Google Temporarily Suspends Developers' Ability To Publish or Update Their Extensions On Chrome Web Store After Detecting 'At Scale' Fraudulent Transactions

An anonymous reader writes: The Google security team has indefinitely suspended the publishing or updating of any commercial Chrome extensions on the official Chrome Web Store following a spike in the number of paid extensions engaging in fraudulent transactions. Google said the wave of fraudulent transactions began earlier this month. Google engineers described the fraudulent transactions as happening "at scale."

"This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse," said Simeon Vincent, Developer Advocate for Chrome Extensions at Google. The ban on publishing or updating impacts all paid extensions. This includes Chrome extensions that require paying a fee before installing, extensions that work based on monthly subscriptions, or Chrome extensions that use one-time in-app purchases to get access to various features. Existing commercial extensions are still available for download via the official Chrome Web Store, however, extension developers can't push new updates.

Extensions are a bad idea.

[jellomizer]

Either implement the feature in your browser or not.

Extensions are always opening the door on a relatively secure browser to security problems.

Re:

[110010001000]

I don't mind extensions, but I limit them to "known good ones" (a.k.a source code available). You never know what maniac might take over and start pushing malware. I do wonder though who actually intentionally pays for an extension.

Follow the money

[shanen]

If I ever had a mod point to give (which I don't), I'd give you a positive one for that comment, even though I disagree with your definition of "known good ones". There's no way to know what the source code is unless you can trace the entire provenance of the extension you are installing. I believe this is the proper citation for the infamous Ken Thompson hack: https://www.win.tue.nl/~aeb/li... [win.tue.nl]

Actually, even if you have the source code, it doesn't matter unless you actually read and fully understand it. The

Re:

[Aighearach]

If I ever had a mod point to give (which I don't)

You have to have good enough Karma to get mod points. Try trolling less.

Public masturbation of 97333

[shanen]

Z^-1

Re:

[slack_justyb]

I don't mind extensions, but I limit them to "known good ones" (a.k.a source code available).

That is a large task. Knowing the ins and outs of any extension is taking on typically a large source code base. If you're able to digest the tome of source that usually follows an extension, more power to you. But knowing the ins and outs and keeping up with all of the updates along the way. That's just not a possibility for a vast majority of end users.

Re:

[ftobin]

Having one team try to develop everything a large, non-modular blob is a massive security risk. Do you want your OS maker to build your web browser? Any process you run in your OS is an "extension" of the OS.

Slashdot malware warning

[Malays Bowman]

There is currently a rogue ad or some other process that is redirecting Chrome users away from the normal Slashdot page. I have it blocked so it only goes to 127.0.0.1.

Re:Slashdot malware warning

[110010001000]

127.0.0.1 is my IP address! Stop sending me your crap.

Re:

[Malays Bowman]

I use multiple browsers, but yes I needed to warn about this because someone might end up getting whatever malware that the rogue process is trying to get on a /. user's machine.

  Of course Chrome does not have any way to stop this, as there are no extensions at all for Chrome to stop this behavior, and the built in functions that is supposed to protect users from this are as worthless as teats on a bull.

Fraud?

[smi.james.th]

I wonder what kind of fraud this is. My credit card was hit for two $91 payments towards the end of December, saying "GOOGLE Chrome" in the reference. I cancelled the card, reported the fraud and was refunded, but I was quite curious as to how the transactions came about. TFA is sparse on details though.

Re:

[whodat54321]

Yes, some fraud (because Google's security is fairly lax until it gets a significant number of complaints or gets pressured by credit card companies) is involved, but the principal driver seems to be the escalating wars on ad-blockers that is beginning to hurt their business model. Freeware/community software (ex: uBlock origin) seems to be left alone, but they'll find a way to shut them down too, if they get too much of a critical mass.

Re: Fraud?

[Malays Boweman]

Google needs to be attacking the shitware ad companies that force users to use Ublock Origin. Too bad we can't surf the web anymore without using a 'condom'. >:(

Re: Fraud?

[Malays Boweman]

I wonder how much it will cost Google when one of their server farms go down after being attacked by a botnet filled with infected machines?