Google Is Too Slow At Clearing Junkware From the Chrome Extension Store
Mark Wilson writes: Malware is something computer users — and even mobile and tablet owners — are now more aware of than ever. That said, many people do not give a second thought to installing a browser extension to add new features to their most frequently used application. Despite the increased awareness, malware is not something a lot of web users think of in relation to extensions; but they should.
Since the beginning of 2015 — just over three months — Google has already received over 100,000 complaints from Chrome users about 'ad injectors' hidden in extensions. Security researchers have also discovered that a popular extension — Webpage Screenshot — includes code that could be used to send browsing history back to a remote server. Google is taking steps to clean up the extension store to try to prevent things like this happening, but security still needs to be tightened up.
Cleaning? Or Emptying? (Score:1)
ABOLISH HANGOUTS AND GO BACK TO TALK (Score:1)
Please reckon with your failure!!!!
Buyer Beware (Score:1)
Re:Buyer Beware (Score:5, Informative)
Why do we need Google to be our App Nanny?
Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.
The faster they remove bad stuff, the more false positives they get in their removal process
As long as the appeals process is clear and genuine false positives are handled in a timely manner, this isn't necessarily a bad thing.
and independent developers will lose out in the process.
Github, Sourceforge, and "a Godaddy domain with the free-tier hosting" will happily enable independent developers to avail their Chrome extensions for download. If that's not okay, Firefox still has a viable market share, even IE supports add-ons. Depending on 1.) Google, 2.) Chrome, and 3.) the first party Chrome repo to distribute one's browser extension seems foolish, especially when it's still perfectly viable to take any combination of those away from the equation and still get a browser extension into the hands of end users. When Chrome sections off the greater internet...then we can talk.
Also, if I sound crabby and one sided about this, it's because half the users who have browser extensions have the malware-based ones that I need to remove because it keeps hijacking their search providers and home pages, injecting ads, and generally making a mess. I see this across every browser that supports extensions. While users should indeed be more vigilant about what they allow on their computer, I'll be okay with any measure to mitigate this problem that doesn't involve removing a manual override.
Chrome for Windows blocks non-Store extensions (Score:4, Informative)
It's not Google saying, "only these extensions may install"
Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store [slashdot.org] from May of last year?
Re: (Score:2)
Did you miss the Slashdot article titled Google Starts Blocking Extensions Not In the Chrome Web Store [slashdot.org] from May of last year?
You can still do it, but it is more complicated now. Google took this measure to prevent installers from bundling unapproved Chrome extensions.
Windows Home blocks editing Group Policy (Score:2)
You can install non-Store extensions in Developer Mode, but Google Chrome will automatically uninstall them when you close and reopen Google Chrome. There exists a workaround [github.com], but this workaround requires editing Group Policy, and editing Group Policy appears to require a Pro version of Windows [google.com]. So you end up paying around $100 to Microsoft to have the ability to use a non-Store Chrome extension more than once.
Re: (Score:3)
Because they run the repository. It's not Google saying, "only these extensions may install", it's them having a centralized location for the ones they've approved.
Given you need to enable Developer Mode [lifehacker.com] to install them from any source other than the Chrome extension store, they kind of are saying that.
Re: (Score:2)
Not true.
You need Developer mode to install "unpacked" extensions, which essentially means "in development", with no auto-update.
On Windows, they disabled the ability to install packaged extensions from other sources, Developer mode or not, unless you have a domain-level enterprise policy to whitelist some.
On other platforms, you're free to install extensions from any source.
On any platform, you're free to install Chrome Apps from any source. The reasoning being that apps do not silently run in parallel and
Re: (Score:2)
There's a Windows tool called adwcleaner that takes less than five minutes to run and does a marvelous job of cleaning crap out of browser installations. It's usually the first step I take in cleaning off a Windows machine, but it works beautifully for getting irritating but not genuinely malicious stuff out of the way.
I've actually made a document that I print out and hand to people whose machines I clean off. Probably 90% of the people I talk to have no idea that there's any such thing as a browser add-on
CSI: Google (Score:3)
Malware is something computer users are now more aware of than ever.
You might say we're... *sunglasses* mal-aware of it.
YEEEAAAAH!
Re: (Score:2)
You win.
why do "tech savvy" install these again? (Score:2)
It's an application you store all your passwords in and yet you install extensions coded by some anonymous stranger you have never met with a web based email address? And you wonder why things go wrong?
Re: (Score:2)
Because some of the tech savvies recommend it. It allows one strong password per service instead of a small handful of weak crappola ones. Not sure what to do then if you use another browser or another profile, or an unsafe browser on a random someone else's computer.
Re: (Score:2)
Re: (Score:2)
Lastpass and Roboform both seem pretty straightforward to me. I'm not a daily user of either, but one or the other of them seem to solve problems for the people who couldn't remember more than one password unless they were tattooed on their forehead.
A poorly-run "platform" just like Android/Play/etc (Score:1)
Re: (Score:2)
Perhaps the advantage found in the garden with lower walls is the ability to do something outside the plans of the people in charge of the platform. One of my biggest turn-offs with iOS is its keyboard. The screen doesn't change to indicate upper or lower case characters. I have no idea who thinks that's a good idea, but on iOS there wasn't until very recently any ability to change that. In the Android world, there are of great on screen keyboards. The idea that someone might want something else was simply
After writing a browser extension last year... (Score:2)
Partway through writing a small browser extension last year, and realizing how much access they have to everything you look at, I stopped using all but a couple trusted browser extensions. Seriously, it was like 15 lines of code to take a screenshot of whatever page you're looking at and send it to a server every 2 seconds with no indication that anything is happening.
Granted, you have to accept a permissions dialog, but most extensions ask for way too many permissions. That cloud-to-butt extension? It al
Re: (Score:2)
The puzzle from an ad buyer's point of view is trying to figure out who to serve their ads to... Television does this by putting together shows that appeal to different people, so sponsors can figure out who their product is for and match them up. Web ad services compile what you've looked at recently in order to show you offers that you're more likely to accept. Privacy is nice, but something's got to fuel commerce or there's nothing left to protect.
increased awareness? (Score:3)
At what point did these monkeys "increase" their "awareness" about anything that didn't involve some cultural grievance? The only reason they aren't still opening every single word doc they receive is because the MUAs impede them enough to allow laziness to dominate.
Re: (Score:2)
Apple holds back apps until they're approved... Google is getting caught adding things they shouldn't have and people are complaining about slow takedowns.
Autoupdating is the biggest problem. (Score:5, Interesting)
The really bad thing about Chrome is the way it is impossible to stop extensions from automatically updating.
An extension can be perfectly good, when first installed, but if the author goes rogue, has a security breach or just sells the extension to a third party, there is no way to stop it from automatically updating.
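Added example (not part of the original comments, and not code from any real extension): the permission concern raised in the "After writing a browser extension" comment and the update concern raised just above can both be checked by reading an extension's `manifest.json` and comparing what two versions request. The manifests, the extension name and the function names below are constructed for illustration; the permission strings are standard Chrome manifest values.

```javascript
// API permissions that expose browsing data or page content.
const SENSITIVE_APIS = new Set(['tabs', 'history', 'cookies', 'webRequest',
  'webNavigation', 'bookmarks', 'downloads', 'management', 'clipboardRead']);

// Match patterns that cover every site the user visits.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Collect everything a manifest asks for: MV2 mixes hosts into "permissions",
// MV3 uses "host_permissions", and content scripts carry their own "matches".
function requestedAccess(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ].filter((p) => typeof p === 'string');
  return new Set(declared);
}

// Return the subset of requested access that is broad or sensitive.
function riskyAccess(manifest) {
  return [...requestedAccess(manifest)]
    .filter((p) => SENSITIVE_APIS.has(p) || ALL_SITES.has(p))
    .sort();
}

// Compare two versions of the same extension and report the access that the
// update adds, which is what an automatic update can change unnoticed.
function accessAddedByUpdate(oldManifest, newManifest) {
  const before = requestedAccess(oldManifest);
  const added = [...requestedAccess(newManifest)].filter((p) => !before.has(p)).sort();
  const riskyNow = new Set(riskyAccess(newManifest));
  return { added, riskyAdded: added.filter((p) => riskyNow.has(p)) };
}

// Constructed sample manifests for a hypothetical extension.
const v1 = {
  name: 'Example Extension (constructed)', version: '1.0', manifest_version: 2,
  permissions: ['activeTab', 'storage'],
};
const v2 = {
  name: 'Example Extension (constructed)', version: '1.1', manifest_version: 2,
  permissions: ['activeTab', 'storage', 'tabs', 'history', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }],
};

console.log(riskyAccess(v1));
console.log(accessAddedByUpdate(v1, v2));
```

Run against the `manifest.json` files of an installed version and a newly downloaded one, a non-empty `riskyAdded` list marks an update that deserves a manual look before it is trusted.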
Re: (Score:2)
I remember wondering if Windows Update can serve me malware; not wondering if Android marketplace/Google Play does (in part because I don't use it), and now this.
Do I know that rogue "security updates" will not show up in a Linux package manager? It's amazing that it doesn't happen, or perhaps it would require an especially motivated attacker and some cryptography flaw.
Re: (Score:3)
It could easily happen. You're effectively giving the entire Debian / Ubuntu / Redhat / SuSE development team root access on your servers.
Re: (Score:2)
Can Windows Update serve you malware? Yes [arstechnica.com].
Slow (Score:1)
They do not want feedback on scam- and malware (Score:2)
Tried to report an extension once. No chance, without logging in to a Google (plus?) account.
Your problem, Google.