
A phony ad-blocking Chrome extension infiltrated Google's official Web Store - piyushgupta27
https://www.theverge.com/2017/10/9/16449236/google-chrome-extensions-malicious-security-controls
======
ocdtrekkie
This is, unfortunately, remarkably common. It only received a lot of attention
here because it pretended to be a well-known extension: The Web Store is full
of extensions which hijack your start page and search provider and have full
access to all of your web content. They're often installed via pages through
malicious ads which state that you must accept Chrome's install extension
request to continue web browsing and use a variety of JavaScript-based tricks
to keep you on the page until you do.

Many times, I've reported malicious extensions I've found on users' PCs, and
months later they are still alive and well on the Web Store. Google has not
taken significant steps to vet browser extensions despite the massive amount
of access to your personal data they have, particularly if they use
permissions like accessing the content of pages you're on.

Microsoft appears to only permit Edge extensions on a case-by-case, human-
vetted basis. I strongly recommend instructing lay users to use Edge over
Chrome, and those who insist on Chrome should have --no-extensions added to
their shortcuts to ensure Google's extension interface is wholly disabled.

Unfortunately, while Chrome regularly brags about their security measures, it
does very little when they permit (and distribute) malicious extensions in
their store with permissions to do whatever they want with user data. It is
akin to bragging about how good your deadbolt is while leaving the door wide
open.
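
An added example, not part of the comment above: a defender-side audit that flags installed extensions whose manifest requests access to the content of every page or overrides the start page or search provider. It assumes the usual on-disk layout `Extensions/<id>/<version>/manifest.json` under a Chrome profile; the sample manifests are constructed.

```python
import json
from pathlib import Path

# Host patterns that grant access to page content on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list:
    """Return findings for one parsed manifest.json."""
    findings = []
    # MV2 lists host patterns in "permissions"; MV3 uses "host_permissions".
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])
    # Content scripts get page access through their own "matches" patterns.
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    broad = sorted({p for p in declared if isinstance(p, str) and p in BROAD_HOSTS})
    if broad:
        findings.append("reads content of all pages: " + ", ".join(broad))
    overrides = manifest.get("chrome_settings_overrides", {})
    for key in ("homepage", "startup_pages", "search_provider"):
        if key in overrides:
            findings.append("overrides " + key)
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.append("overrides newtab")
    return findings

def audit_profile(extensions_dir: Path) -> dict:
    """Audit every <id>/<version>/manifest.json below extensions_dir."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[ext_id] = ["manifest unreadable"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_HIJACKER = {"name": "Example Search Helper", "manifest_version": 2,
    "permissions": ["tabs", "<all_urls>"],
    "chrome_settings_overrides": {"homepage": "https://search.example/",
        "search_provider": {"name": "Example", "search_url": "https://search.example/?q={searchTerms}"}}}
SAMPLE_BENIGN = {"name": "Example Notes", "manifest_version": 3, "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://docs.example/*"], "js": ["notes.js"]}]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_HIJACKER), audit_manifest(SAMPLE_BENIGN))
```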

------
jayess
What happens when they remove an extension and people have installed it? Does
the installed extension get disabled somehow?

