More malicious extensions in Chrome Web Store

216 points by campuscodi, almost 2 years ago

11 comments

anilshanbhag, almost 2 years ago
I am the developer of Voice In (https://chrome.google.com/webstore/detail/voice-in-speech-to-text-d/pjnefijmagpdjfhhkpljicbbpicelgko?hl=en), a Chrome extension with 300k+ users. Every month, I have 2-3 folks reach out asking for one of two things:

1) Something something Bing. Here is one from two days ago - https://imgur.com/a/KOwLRIC

2) They want anonymized web browsing data.

Google just yesterday sent out an email cracking down on this. From the email:

To better protect users' browsing experience, the Quality Guideline changes clarify that an extension's purpose is to provide complimentary functionality for the browsing experience and should not seek to hijack a user's browsing or search experience. This update aims to ensure that users have full control over their browsing sessions, without any unwarranted interruptions or manipulations. By enforcing this policy, we strive to foster a safer and more enjoyable environment for all Chrome users, where their trust and satisfaction remain our top priorities. Together, we can create a web ecosystem that respects users' autonomy and offers seamless browsing experiences that truly enhance their lives.
Comment #36147860 not loaded
Comment #36147388 not loaded
Comment #36149111 not loaded
Comment #36149913 not loaded
Comment #36147606 not loaded
Comment #36154203 not loaded
tjpnz, almost 2 years ago
I get a cold sweat whenever I use the Chrome Web Store. How do I know that what I'm downloading is legitimate and not malware that's been made to look like another well-known extension? The download counts aren't useful in determining that either; it's just a number, and who's to know that it hasn't been manipulated by bots? I'm wary of suggestions that Google could implement a meaningful review process. They claim to do that for ads, yet it's not unusual to see ads in search for software that's obviously malware.
Comment #36148436 not loaded
Comment #36150739 not loaded
Comment #36149958 not loaded
Comment #36147507 not loaded
kevingadd, almost 2 years ago
This will continue to get worse until Google takes security seriously on the Web Store. They don't meaningfully review uploads and they don't seem to staff it well in general - they take a very long time to process DMCA-related stuff, and when they *do* flag something for review (VERY rare) the review can take a very long time. Maybe it's unreasonable for me to expect them to invest money into running their "Store", but maintaining a reasonably popular extension for a while gave me a very low opinion of the whole service.

I have always gotten the impression that the Chrome Web Store is something they'd rather get rid of if extensions (especially ad blockers) weren't a necessary evil to maintain their market dominance in browsers. The install and update UX have always been kind of neglected and awkward, and the permissions model is bad. Manifest V3 "fixes" some of this, I guess.

As of today, if I go to the Chrome Web Store and try to install the recommended extensions on the front page, all of the ones I checked need to "read and change all my data on all websites" in order to do things like add a context menu option or run a connection speed test. There's no way for an ordinary user to tell the difference between "Chrome's permission model is garbage so every extension asks for this horrible permission" and "This extension is malicious and is actually going to read/change all my data".
Comment #36147190 not loaded
Comment #36147401 not loaded
Comment #36147286 not loaded
Comment #36147121 not loaded
lewantmontreal, almost 2 years ago
Wasn't Manifest V3 supposed to prevent dynamically loaded code? As the article says these extensions are featured, but (I think) the latest update to V3 says: "In January 2023, use of Manifest V3 will become a prerequisite for the Featured badge in the Chrome Web Store."

https://chromeos.dev/en/posts/manifest-v-3-migration-timeline-update
Comment #36148969 not loaded
Comment #36147825 not loaded
Comment #36147556 not loaded
Comment #36147853 not loaded
Joker_vD, almost 2 years ago
Every time I launch Chrome on one of my machines, it complains that an extension called "Privacy Test" has been disabled because of its dubiousness, reactivate/delete? I chose "Delete" every single time, and every single time it comes back at the next Chrome restart. Apparently, it somehow managed to store itself into my Google account's sync data, because after several hours of googling, apparently the only working way to get rid of it is to get a fresh Chrome install, *not* sync, then nuke all of the sync data.

If only there were a way to see what's actually in the sync data and manage it on a more fine-grained level instead of having only a single "delete all" button, or, you know, maybe Chrome could actually just bloody *uninstall* the extension I ordered it to uninstall? Maybe by the next century the technology will actually be there.
Comment #36149172 not loaded
Comment #36148502 not loaded
cm2012, almost 2 years ago
Okay, so funny story: I once worked with a company with insane security rules. 2FA every time you log into any program on your computer. I had to get fingerprinted to get a company laptop. No installation privileges. It goes on and on. And I was just a consultant with no access to code or anything; this was just to be able to attend meetings and see Google Docs.

Chrome extensions? No limitations at all, not even checked, add whatever you want.

I thought that was pretty funny.
ibejoeb, almost 2 years ago
I make a lot of extensions, and I still don't know how the screening happens in the various stores. It's not working well, whatever it is. Part of the solution ought to require a submission in source format for easier screening, either by people or AI. (It can be obfuscated in-store if that's really what the developer wants.)
Comment #36150316 not loaded
Comment #36151259 not loaded
zenapollo, almost 2 years ago
I don't understand why there's not an F-Droid-like store for open source Chrome extensions. All my most important extensions are open source. I try to find ones that are. But I'm not savvy enough to do checksums and all that, so I just trust the deployed app is the same one on GitHub.
Comment #36148609 not loaded
almenon, almost 2 years ago
Chrome really needs to introduce an extension denylist. The effect of malicious extensions would be less if you could exclude banking and other sensitive websites.

The current allowlist is not sufficient because some extensions need to work across most sites.
munro, almost 2 years ago
<><>incoming rant<><>

thank god i switched to firefox, not that i think their extension security is any better (naturally skeptic, as i assume everyone else is on here)

i'm tired of google, the ad revenue model is a parasite on society. i just went to their office last week for some lame ass workshop. this company is rotting inside out. they do shitty software consulting now? obv yes their core technology is still incredibly valuable, but how have we not just ripped that out of the company? (rhetorical) it's just an intuition, but i feel the end is nigh for google

/rant/
Comment #36148037 not loaded
Comment #36147705 not loaded
Comment #36150195 not loaded
Comment #36152181 not loaded
Comment #36147805 not loaded
Grom_PE, almost 2 years ago
I don't get how one is supposed to stay secure with the current way extensions work: all you have access to is a button that only installs and runs an extension, and at any point in time it may automatically update with malicious code after the author has agreed to transfer control to someone else for an enticing sum of money. It has happened several times before.

To fix this, I've made my own UserJS that changes the "install" button into "download CRX", then I unpack the CRX file and remove the autoupdate URL from it so the code stays as it was when I last looked at it. Sometimes the extension's job is not worth having an extra extension installed (each spawns its own separate background process), so I paste the code into a userscript or a conglomerate extension instead.

The Chromium-based browser I use, Vivaldi, prevents injecting user scripts into "chrome.google.com", so I have to change the string in the browser binary to something like "chrame.google.com". Then it works.
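The freeze-the-CRX workflow Grom_PE describes and the broad "read and change all your data on all websites" grant kevingadd mentions, combined in one added Python example that is not from the thread or from any extension named in it. It assumes the CRX2/CRX3 container layout (magic `Cr24`, a little-endian version, then either a length-prefixed header or a key and signature, then a plain ZIP), builds its own constructed, unsigned CRX3-shaped sample around a fictional manifest, and ends with the managed-Chrome `ExtensionSettings` policy whose `runtime_blocked_hosts` list is the per-site denylist almenon asks for; the host names and the policy file path are assumptions.

```python
"""Inspect a Chrome extension .crx offline: read the container header,
unzip the payload in memory, drop update_url so the unpacked copy stays
frozen, and flag host patterns that grant access to every site.
Added example; not code from the thread or from any real extension."""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

# Host patterns that amount to "read and change all my data on all websites".
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def crx_payload(data: bytes) -> bytes:
    """Return the ZIP archive embedded in a CRX2 or CRX3 file.

    CRX3: magic, uint32 version (3), uint32 header length, header, zip.
    CRX2: magic, uint32 version (2), uint32 key length, uint32 signature
          length, key, signature, zip.  All integers are little-endian.
    The signature is not verified here; this is a reviewer's unpacker.
    """
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        return data[12 + header_len:]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    raise ValueError(f"unsupported CRX version {version}")


def freeze_manifest(manifest: dict) -> dict:
    """Copy of the manifest without update_url, so the code stays as reviewed."""
    frozen = dict(manifest)
    frozen.pop("update_url", None)
    return frozen


def broad_host_access(manifest: dict) -> list:
    """Entries that grant access to every site.  MV2 puts host patterns in
    'permissions'; MV3 moves them to 'host_permissions'."""
    found = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                found.append(f"{key}: {entry}")
    return found


def inspect_crx(data: bytes) -> dict:
    """Unpack CRX bytes and report what a reviewer wants before installing."""
    with zipfile.ZipFile(io.BytesIO(crx_payload(data))) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        files = zf.namelist()
    return {
        "manifest": freeze_manifest(manifest),
        "had_update_url": "update_url" in manifest,
        "broad_host_access": broad_host_access(manifest),
        "files": files,
    }


def blocked_hosts_policy(hosts: list) -> dict:
    """Chrome ExtensionSettings policy denying every extension ('*') script
    access to the given host patterns (pattern form: scheme://host, no path)."""
    return {"ExtensionSettings": {"*": {"runtime_blocked_hosts": list(hosts)}}}


def sample_crx() -> bytes:
    """Constructed CRX3-shaped sample: zeroed header bytes instead of a real
    signed header, so only the container layout matches Chrome's output."""
    manifest = {  # fictional extension, constructed for this example
        "manifest_version": 3,
        "name": "Example Helper",
        "version": "1.0",
        "update_url": "https://example.invalid/updates.xml",
        "host_permissions": ["<all_urls>"],
        "permissions": ["storage"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// fictional placeholder\n")
    header = b"\x00" * 16
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_crx(sample_crx()), indent=2))
    # Assumed deployment: save as e.g. /etc/opt/chrome/policies/managed/hosts.json
    print(json.dumps(blocked_hosts_policy(["*://*.bank.example"]), indent=2))
```

Writing the frozen manifest and the other files out to a directory and loading it through "Load unpacked" is the commenter's step; `inspect_crx` stops at the report so the reviewer reads the code first. The policy half is a mitigation the thread does not mention: with `runtime_blocked_hosts` set for `*`, content scripts and host-permission requests from any extension are refused on the listed sites, which covers the banking case even for extensions that legitimately need broad access elsewhere.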