Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Google Security Software

Google Is Too Slow At Clearing Junkware From the Chrome Extension Store 45

Mark Wilson writes Malware is something computer users — and even mobile and tablet owners — are now more aware of than ever. That said, many people do not give a second thought to installing a browser extension to add new features to their most frequently used application. Despite the increased awareness, malware is not something a lot of web users think of in relation to extensions; but they should.

Since the beginning of 2015 — just over three months — Google has already received over 100,000 complaints from Chrome users about 'ad injectors' hidden in extensions. Security researchers have also discovered that a popular extension — Webpage Screenshot — includes code that could be used to send browsing history back to a remote server. Google is taking steps to clean up the extension store to try to prevent things like this happening, but security still needs to be tightened up.
This discussion has been archived. No new comments can be posted.

Google Is Too Slow At Clearing Junkware From the Chrome Extension Store

Comments Filter:
  • It looks like the ones behind Nada software were right: the only bug free software is the most useless one.
  • by Anonymous Coward

    Please reckon with your failure!!!!

  • Why do we need Google to be our App Nanny? The faster they remove bad stuff, the more false positives they get in their removal process, and independent developers will lose out in the process.
    • Re:Buyer Beware (Score:5, Informative)

      by Voyager529 ( 1363959 ) <voyager529@DALIyahoo.com minus painter> on Thursday April 09, 2015 @05:34PM (#49442263)

      Why do we need Google to be our App Nanny?

      Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.

      The faster they remove bad stuff, the more false positives they get in their removal process

      As long as the appeals process is clear and genuine false positives are handled in a timely manner, this isn't necessarily a bad thing.

      and independent developers will lose out in the process.

      Github, Sourceforge, and "a Godaddy domain with the free-tier hosting" will happily enable independent developers to avail their Chrome extensions for download. If that's not okay, Firefox still has a viable market share, even IE supports add-ons. Depending on 1.) Google, 2.) Chrome, and 3.) the first party Chrome repo to distribute one's browser extension seems foolish, especially when it's still perfectly viable to take any combination of those away from the equation and still get a browser extension into the hands of end users. When Chrome sections off the greater internet...then we can talk.

      Also, if I sound crabby and one sided about this, it's because half the users who have browser extensions have the malware-based ones that I need to remove because it keeps hijacking their search providers and home pages, injecting ads, and generally making a mess. I see this across every browser that supports extensions. While users should indeed be more vigilant about what they allow on their computer, I'll be okay with any measure to mitigate this problem that doesn't involve removing a manual override.

      • It's not Google saying, "only these extensions may install"

        Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store [slashdot.org] from May of last year?

      • Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.

        Given you need to enable Developer Mode [lifehacker.com] to install them from any source other than the Chrome extension store, they kind of are saying that.

        • by kav2k ( 1545689 )

          Not true.

          You need Developer mode to install "unpacked" extensions, which essentially means "in development", with no auto-update.

          On Windows, they disabled the ability to install packaged extensions from other sources, Developer mode or not. unless you have a domain-level enterprise policy to whitelist some.
          On other platforms, you're free to install extensions from any source.
          On any platform, you're free to install Chrome Apps from any source. The reasoning being that apps do not silently run in parallel and

      • by slaker ( 53818 )

        There's a Windows tool called adwcleaner that takes less than five minutes to run and does a marvelous job of cleaning crap out of browser installations. It's usually the first step I take in cleaning off a Windows machine, but it works beautifully for getting irritating but not genuinely malicious stuff out of the way.

        I've actually made a document that I print out and hand to people whose machines I clean off. Probably 90% of the people I talk to have no idea that there's any such thing as a browser add-on

  • by wonkey_monkey ( 2592601 ) on Thursday April 09, 2015 @05:05PM (#49442061) Homepage

    Malware is something computer users are now more aware of than ever.

    You might say we're... *sunglasses* mal-aware of it.


  • it's an application you store all your passwords in and yet you install extensions coded by some anonymous stranger you have never met with a web based email address? and you wonder why things go wrong?

  • I don't know what it is about Google-run platforms that makes them so awful, but they seem to shovel on tons of features with a corporate agenda but without the ability to really understand the underlying user experience. I'm not an Apple fan myself, but at least their app store for a non-jailbroken iOS device is much much cleaner from a malware perspective than the equivalent Android app stores. We aren't even talking about the ever-present developer inconsistencies version-to-version in the Android plat
  • Partway through writing a small browser extension last year, and realizing how much access they have to everything you look at, I stopped using all but a couple trusted browser extensions. Seriously, it was like 15 lines of code to take a screenshot of whatever page you're looking at and send it to a server every 2 seconds with no indication that anything is happening.

    Granted, you have to accept a permissions dialog, but most extensions ask for way too many permissions. That cloud-to-butt extension? It al

  • by Tailhook ( 98486 ) on Thursday April 09, 2015 @05:38PM (#49442301)

    At what point did these monkeys "increase" their "awareness" about anything that didn't involve some cultural grievance? The only reason they aren't still opening every single word doc they receive is because the MUAs impede them enough to allow laziness to dominate.

    • Apple holds back apps until they're approved... Google is getting caught adding things they shouldn't have and people are complaining about slow takedowns.

  • by __Paul__ ( 1570 ) on Thursday April 09, 2015 @05:46PM (#49442399) Homepage

    The really bad thing about Chrome is the way it is impossible to stop extensions from automatically updating.

    An extension can be perfectly good, when first installed, but if the author goes rogue, has a security breach or just sells the extension to a third party, there is no way to stop it from automatically updating.

    • I remember wondering if Windows Update can serve me malware ; not wondering if Android marketplace/Google Play does (in part because I don't use it), and now this.
      Do I know that rogue "security updates" will not show up in a linux package manager? It's amazing that it doesn't happen, or perhaps it would require an especially motivated attacker and some cryptography flaw.

      • by __Paul__ ( 1570 )

        It could easily happen. You're effectively giving the entire Debian / Ubuntu / Redhat / SuSE development team root access on your servers.

      • Can Windows Update serve you malware? Yes [arstechnica.com].

  • is still faster than Microsoft. The windows phone store is damn sad.
  • tried to report an extension once. No chance, without logging in to a google (plus?) account.
    Your problem, google.

The earth is like a tiny grain of sand, only much, much heavier.