-old EFF blog post [1] regarding Chrome extensions and the Google Manifest V3 "proposal":

      The “Report Abuse” link doesn't seem to produce results, obfuscated code doesn't seem to trigger red flags, and no one responds to user reviews.

      [1]: https://www.eff.org/deeplinks/2019/07/googles-plans-chrome-e...

      • kevingadd 1381 days ago
        I wouldn't be surprised if their staff have no tooling for looking at user reviews, period. The UI for looking at user reviews of your own stuff as a developer is really, really bad and I know that in the past other Google properties have had this issue - YouTube annotations were invisible to their trust and safety staff, for example.
      • jpalomaki 1379 days ago
        Likely "report abuse" submissions are just one variable in a model that is used to determine the probability of an app being malicious.

        Or it might be that humans are just reviewing top N apps, sorted by number of reports.

    • classified 1381 days ago
      As long as everyone keeps using Chrome and its Web Store, Google won't change a thing. They don't exactly have a track record of listening to their users, to put it mildly.
      • jchook 1381 days ago
        AFAIK even Chromium won't let you install an extension directly from a website. You must download it, keep it somewhere, turn on dev mode, and "load unpacked extension". It won't sync across browsers, etc.

        Compare this to Firefox which will sign your extension and let you distribute it directly through your website with a user-friendly experience.

        • dessant 1381 days ago
          Firefox is way behind Chrome on this front. You can't permanently install a private extension in the release version of Firefox, unless you upload the source code to their servers for signing, and the unlisted extension complies with their developer policy.

          Mozilla's stance on extension signing is hostile to users, there are several extensions that got remotely blocked for loading code from Google Translate [1]. This is software that you privately install for your own use, and Mozilla blocks it remotely in your browser.

          They've also rolled out the new version of Firefox for Android which only supports a couple of extensions that they have whitelisted. I can no longer use the extensions I have developed and published on Firefox Addons, and I can only imagine the grief it is causing for less technical users that have suddenly lost the productivity tools that they've relied on.

          They've also disabled about:config in the new version of Firefox for Android, you can no longer configure the browser that way.

          [1] https://www.jeremiahlee.com/posts/page-translator-is-dead/

          • kevingadd 1381 days ago
            I agree with your perspective that the extension signing model is user-hostile, but under no circumstances should a signed extension be loading remote code, even if it's google translate. Maybe if the remote code is also signed and you're asserting that it matches a SHA256 hash... but at that point just bundle it into your extension.

            If you allow loading remote code into an extension there's no point in signing or review or any other security measures because the extension is just malware waiting to happen.

            If you absolutely must load remote code, load it in the page context where it doesn't have access to dangerous extension-only APIs. This is my PoV as someone who maintained a 100k-weekly-user Chrome extension for 3 years: I hate the Chrome Web Store but the 'no remote code' policy is correct and Mozilla is correct to also enforce it.

          • bscphil 1381 days ago
            > You can't permanently install a private extension in the release version of Firefox

            For what it's worth (admittedly not very much), you can build the release version of Firefox yourself while allowing extension sideloading without even changing any code, it's just the "MOZ_REQUIRE_SIGNING" option.

            Obviously this is not a real possibility for everyone, but I do it for this and getting rid of Pocket, along with a few other small changes.

            • zeta0134 1380 days ago
              You can also just run the Developer release, which is mostly meant for authoring new extensions, but does respect the about:config flag to disable signature checking.

              Mozilla is in a tough spot as a browser vendor, since a sizable portion of their userbase is actually well served by the restrictions. Happily it's also open source, allowing true power users to do what they want with minimal fuss.

              • dessant 1380 days ago
                I don't see how Mozilla is in a tough spot regarding user freedom, it's entirely possible to allow local extension installation and educate users about the associated risks, like other browsers do.

                Most people can live with the restrictions you impose on them, but the restrictions can still be misguided or thoughtless.

                • josefx 1380 days ago
                  > it's entirely possible to allow local extension installation and educate users about the associated risks, like other browsers do.

                  I think one of the issues is that users aren't the only ones that can install extensions locally. I think Mozilla even introduced this as a response to Microsoft pushing its own extensions into Firefox.

                  I don't like the restriction either, however most users are dealing with an actively hostile OS and any setting that could be set at runtime instead of compile time would just look like an open invitation to the OS.

                  • sukilot 1380 days ago
                    The solution to a hostile OS is to use a different OS (and Linux has WINE), not break your app.
                    • josefx 1380 days ago
                      Not an option for most Firefox users unless Wine gains a few thousand more active contributors.
            • bscphil 1380 days ago
              It's frankly hilarious that people are so touchy about this that this post got downvoted, even though it's just providing a helpful suggestion.
        • kwanbix 1381 days ago
          I don't know what version of chromium you use, but I can install without any problem.
    • grawprog 1381 days ago
      >The "Report Abuse" button probably goes straight to an unmonitored spam folder

      That seems generous, I just assumed you were filling out a form that just deleted itself when you clicked send.

      • wjsetzer 1381 days ago
        Even that's too generous. It's got to be just going to a socket somewhere that redirects to `/dev/null`
    • josefx 1381 days ago
      > Nobody at Google cares about malware enough to stop distributing it when people report it.

      It seems to be a rather important bullet point every time they need a reason to cripple ad blockers even more. Google solving this issue is like Nestle solving world hunger: directly counterproductive to its main goals.

    • dehrmann 1381 days ago
      > It actually doesn't matter what obscure zero-days you discover and patch when you distribute malware directly that relies on supported functionality.

      Zero-days are often used by state actors, so their impact is larger, but less visible.

      • drdaeman 1381 days ago
        Isn't it smaller?

        In my understanding, state-level actors are not exactly notorious for using exploits for mass surveillance (they use a little bit less controversial means to achieve this), zero-day stuff is typically for single valuable targets. Or am I wrong?

  • edoceo 1381 days ago
    As someone who's had difficulty publishing open-source software into the Google and Apple ecosystem I get super angry when a bunch of malicious crap-ware is found.

    Why do I have to go through a dozen iterations and emails and phone calls, yet garbage seems to get through w/o issue?

    Insert rant about their respective approval processes. I've read others on HN, so use one of them. The sentiment is the same.

    • swiley 1381 days ago
      The whole idea of these walled garden app stores is backwards and broken.

      People often compare them with distribution repos but those are very different: you have app authors engaging with the community to get their app published where here you have the communities petitioning corporations to allow their app to be published.

    • robotnikman 1381 days ago
      It's funny how a single developer publishing so many crap extensions doesn't trigger a ban from Google's automated bots, yet someone publishing a single legitimate extension will.

      I would think a single extension publisher with over 100 extensions would be a giant red flag in itself.

    • colechristensen 1381 days ago
      Now you know why contractor projects for the government and military usually come in late, under budget, and under performance:

      The key to succeeding in the business is excelling at navigating the interface which gets you in, not your final product.

    • nix23 1381 days ago
      >Why do I have to go through a dozen iterations and emails and phone calls yet garbage seems to get through w/o issue.

      Because you probably make software with a real function and not just 'Wallpapers'

      • ocdtrekkie 1381 days ago
        But presumably an extension for wallpapers shouldn't be accepted: If you can get rid of an entire class of extension code by supporting wallpapers... let people set their new tab wallpaper, block all new tab extensions that say "wallpaper", and tada, entire vector for malware gone.

        Extensions are a massive security vulnerability: They often have access to your web browsing activity, and they sit after TLS termination, inside your browser's trusted environment.

        Browser extensions should be rejected by default, and have to constantly justify their existence. Pointless extensions (including "cloud to butt", sorry guys), should never have been accepted.

  • ChuckMcM 1381 days ago
    FWIW, front running[1] Google ads, and to a lesser extent Bing ads, is big money. At Blekko we ran into these people all the time.

    What they wanted was to send the search query that the user had typed into Google to us, and have our advertising partners provide an Ad, and they would inject it ahead of Google's ads.

    For which they would share the revenue that the Ad partner was paid 50/50 with us. And for this service they said our cut would be $10K - $20K per week.

    The funny part was they required us to notify them immediately if Google changed its page layout because, well, they needed to blend in or the game was up. I wrote a Greasemonkey script to change the page background after ads had loaded on a Google search engine results page (SERP) and yup, you could see their ad sitting there.

    Of course Google would catch on, especially when people complained that Google was showing them ads for inappropriate products or whatnot, and Google would investigate and track down the front doing the injecting. The half life of these fronts seemed to be 6 months to a year depending on how greedy they got. The people behind the front would vanish and pop up under a new name somewhere else.

    The sad thing, for me, is that when you put your infosec hat on you realize it's super easy to phish an unsuspecting someone by sending fake mail from a friend for a cool backdrop or display toy. Once they are on the hook you can wait until they search for something on Google and inject a very nice result for them to click on that stops off at your drive by zero day site to pick up your payload and it's off to the races.

    [1] From the article -- "... then proceeded to quietly inject ads inside Google and Bing search results."

    • ocdtrekkie 1381 days ago
      What floors me is that Google is so lax on fixing the Chrome Web Store, when they're literally distributing things that hijack their primary business, search and ads.

      How is Chrome Web Store malware not a five-alarm fire that sends Sundar Pichai down into the cubicle farm to find someone's head to stick on a pike? Like, this should be THE issue that Google cares about.

      ...And malware that hijacks your search engine on Chrome has been all but unpoliced for most of the past decade.

      • ChuckMcM 1381 days ago
        It is difficult to understand. I know that when I worked there the way advancement worked (the only way to get a raise) was that you shipped a "new" thing. People who just fixed bugs never got recognition company wide, but people who shipped a new thing FULL of bugs? They got to go up on stage with Larry and be held up as someone who gets things done. (and get promoted)

        That had started changing by 2010. They at least had an official way to recognize one person a quarter, if they were nominated, for doing solid infrastructure work.

    • VWWHFSfQ 1381 days ago
      How long until Google just stops allowing Chrome extensions to run on their domains
      • wolco 1381 days ago
        You should earn an idea bounty.
    • techslave 1380 days ago
      > when people complain that Google was showing them ads for inappropriate products or what not and Google would investigate and track down the front doing the injecting

      Google listens to complaints? I suspect they discover these things internally, not from user reports.

      • ChuckMcM 1379 days ago
        The challenge of discovering it internally is you have to have the injector installed and it has to fire on queries.

        I believe Google is sensitive to complaints here due to legal jeopardy. That I am aware of, Google has been forbidden from showing advertisements from Canadian pharmacies and Payday Loan vendors. Both things which pay well for clicks and your basic slimeball Adtech guy is going to inject into Google pages when they think they might get a click.

  • andrenotgiant 1381 days ago
    Chrome team has tried to make some changes to improve the situation, but browser extensions are still a perfect target for malware and abuse because of a structural problem:

    Users install these (free) extensions on a whim, installation takes 2 clicks and seconds. They make a point-in-time decision: "I find this useful today, and I trust the extension is not malware today"

    But what they are really saying is: "I trust the (changeable) owner of this extension with whatever data this extension has access to forever and ever" (Nobody uninstalls these extensions, and now Chrome will even sync your extensions when you buy a new device.)

    It's the imbalance of that decision that is the problem, no amount of filtering and UI changes and API updates will fix that imbalance.

    • gorhill 1381 days ago
      > Chrome team has tried to make some changes to improve the situation

      The remote code execution ("RCE") capability requested by the extensions is programmatically detectable by simply looking up the `content_security_policy` key in their manifest (which is JSON format).

      The extensions had the following `content_security_policy` in their manifest:

          script-src 'self' https://fly-analytics.com;
      
      The best change the CWS can do to improve the situation is to forbid RCE capability in the first place -- such capability means that it's impossible to code review such extensions and conclude they are safe.

      Mozilla's policy is no-RCE allowed. I didn't try but I believe Mozilla's extension validator would programmatically reject any extension which asks for RCE through a manifest's `content_security_policy`.
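An added example (not code from this thread or from any extension) implementing the manifest check gorhill describes: read `content_security_policy` from an extension's manifest.json and flag any `script-src` source that would let the extension run code it did not ship. The manifest fragments are constructed; only the fly-analytics.com policy string is from the thread, and the Manifest V3 `extension_pages` handling goes beyond the MV2 case the comment shows.

```python
"""Flag extension manifests whose CSP lets the extension run code it did not ship.

Added example, not the thread's or any extension's code. Any `script-src` source that
is not 'self', 'none' or a content hash is reported as a remote-code capability.
Manifest fragments below are constructed; only the fly-analytics.com policy string
comes from the thread.
"""
from __future__ import annotations

import json
import re

# Keyword sources that keep script inside the package (or forbid it entirely).
LOCAL_SOURCES = {"'self'", "'none'"}
# A hash source pins the exact script bytes, so it cannot be swapped server-side.
HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")
# Keywords that let script run from strings or inline markup rather than a shipped file.
RISKY_KEYWORDS = {"'unsafe-eval'", "'unsafe-inline'"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "dir src src; dir src" into {directive: [sources]}.

    Directive names are case-insensitive; when a directive is repeated the first
    occurrence wins, which is how CSP consumers treat duplicates.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def extension_pages_csp(manifest: dict) -> str | None:
    """Return the policy governing extension pages, or None if the manifest sets none."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):   # Manifest V2: a single policy string
        return csp
    if isinstance(csp, dict):  # Manifest V3: {"extension_pages": "...", "sandbox": "..."}
        return csp.get("extension_pages")
    return None


def remote_code_findings(manifest: dict) -> list[str]:
    """Describe every script source that would let the extension run unshipped code.

    A manifest with no CSP key inherits Chrome's 'self'-only default, so it yields no
    findings. Otherwise script-src is inspected, falling back to default-src as CSP
    itself does when script-src is absent.
    """
    policy = extension_pages_csp(manifest)
    if policy is None:
        return []
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    findings = []
    for src in sources:
        if src in LOCAL_SOURCES or HASH_SOURCE.match(src):
            continue
        if src in RISKY_KEYWORDS:
            findings.append(f"script-src allows {src}")
        else:
            # A host, scheme or wildcard: somewhere to fetch script from, and whatever
            # is served there can change after the extension has been reviewed.
            findings.append(f"script-src permits remote script from {src}")
    return findings


# Constructed manifests. The first carries the policy string quoted in the thread.
FLY_ANALYTICS_MV2 = json.loads("""{
  "manifest_version": 2, "name": "Wallpaper new tab (constructed)", "version": "1.0",
  "content_security_policy": "script-src 'self' https://fly-analytics.com;"
}""")
EVAL_MV2 = json.loads("""{
  "manifest_version": 2, "name": "Eval sample (constructed)", "version": "1.0",
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}""")
CLEAN_MV3 = json.loads("""{
  "manifest_version": 3, "name": "Local-only sample (constructed)", "version": "1.0",
  "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}
}""")
NO_CSP_MV2 = {"manifest_version": 2, "name": "Default policy (constructed)", "version": "1.0"}


def review(manifest: dict) -> str:
    """Store-review verdict: REJECT when any finding exists, otherwise ok."""
    return "REJECT" if remote_code_findings(manifest) else "ok"


if __name__ == "__main__":
    for m in (FLY_ANALYTICS_MV2, EVAL_MV2, CLEAN_MV3, NO_CSP_MV2):
        print(f"{m['name']}: {review(m)}")
        for finding in remote_code_findings(m):
            print(f"  - {finding}")
```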

      • quotemstr 1381 days ago
        Won't help. You can always execute "code" if you try hard enough. Not all "code" is in the form of some JS file loaded into the extension context: it can be any custom sequence of instructions. There is no way to distinguish code from data.
    • _qulr 1381 days ago
      The Chrome Web Store is grossly understaffed. Google as a whole relies too much on automated processes rather than humans, but this is particularly a problem in the Chrome Web Store, because Google requires every extension to be distributed via the Store, but they just don't have the staff to review every extension properly. There's no way Google can "curate" the volume they handle, especially with their limited staffing.
      • kevingadd 1381 days ago
        After a fraudulent DMCA notice took my extension down, when it came back up it was flagged for manual review for another month or two. The manual review on bug fixes and updates took about a week per upload, and that was before they further scaled back investment in the Web Store. It's neglected in every possible way.
      • zentiggr 1381 days ago
        Then it's time to mark all but the most used and obviously trustable extensions as untrusted.

        Then they can take whatever staff they have, and review them properly.

        And accept the fallout of their staffing choice if it means drop in Chrome usage or whatever else.

        They want to leave a gaping malware hole, it's time to hold them accountable dammit.

        • ocdtrekkie 1381 days ago
          The problem here is tons of non-technical users get those untrusted extensions installed.

          The solution is to actually delist any extension they can't adequately review.

        • _qulr 1381 days ago
          > Then it's time to mark all but the most used and obviously trustable extensions as untrusted.

          That's basically what Firefox has done.

          • pritambaral 1381 days ago
            More, actually. Some excerpts from https://blog.mozilla.org/firefox/firefox-recommended-extensi... : "Our team evaluates all content under consideration for the Recommended Extensions program.", "... subject to ongoing re-evaluations to ensure they continue ...", "... not only perform as they promise, but do so at an exceptional level. For instance, there may be many ad blockers out there, but not all ad blockers are equally effective.", (and last but not the least) "... undergo full code review by staff security experts ..."
  • metaphor 1381 days ago
    Filtering the noise:

      ^.*(Tab|Theme|Wallpaper|Background).*$
    
    Residual signal:

      flbcjbhgomclbhlchggbmnpekhfeacim, "ScreenShot & Screen Capture Elite"
      adfjcmhegakkhojnallobfjbhenbkopj, "Weather forecast for Chrome™"
      bfeecodfffgkdedfhmgbfindokikafid, "GTA 5 Grand Theft Auto"
      bpnmalopmgpilaoikaeafokedkkonhea, "Sports Cars"
      cgdmknakejoaompdmdeddpgmjffnniab, "Suga"
      dapecdhpbakbfcoijjpdfoffnajhifej, "Avengers Endgame"
      eeeiekjkpbneogggaajnjldadjmclhlo, "Bts Suga"
      egicjjdcjhfdnejimnhngogjmoajffpm, "Video Downloader and MP3 converter Pro"
      ejighbgeedkpcambhfkohdalcgckdein, "Adblocker for YouTube - Youtube Adblocker"
      enlaekiichndcbohopenblignipkjaoa, "Auto Replay for YouTube"
      nfhbpopnbgigkljgmelpfncnghjpdopf, "Ad-block for YouTube - Youtube Ad-blocker Pro"
      ojhlagjgjbjfgllocdhlpnkbdlcipnmo, "Cars"
      pcgcmplcfdfkkkmaggghdghnlddkpbbo, "DBS and Dragon Ball Super"
    • LetThereBeNick 1381 days ago
      Filtering the noise:

          "ScreenShot & Screen Capture Elite",
          "Weather forecast for Chrome™",
          "GTA 5 Grand Theft Auto",
          "Sports Cars",
          "Suga",
          "Avengers Endgame",
          "Bts Suga",
          "Video Downloader and MP3 converter Pro",
          "Adblocker for YouTube - YouTube AdBlocker",
          "Auto Replay for YouTube",
          "Ad-block for YouTube - Youtube Ad-blocker Pro",
          "Cars",
          "DBS and Dragon Ball Super"
  • benjaminjackman 1381 days ago
    > However, the vast majority of the malicious extensions (245 out of the 295 extensions) were simplistic utilities that had no other function than to apply a custom background for Chrome's "new tab" page.

    So I have to make my own browser extensions just for one purpose, to set my own custom URL for the new tab page. This is also a problem in Firefox. It's quite unfortunate that browsers have moved so far from being user-agents, or at least from being somewhat attentive to the needs of more sophisticated users, that instead of getting more robust tooling for user style sheets, custom javascript, and APIs to block or modify requests, we are either forced into sketchy extensions that replicate the basic functionality or can't even do that because it's outright blocked.

    Heck, Firefox has what seem to be perpetually unfixable bugs with bookmarklets not working on CSP[1] sites (for example GitHub), which contradicts the spec and which never seems to be prioritized for being fixed.

    1: https://stackoverflow.com/questions/19822716/javascript-book...

    • kevingadd 1381 days ago
      Specs are wrong sometimes, and I think there's an argument to be made that the spec is wrong here. Firefox's policy re: bookmarklets on CSP sites is probably the best choice for protecting ordinary computer users, bookmarklets and javascript: urls are a common attack vector for targeting high-value websites like discord, slack and gmail (with the caveat that browsers have slowly locked down those attacks). Just open the developer console on discord sometime, they show an enormous message telling you not to paste stuff in there.

      I do think it would be worthwhile to have some sort of power user mode to override that for bookmarklets, but I can understand not wanting to invest resources in building it.

  • tedivm 1381 days ago
    The irony of Google spending so much money on Project Zero to call out other companies' security issues while they internally ignore their own.
    • ocdtrekkie 1381 days ago
      Project Zero is about making their competitors look bad, not helping the public. There's a reason they went after Fortnite immediately upon announcing they wouldn't distribute through the Google Play Store: Project Zero's job there was protecting Google's 30% revenue cut.

      There's nothing ironic when you understand the actual purpose, as opposed to what they claim it's about.

      • renewiltord 1381 days ago
        That makes no sense. The users who care about this are so much on the fringe that a single day's churn will probably wash them out.

        No one in the real world cares about some random CVE. "REMOTE CODE EXPLOIT!", security experts yell, while the vast majority of people just continue installing Bonzi Buddy 4.0 : The Return of the Bonz.

  • blakesterz 1381 days ago
    "In a technical analysis shared with ZDNet, AdGuard said all extensions loaded malicious code from the fly-analytics.com domain, and then proceeded to quietly inject ads inside Google and Bing search results."

    The original post has some details and recommendations:

    https://adguard.com/en/blog/fake-ad-blockers-part-3.html

    What I don't quite understand is how people make money from these things without getting caught. Is it not obvious where the money goes as people are getting paid from the fraud? Or is it more like no one cares?

    • tyingq 1381 days ago
      "What I don't quite understand is how do people make money from these things without getting caught?"

      I'm not sure it's illegal. And it's pretty clear Google doesn't care enough to review extensions.

    • dheera 1381 days ago
      Add

          0.0.0.0 fly-analytics.com
      
      to /etc/hosts
      • ffpip 1381 days ago
        My router has a built in word filter. So I just added:

        analytic, adservice, pixel, doubleclick, googlead, facebook, applauncher, Xiaomi, track, taboola and outbrain.

        This only applies to subdomains and domains (due to HTTPS).

        So adservice.google.com is blocked but google.com/adservice is allowed.

        • XCSme 1380 days ago
          So you have TrackMania, trackpad, race track blocked?
          • ffpip 1380 days ago
            If those are websites, then no. All websites are opened within my browser. The keyword thing applies only to apps.

            My browser (firefox) has DNS over HTTPS built in. So every request goes to cloudflare-dns.com.

            My router only sees these requests when I use Firefox - mozilla.cloudflare-dns.com

            I use uBlock Origin in Firefox. So I can control whatever I want within the browser.

            This is a very good approach to adblock on a whole network.

    • linuxftw 1381 days ago
      > quietly inject ads inside Google and Bing search results

      This is what Google and Bing do already, it's imperceptible to the average user.

      Are these 3rd party ad extensions any worse than Google or Microsoft? They all vacuum up your data and show your ads.

      • pirocks 1381 days ago
        Whilst I agree that this makes little to no difference to the average user, it is slightly different. One can sue Google/MS. Google/MS likely already have all your data while these randoms probably don't. Google/MS have security teams while whoever made these extensions probably doesn't.

        A more interesting question would be, if these extension makers were as transparent as Google/MS, were suable, and had decent security, would these extensions become okay? The answer is obviously no, but I'm not sure why.

  • Aaronstotle 1381 days ago
    Google doesn't care about the rampant spam extensions on the Android store/Chrome extension store.

    One of my co-workers reached out to me asking about a pop-up saying she needed to install a Chrome extension. I looked it up and it's some adware extension. Has 30 "reviews" with 5 stars and it's obvious that they're all paid/bot reviews.

  • jneplokh 1381 days ago
    If you just search for any legitimate extension, you find so much junk. One well-known example: Search for uBlock Origin and you will find a sketchy one named "uBlock."

    This seems something super easy to fix, but Google already has problems with apps on the Play Store, so not sure if I expect much better on the Web Store.

    • jefftk 1381 days ago
      It's complicated: uBlock is the original extension, and uBlock Origin is a fork by the original lead developer.

      At this point, uBlock is sketchy while uBlock Origin is well respected, but it seems hard to come up with a rule that would justify banning uBlock?

      • Dylan16807 1381 days ago
        Google doesn't have to allow all transfers of extensions between different groups. The behavior of the new owner could have justified transferring it back.
        • jefftk 1380 days ago
          Transferring it back from AdBlock to Chris Aljoudi? Or from Chris Aljoudi to Raymond Hill?
          • Dylan16807 1380 days ago
            Did AdBlock immediately do anything that wasn't intended to be authorized by Chris? I meant the latter.
            • jefftk 1380 days ago
              As far as I can tell, Chris didn't immediately do anything that would have justified transferring it back either. Raymond was sick of dealing with low quality support requests, and so transferred the project to Chris. Over time, Raymond didn't like the direction Chris was taking the project, however, and started recommending his uBlock Origin fork for general consumption.

              More context on how things were around the time of the initial transfer: https://github.com/gorhill/uBlock/issues/38#issuecomment-918...

      • jneplokh 1381 days ago
        Oh, never knew. Learn something everyday!

        Regarding the question, I do not know either. I guess a lot of it falls on the user, and not much can be done about that.

        Perhaps something like Mozilla's recommended extensions program (Apple already has to approve apps, so vetting is applied to Safari extensions, too) could be applied to the Chrome Web Store?

    • kevingadd 1381 days ago
      Solving the problem of shady extensions impersonating real extensions is pretty tricky. You could require trademark registration or something like that, or go with a first-come-first-serve policy, but those are both trivially exploited and raise the barrier to entry for small developers. The best you could do is just employ a bunch of very skilled review staff to look over individual extensions and try to figure out whether they are sketchy, but that is a difficult problem.

      On the iOS and Android app stores, a not-uncommon problem is that shady actors will claim the name of an upcoming app or game before it releases on the store, which makes it hard for the actual product to get added when it launches. In some cases this has forced a developer to rename their title.

      • jneplokh 1381 days ago
        I do not have much experience with app/extension regulation, of course, but I can imagine how it can get extremely difficult. Especially when you have so many users and developers.

        Even Apple's $99 fee does not prevent a ton of shady apps.

        > shady actors will claim the name of an upcoming app

        Huh, never heard of this. Do you have any links/readings about that?

        • kevingadd 1381 days ago
          https://www.gamasutra.com/view/news/316145/IGF_Awardwinning_...

          Another story I don't have an easily accessible news link for: A Chinese game studio launched US and Japanese versions of their title, and their original Japanese business partner registered the trademark themselves and tried to extort them with it. In the end they found a new partner and renamed the title (so it has a unique Japan-only name separate from the name used in other regions).

          • jneplokh 1381 days ago
            Interesting, thanks for sharing. I saw a tweet the other day about tricks to get around an app having the same name. Seems to be a somewhat common struggle.
      • forgotmypw17 1380 days ago
        f-droid seems to manage, somehow, even as a volunteer effort...
  • wnevets 1381 days ago
    295 spam extensions from probably the same developer is hardly newsworthy. Just look at the list rather than just reading the headline.

    With that said, after a fairly simple extension I had installed for many months upgraded itself automatically to replace links with "eco links" that supposedly helped the environment, I stopped installing extensions that weren't uBlock or from Google themselves. I'm much more willing to install a random app on my Windows machine than I am a random Chrome extension, that's just how untrustworthy I find the Chrome store to be.

  • ezekiel68 1381 days ago
    I don't mean to sound like a curmudgeon but, except for officially supported developer plugins, I just don't get the need or desire for all this browser extension bling. (though I guess I might have downloaded an SSH extension for the browser in my chromebook at some point) I suspect it's an extension of my embrace of the Unix philosophy (simple tools) to GUI programs. Anyway, I'm certainly happy these bad actors were exposed.
    • nine_k 1381 days ago
      But extensions do follow the Unix philosophy, if you look at them at a certain angle!

      - The browser does one thing it does well, which is showing (running?) web pages.

      - A typical extension does one thing (like annotating screenshots, or filtering trackers, or applying custom CSS), and does it hopefully well.

      - You collect the extensions you want, and safely ignore the others; they compose without a hitch.

      I run Firefox, and I run the following extensions, each doing its own narrow and separate thing:

      - A password manager extension to fill in credentials.

      - uMatrix for filtering out unneeded parts of Web pages (more for speed than for privacy).

      - Stylus for custom CSS on certain sites.

      - Foxy Gestures for mouse gestures.

      - Markdown Here to render Markdown pieces of input controls to HTML (works great with Gmail or Jira).

      Thank goodness I don't need to depend on whatever features the browser maker had time to provide to address similar needs, if any.

      I wish the browser was even more like Emacs, where you have a barebones editor (or browser) and most of the UX around is provided by extensions. I see how it's a much more complex task in the browser environment due to security considerations, though.

      • mjevans 1381 days ago
        I also use

        - Decentraleyes -- Local cache and forced use of common CDN scripts.

  • jve 1381 days ago
    This requires "change all data on the websites you visit", right?

    When I get asked for this permission for a utility function, I just refuse to install it. Only if I really trust the extension and know it needs that permission is when I give it.

    As for other extensions that ask for this permission, I keep wondering why they don't define a domain whitelist where this extension applies...

    • kevingadd 1381 days ago
      There is a domain whitelist function, it's rarely used because the ergonomics of it are terrible. Adjusting the whitelist disables your extension silently instead of showing a new permission prompt.

      I used the whitelist like a sensible developer and then when a website changed its URL my extension silently broke for 100k people. Not great.

  • timidger 1381 days ago
    Funny... filtering out these types of extensions was my intern project 2 years ago at Google.
  • badrabbit 1381 days ago
    Chrome has the windows popularity problem. I run into these extensions all the time but never with Firefox or classic edge. A lot of times they're sideloaded. They really should allow only extensions with a valid certificate so they can revoke them. They should also treat sideloaded extensions the same way they do sideloaded apps on android (explicit opt-in with warning).
  • dehrmann 1381 days ago
    Sounds like every browser toolbar from back in the day.
  • whalesalad 1381 days ago
    Another reason why I really love Safari. It's so incredibly lightweight. The ability exists to install extensions, but no one makes them. Head in the sand security. I guess you could say my experience is handicapped without extensions and add-ons, but the performance and no-bullshit-factor is impossible to match.
    • viraptor 1381 days ago
      > but the performance and no-bullshit-factor is impossible to match.

      I'd say having ublock and some privacy blocker enabled boosts the standard browsing performance quite a bit. It's not really available in stock browsers.

      • whalesalad 1381 days ago
        I have a gigabit internet connection and pihole setup for the whole LAN, so I’m feeling the boost over here too.
        • viraptor 1381 days ago
          Gigabit internet doesn't prevent a slow ad-injection script from reflowing everything on the page a second after you think it's done. Plus, Pi-hole can't block first-party content.