Then where is it actually installed? Unless it's doing something really rootkit-y (unlikely given that AFAIK Chrome's extensions are just JS), monitoring file accesses would probably be sufficient to determine where it is and how to remove it. Unfortunately, I think this researcher just didn't really try hard enough...
Removing the extension proved so difficult that he ultimately advised users to run the free version of Malwarebytes and let it automatically remove the add-on.
...of course, what better than to sneak in an advert for their product!
IMHO this is a sign that JS running on a page has been given too much power (and the reason I only let JS run on a whitelist.)
The other thing I find slightly off is that there's been plenty of mention of how Chrome's extension API is nowhere near as powerful as what the old Firefox extensions could do, and it's a more walled garden, yet things like this are still reported.
Go ahead and try.
I agree that 98% of the time it is fine, but that is not the point. I want to have control over the software that runs on my computer, especially if sometimes useful functionality is stripped away, or malicious code can be run.
Off the top of my head, I had Google Drive install a chrome extension which then informed me that it needed me to grant it more permissions than it had when it was installed without asking by Google Drive, and then when I didn't grant them, it removed itself after a few days, without a trace.
Or there was the time that the Chromecast extension disappeared. Of course, this was because Google integrated that functionality directly into the browser, but, it made me feel very uncomfortable that the software on my computer was so unpredictable.
And there are many other times that extensions have just "upgraded" themselves into breaking.
Out of frustration after feeling no sense of agency, I started using git to track the changes to my chrome config folder. Even if I used git to roll back the filesystem to its previous state, I then have to modify the extensions to not have the right url to check for updates, and then there are still other mechanisms to thwart that. At best, I was able to manually re-enable the extensions I want, and I had to write a script to automate it after each time I started chrome.
Outside of the Chrome extensions themselves, when you install several Google products, like Drive or Google Earth, it adds its spyware-like "keystone agent" updating daemon to three different locations. WHY? If you remove any of its hooks, it just re-creates them. And it will monitor your filesystem and irreversibly apply updates to Chrome, which may remove features (like the ability to side-load extensions, or save HTML5 video, or mandatory WideVine DRM).
None of this is made clear to you. It will ask you for root access just so it can install its system-wide updater in two locations, but if you deny it, it will still install it for the current user. If you start to remove it, it will never alert you that it is being tampered with or explain what is going on, it will just resist like spyware, re-creating itself.
Out of frustration, I just started making files immutable so that it couldn't re-inject itself. Obviously that is not ideal, but I had work to do and I was sick of it worming around my computer.
It doesn't have to be this way. I understand the importance of updates. But Google doesn't have to do it in such an underhanded and frankly hostile manner. But this reflects a culture of gaslighting of the user, and general hostility.
So, it makes sense that malicious actors could piggyback on Google's already user-hostile platform. Google is already doing much of the work for them.
And before anyone responds by saying that there are technical means to take control of the Chrome browser that I missed, I am sure there are, but that is not the point. I am aware that there is an environment variable you can set that will request that Keystone Agent stop updating, but it is completely undiscoverable, and does not actually stop Keystone Agent from running. Someone should not have to have an extensive understanding of software development just to be able to say "NO", and accept the responsibility for it.
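The commenter above tracked their Chrome profile folder with git to see what the updater kept rewriting. The same idea in a dependency-free form, as an added example (not the commenter's script and not anything Google ships): hash every file under a profile directory into a baseline manifest, then diff a later manifest against it to list files that were added, removed or modified behind your back. The directory layout and file contents in `demo()` are constructed for the example, not a real Chrome profile.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Stream in chunks so large cache files do not get loaded whole.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths.

    'added' are files present now but not in the baseline (e.g. a file an
    updater dropped in), 'removed' are baseline files that vanished (e.g. an
    extension that silently uninstalled itself), 'modified' are files whose
    content hash changed (e.g. a rewritten Preferences file).
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return added, removed, modified


def demo():
    """Constructed scenario: snapshot a fake profile, mutate it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, "Extensions", "exampleid")  # constructed id
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w") as fh:
            fh.write('{"name": "example extension", "version": "1.0"}')
        with open(os.path.join(root, "Preferences"), "w") as fh:
            fh.write('{"extensions": {"settings": {}}}')
        with open(os.path.join(root, "Local State"), "w") as fh:
            fh.write('{"browser": {}}')

        baseline = build_manifest(root)

        # Simulated unattended changes: a settings file rewritten, a new file
        # dropped into the extension directory, and a file removed.
        with open(os.path.join(root, "Preferences"), "w") as fh:
            fh.write('{"extensions": {"settings": {"exampleid": {"state": 0}}}}')
        with open(os.path.join(ext_dir, "injected.js"), "w") as fh:
            fh.write("// constructed: file that was not there at baseline\n")
        os.remove(os.path.join(root, "Local State"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

Run the script once with the real profile path in place of the temp directory, save the baseline (for example as JSON), and re-run after each browser start; anything in the `added` or `modified` lists that you did not change yourself is worth a look before deciding whether to make a file immutable, as the commenter resorted to.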
IMO, trying to keep standard-edition Chrome from updating itself (or the extensions) is a hopeless endeavor. It was basically part of the core philosophy for Chrome from day one that Google can basically push arbitrary feature and behavior changes at any time (But they promise really hard they'll be careful with that). I think the marketing was something like "The only version for Chrome is 'current'".
If you want control, there are better options, e.g. using Chromium, a fork or another browser altogether.
What I find more worrying is that the practice of aggressively auto-updating everything has become almost an industry standard.
At some time we seem to have gone from protecting people against phone-home trojans to turning all our products into them and playing political games with the resulting power. In fact, software is seen as a security risk if it is not a phone-home trojan because apparently all users are children who cannot be trusted to take care of their own computers.
This is very convenient for the industry, because if all software is constantly changing, why bother to keep the underlying standards constant? That's why we now have "Living standards" that constantly change and expect all implementations to follow suit.
Stop using the products of advertisers, their goals are antithetical to what arguably should be yours.
When the same question marks that you mention started appearing in my mind, I not only went back to Firefox but started de-googlifying my life. Re-installed my OS to make sure no traces of Chrome remained.
And man, keeping track of changes in Chrome folder, talk about a losing battle.
Then again, every time I install Palemoon I notice that the biggest single file in the bunch is libxul. So I suspect dumping XUL is more about maintenance burden than anything else. CADT is a pox on FOSS projects...
I previously had Stayfocusd and I blocked myself from uninstalling the extension (as a test) by blocking chrome://extensions, but then found a loophole using the method above.
Edit: Confirmed. What this article talks about is a total non-issue. All extensions can be removed by right-clicking their toolbar button (btw they HAVE to have a button) and selecting "Remove from Chrome."
From competitors, trolls, and just random idiots...
I wonder if they flag it for review after X reports in Y time frame.
I wouldn't expect immediate action, but 19 days is a bit much.
It does look pretty bad towards the end, that you can specify any site as the extension's website to make it look more official.
What I don't understand is if they started chrome in another mode passing the executable arguments that should have disabled said extensions, how was it still redirecting the extensions management page?
It’s not impossible to uninstall chrome and re-install it under a different path, and create an alternate OS user account on the same laptop or desktop, and log into that to effectively reset Chrome to its default state in a non-disruptive manner.
The unfortunate fact, however, is that most people simply won't do that because it's too inconvenient, or users of a particular machine have been subjugated by system administrator overlords, as part of an organizational policy, and lack admin privileges to migrate to a fresh user account in part or in whole.
People also often tend to use the admin account unhygienically. Which is not actually much of a sin, as long as you enter into those activities with the mindset of anticipating a full reinstall at the operating system level.
...which of course won’t even kill the firmware implants that advanced persistent threats have dropped into your peripherals, via intel extensions commissioned by the NSA.