Google purges bad extensions from Chrome

198 points, posted by angeNoble about 10 years ago

23 comments

dankohn1, about 10 years ago
This is fantastic news.

The Quick Note Chrome extension from Diigo (now removed) submits every URL visited to a third-party server, and those URLs are then crawled the next day.

We just switched our 25-member customer service team to Chromeboxes and were very concerned to find soon after that an EC2-based crawler was querying private URLs of our platform.

Because the Chrome Web Store had not banned bad actors like Diigo, we have now blacklisted all Chrome extensions except for a very small number that I personally approve. Rather than feeling that ChromeOS was improving our security, we had our chief software architect spend most of the weekend figuring out who was targeting our platform. (All queries received 404 errors, but we remained concerned whether the rogue extension could read the submitted form credentials or the cookie store to get access.)

Rogue extensions are wasting a huge amount of time and destroying trust in the Chrome platform. Here's some more detail on similar stories about Diigo:

https://chrisa.wordpress.com/2014/08/25/chrome-extensions-going-rogue/
https://mig5.net/content/awesome-screenshot-and-niki-bot

I am thrilled to see Google finally acting to restore trust in their platform.

Update: Google removed Diigo Quick Note, but still has Awesome Screenshot <https://chrome.google.com/webstore/search/diigo?hl=en-US>, which captures the identical data and sells it to third-party crawlers.
mmahemoff, about 10 years ago
"This extension will have access to your browsing history and private data on all websites".

Which is usually accompanied by the developer apologising and explaining they have to declare this in order to provide the extension's core functionality. Users then learn to ignore these warnings, and malicious extensions ensue.

I'm glad Google is taking malicious extensions seriously, but purging is a difficult semi-manual effort when extensions can update any time. A lot more effective would be to bake security into the whole model. Extensions shouldn't need to see your entire browsing history on all sites just to enhance some links or do syntax highlighting.

It should also be possible to request permissions on demand, and for certain URLs, instead of blanket-consenting before the extension is even installed. I know these things are a trade-off with simplicity, but they should at least be there for orgs and individuals who want to take advantage of them.
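An added example, not from the thread or from any real extension, of what the blanket grant looks like in a manifest next to the on-demand alternative mmahemoff asks for. Chrome's `optional_permissions` plus `chrome.permissions.request()` (both real APIs) let an extension declare a host pattern as optional and ask for a specific origin only when the user clicks, so the install-time warning covers only what the extension needs on day one. The two manifests, the audit rules and the fake `chrome` object used to drive the request are constructed for this example.

```javascript
// Added example (not from the thread): audit an extension manifest for the grants
// that produce the "access your browsing history and private data on all websites"
// warning, and show the on-demand alternative using optional_permissions.

// Host patterns that mean "every site the user visits".
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that expose URLs, history or traffic across all sites at install time.
const SENSITIVE_APIS = new Set(["tabs", "history", "webRequest", "webNavigation", "cookies"]);

// Returns a list of findings; an empty list means nothing blanket was requested.
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (BROAD_HOSTS.has(p)) {
      findings.push({ where: "permissions", item: p, issue: "install-time access to every site" });
    } else if (SENSITIVE_APIS.has(p)) {
      findings.push({ where: "permissions", item: p, issue: "install-time access to browsing history or requests" });
    }
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) {
        findings.push({ where: `content_scripts[${i}].matches`, item: m, issue: "script injected into every page" });
      }
    }
  });
  return findings;
}

// Does a Chrome match pattern such as "https://*/*" cover the requested origin?
// Deliberately simple: '*' becomes '.*', everything else is matched literally.
function patternCovers(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const re = new RegExp("^" + pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
  return re.test(origin);
}

// Chrome only grants at runtime what the manifest declared as optional.
function optionalCovers(manifest, origin) {
  return (manifest.optional_permissions || []).some(p => patternCovers(p, origin));
}

// On-demand grant. Must be called from a user gesture (e.g. a browser-action click);
// `chromeApi` is passed in so the function can be exercised outside a browser.
function requestHostAccess(chromeApi, manifest, origin) {
  if (!optionalCovers(manifest, origin)) {
    return Promise.reject(new Error(`${origin} is not covered by optional_permissions`));
  }
  return new Promise(resolve =>
    chromeApi.permissions.request({ origins: [origin] }, granted => resolve(Boolean(granted))));
}

// Constructed "before": a syntax highlighter that asks for everything at install.
const BROAD_MANIFEST = {
  manifest_version: 2, name: "Highlighter (broad)", version: "1.0",
  permissions: ["<all_urls>", "tabs", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["highlight.js"] }],
};

// Constructed "after": runs only on one site, may ask for more hosts later,
// and uses activeTab for one-click access to the current page without a warning.
const NARROW_MANIFEST = {
  manifest_version: 2, name: "Highlighter (narrow)", version: "1.0",
  permissions: ["storage", "activeTab"],
  optional_permissions: ["https://*/*"],
  content_scripts: [{ matches: ["https://github.com/*"], js: ["highlight.js"] }],
};

console.log("broad:", auditManifest(BROAD_MANIFEST));
console.log("narrow:", auditManifest(NARROW_MANIFEST));
```

The audit is a heuristic, not Chrome's own warning logic: it flags the patterns that, in practice, produce the scary install prompt. Note the asymmetry the comment points at: the narrow manifest can still end up with access to many sites, but only one origin at a time and only after the user says yes to each.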
wiradikusuma, about 10 years ago
Just FYI, there are many cases of malware (presumably browser extensions) targeting online banking in Indonesia recently. The typical flow is like this:

1. The user logs in to his/her online banking website.
2. The malware gets triggered and phones home with the user's credentials.
3. The bad guy logs in using the user's credentials on his own computer.
4. The bad guy initiates a bank transfer from the user's account to his account.
5. The bad guy is presented with "enter auth code" to confirm the transaction.
6. The malware pops up "Verify your auth code" on the user's computer.
7. Thinking "it must be a new method from my bank", the user types his/her auth code.
8. The auth code gets sent to the bad guy, allowing him to complete the transaction.
9. Profit.

Even tech-savvy people can be victims if they are careless.
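The flow above is invisible to the bank at the moment the victim types the code into the malware's popup, but it leaves a bank-side trace: the stolen credentials are replayed from the attacker's machine within minutes of the victim's own login, so the account briefly has two live sessions from different IPs, and the transfer comes from the second one. This added example, not from the thread, is a detector for that pattern over a constructed event stream (accounts, sessions and IPs are made up; IPs use RFC 5737 documentation ranges).

```javascript
// Added example (not from the thread): flag transfers made from a session whose
// login came from a different IP than another login for the same account shortly
// before. This is the bank-side symptom of credential replay by malware.

function parseTime(iso) { return Date.parse(iso); }

// `events` is a mix of {type:"login", account, ip, session, t} and
// {type:"transfer", account, session, amount, t}. Returns one alert per transfer
// that was made from a session with a concurrent, different-IP login within windowMs.
function findReplayedSessions(events, windowMs = 15 * 60 * 1000) {
  const logins = new Map();     // account -> [{ ip, session, t }]
  const sessionIp = new Map();  // session -> ip that created it
  const alerts = [];
  const sorted = [...events].sort((a, b) => parseTime(a.t) - parseTime(b.t));
  for (const e of sorted) {
    if (e.type === "login") {
      sessionIp.set(e.session, e.ip);
      const list = logins.get(e.account) || [];
      list.push({ ip: e.ip, session: e.session, t: parseTime(e.t) });
      logins.set(e.account, list);
    } else if (e.type === "transfer") {
      const ip = sessionIp.get(e.session);
      const t = parseTime(e.t);
      // Another login for the same account, from another IP, in the recent past.
      const others = (logins.get(e.account) || [])
        .filter(l => l.ip !== ip && t - l.t >= 0 && t - l.t <= windowMs);
      if (others.length > 0) {
        alerts.push({ account: e.account, session: e.session, transferFrom: ip,
                      otherIp: others[0].ip, amount: e.amount });
      }
    }
  }
  return alerts;
}

// Constructed sample: acct-1 logs in from home, three seconds later the same
// account logs in from elsewhere and that second session moves money. acct-2 is
// a normal login and transfer from one IP.
const SAMPLE_EVENTS = [
  { t: "2015-04-10T09:00:00Z", type: "login", account: "acct-1", ip: "203.0.113.5", session: "s1" },
  { t: "2015-04-10T09:00:03Z", type: "login", account: "acct-1", ip: "198.51.100.9", session: "s2" },
  { t: "2015-04-10T09:04:30Z", type: "transfer", account: "acct-1", session: "s2", amount: 2500 },
  { t: "2015-04-10T09:10:00Z", type: "login", account: "acct-2", ip: "192.0.2.44", session: "s3" },
  { t: "2015-04-10T09:12:00Z", type: "transfer", account: "acct-2", session: "s3", amount: 40 },
];

console.log(findReplayedSessions(SAMPLE_EVENTS));
```

A rule this simple will also fire for a customer who is logged in on both phone and laptop, so in practice it is a scoring signal to combine with device fingerprints or a step-up challenge on the transfer, not an automatic block. What it cannot catch is the second half of the comment's flow, the auth code being typed into a fake prompt, since that never reaches the bank from the victim's machine.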
bad_user, about 10 years ago
> "You would expect that an extension that injects or replaces advertisements is malicious, but then you have AdBlock that creates an ad-free browsing experience and is technically very similar."

AdBlock is very clear in what it does and users install it because they want to block ads, whereas users are usually not aware when an extension injects ads. As a note, the Awesome Screenshot extension for Firefox asks you if you want ads injected, probably because of Mozilla's review process, whereas the Chrome version does not.

It's one thing for websites to be deprived of the opportunity to make money from your eyeballs, with your consent; it's quite another for those same websites to generate money unknowingly for an obscure third party. We are probably talking about copyright infringement done for commercial, for-profit reasons.

Google is annoying me lately. I now use Firefox on my Android and I do that because AdBlock Plus and uBlock work on it, whereas Chrome for Android still doesn't have plugins, probably because they don't want ad blockers in it.
angeNoble, about 10 years ago
Does anyone know where one could find a list of offending plugins? I tried, but came up empty-handed.
ocdtrekkie, about 10 years ago
Should say "Google does a lousy job purging bad extensions from Chrome". A: Because all of the malware I reported is still there. And B: Because actually policing your store for malware for once shouldn't be a news item.
27182818284, about 10 years ago
The security model of Chrome extensions is such that I only use one, and that's one from a well-known company that I already trust with sensitive items.

I just can't talk myself into the "This extension will have access to your browsing history and private data on all websites" warning that appears beforehand, and it looks like with extensions sending private URLs away to be crawled, I was at least a little correct to worry.
sandinmyjoints, about 10 years ago
> "Preliminary results revealed that 5% of people accessing Google every day have been caught out by at least one malicious extension."

How might they have detected what extensions are installed in their visitors' browsers?

Is there a way to enumerate installed extensions?

http://browserspy.dk/ and https://panopticlick.eff.org/ detect plugins, but those aren't the same as extensions.
miander, about 10 years ago
When the extensions are removed from the Chrome Web Store, are they removed from everyone's browsers automatically? I didn't see it mentioned here or in the article.
userbinator, about 10 years ago
Aren't extensions written in JavaScript? That alone sounds like it'd make it pretty easy to examine and remove any "unwanted functionality" from one, or to show that it's doing something it shouldn't be. It only takes one knowledgeable user to find out and spread the news...

As an aside, I'm surprised at how willing most users seem to be to install any software, be it browser extensions or random apps on their phones/tablets/PCs. Especially in the case of the deliberately malicious extensions mentioned in the article, I wonder if they were installed without the user ever considering "What is this for? Do I really need it?"
rip747, about 10 years ago
I don't understand why you can't block (or lock out) certain permissions for extensions. If an extension requests permission to browsing history, you should be able to install the extension but deny it access. This is the same problem that I see on Android.
wnevets, about 10 years ago
It's too easy to bait and switch with Chrome extensions. Authors can sneak malware into their code at any point and you have zero chance of stopping it.
josteink, about 10 years ago
So how long until AdBlock Plus and uBlock are "bad" extensions?

Enjoy your walled garden. Soon enough the walls will be so high you won't even *remember* what a free browser felt like.
obisw4n, about 10 years ago
Chrome extensions can do some really nasty things. Just last year, while doing adware research for extensions, I actually came across an extension monetization company who was silently installing Google Android apps to the user's phone with no human interaction whatsoever. I wrote a breakdown of this on my blog:

http://extensiondefender.com/blog/red-alert-dangerous-exploit-poses-major-threat-to-all-android-users/
xmodem, about 10 years ago
This probably isn't a popular view for the HN crowd, but at this point I'm convinced that for 90% of users, browser extensions are an anti-feature doing way more harm than good.
hackaflocka, about 10 years ago
Chrome always gives this really scary warning that the extension will be able to read all my tabs etc. They need to sandbox everything so that I don't have to feel worried while installing extensions. Worry is not a good UX.
speik, about 10 years ago
An extension I use regularly got zapped (Website Screenshot). There are definitely alternatives out there, but it's a little annoying that there was no indication as to WHY it was removed. Oh well.
c0l0nelpanic, about 10 years ago
This only addresses part of the problem. Chrome extensions are ONE method of injecting into a page. What about more advanced methods including code hooks, proxies, LSP, TDI, WFP, etc.? What is Chrome going to do about those?
yawz, about 10 years ago
Well... Wouldn't it be useful to publish a list of the offending extensions?
wahsd, about 10 years ago
That's amazing news ..... YEARS after it should have happened.
brettbl, about 10 years ago
What's Google's protocol for approving apps? How do they not notice the problems before the apps even hit the store?
wyclif, about 10 years ago
Google needs a better way to notify users when extensions are superseded. For instance, I used to use the Google Voice extension even though it was buggy as hell, and kept using it for too long because I didn't know about the much better Hangouts extension that replaced it (I had been using Hangouts for a while but never had the Chrome extension).
pjmlp, about 10 years ago
Better yet, disable all of them.