I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn't happened.
Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.
MV3 makes it considerably harder to introduce a security vulnerability, but it doesn’t really help with outright malicious extensions. In the end this isn’t an issue which can be solved by technical means. It’s a moderation issue, and Google currently seems to be scaling back moderation despite not being great at it to start with.
Even with MV3 you still have access to `chrome.webRequest.onBeforeRequest` and content scripts, so this particular issue won't be 100% solved.
I don't think the solution is technical. The solution would be a strict policy, and nuke every extension and publisher from the store who even hints at doing this kind of BS.
There was a question raised but not really answered about "what do these extensions want with all this browsing data?" - while it may be that they're used for direct ad targeting (like real time ad buying against your IP address) it's more likely that they're selling "click stream" data.
In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it's also custom enterprise reports that are like "how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?"
I've decided that browser extensions are too much of a security/privacy risk.
I just stick with 1password extension and an ad blocker extension that uses Safari's Content Blocker API only.
And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don't do day-to-day browsing there.
Is there any way to only allow Chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.
Most users have no way to vet a Chrome extension update (or on initial install). If we want strong security for everyone, we need better solutions than that.
AFAIK there are two ways for this, neither of which is convenient to use: install all extensions from the source (you can unpack an existing crx for it or use their cloned repo if it's open source) or use a group policy to disable extension autoupdate and update each of them manually when the new version has something you want.
I don't think so. However, extensions are automatically disabled if they request more permissions. And in Manifest v3 most extensions won't have access to most pages unless you click on them.
Personally I have 15 extensions installed. Only four of them have access to all sites, and two of those are because they are not updated to Manifest v3 yet. I didn't say it was impossible for a Manifest v3 extension to have access to all sites. Most will not.
Can a firewall rule distinguish between an extension update and a new install? Would blocking the entire chrome web store cause other problems in chrome?
I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.
How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?
This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?
Additionally, are we even able to review the source code of extensions if they are not open source?
> I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.
It's crazy and it's not even a "Google Scale" problem. There are only around 2,000 extensions that are popular (100k+ users) and the co-ordinated malicious activity is super blatant.
> Additionally, are we even able to review the source code of extensions if they are not open source?
Yes, and you can even do this without installing the code by downloading the zip file (that contains the extension code) using the extensionId + a GET request (or using a browser).
You can unpack and view the code of any extension after you've installed it. There's even a rule against obfuscation, though I'm not sure how enforced that is.
A Chrome extension is basically a zip archive with a bunch of JavaScript inside. There's no safeguarding of the code within.
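Several comments above (unpacking an existing crx, fetching the zip by extensionId, viewing the code after install, checking which extensions have access to all sites) describe the same manual audit. The script below is an added example for this thread, not code from any commenter, from Google, or from Sensor Tower: it strips the public CRX2/CRX3 container framing to reach the zip, reads manifest.json, and reports the site access and webRequest use the manifest asks for. It skips the CRX3 header rather than parsing it, so it does not verify the package signature. The two extensions it audits (and the example.com pattern) are constructed for the demo.

```python
"""Unpack a Chrome .crx in memory and audit the site access its manifest requests.

Added example for this thread, not code from any commenter or from Google.
The CRX container layouts used are the public CRX2/CRX3 framing; the CRX3
header is skipped, not parsed, so signatures are NOT verified here. The
sample extensions at the bottom are constructed for the demo.
"""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"
# Match patterns that grant access to every site.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def crx_to_zip(crx: bytes) -> tuple[int, bytes]:
    """Return (crx_version, zip_payload).

    CRX3: 'Cr24' | u32 LE version=3 | u32 LE header_len | header | zip
    CRX2: 'Cr24' | u32 LE version=2 | u32 LE key_len | u32 LE sig_len | key | sig | zip
    """
    if crx[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file: bad magic")
    version = struct.unpack_from("<I", crx, 4)[0]
    if version == 3:
        header_len = struct.unpack_from("<I", crx, 8)[0]
        offset = 12 + header_len
    elif version == 2:
        key_len, sig_len = struct.unpack_from("<II", crx, 8)
        offset = 16 + key_len + sig_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    payload = crx[offset:]
    if payload[:2] != b"PK":
        raise ValueError("no zip archive at the computed offset")
    return version, payload


def host_patterns(manifest: dict) -> set[str]:
    """Collect every match pattern that grants page access (MV2 and MV3 layouts)."""
    patterns = set(manifest.get("host_permissions", []))  # MV3 keeps hosts here
    patterns |= {p for p in manifest.get("permissions", [])  # MV2 mixed hosts in here
                 if p == "<all_urls>" or "://" in p}
    for cs in manifest.get("content_scripts", []):
        patterns |= set(cs.get("matches", []))
    return patterns


def audit_crx(crx: bytes) -> dict:
    """Unpack the CRX in memory and summarise what the manifest asks for."""
    version, payload = crx_to_zip(crx)
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        files = sorted(zf.namelist())
        manifest = json.loads(zf.read("manifest.json"))
    patterns = host_patterns(manifest)
    return {
        "crx_version": version,
        "manifest_version": manifest.get("manifest_version"),
        "name": manifest.get("name"),
        "files": files,
        "site_patterns": sorted(patterns),
        "all_sites": bool(patterns & ALL_SITES_PATTERNS),
        "uses_webrequest": "webRequest" in manifest.get("permissions", []),
    }


def build_sample_crx(manifest: dict) -> bytes:
    """Constructed CRX3 for the demo: a placeholder header (not a real signed
    protobuf header) followed by a zip holding the manifest and one script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// constructed placeholder\n")
    header = b"\x00" * 16  # stand-in bytes; a real CRX3 header carries keys and signatures
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


# Two constructed manifests: one asks for every site plus webRequest, one is scoped.
BROAD_MANIFEST = {
    "manifest_version": 3, "name": "Constructed Broad Extension", "version": "1.0",
    "permissions": ["webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
}
SCOPED_MANIFEST = {
    "manifest_version": 3, "name": "Constructed Scoped Extension", "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["background.js"]}],
}


def demo() -> list[dict]:
    """Audit both constructed packages and return the reports."""
    return [audit_crx(build_sample_crx(m)) for m in (BROAD_MANIFEST, SCOPED_MANIFEST)]


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

To run it on a real package, pass the bytes of a downloaded .crx to `audit_crx` instead of the constructed ones; the "all_sites" flag is the quick answer to the "which of my extensions can read every page" question, and the file list is the starting point for reading the actual JavaScript.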
Does that only cover the background/web-worker or does it also include the UI parts (popup, content-ui, dev-tools...)? That would make using something like React or Vue almost impossible.
They care about making money, but malicious extensions: damage the Google/Chrome brand, often are directly distorting the search experience and it opens them up to long tail liability (think Cambridge Analytica).
The problem is the organization isn't set up to promote people for proactively managing these risks. Similar to why Twitter never got rid of the bots.
>They care about making money, but malicious extensions: damage the Google/Chrome brand, often are directly distorting the search experience and it opens them up to long tail liability (think Cambridge Analytica).
More importantly, they're not getting paid for any of the malicious addons. Sure, they might be getting a cut when they show a fake download button (because they run the ad network), but what are they getting when Sensor Tower exfiltrates your browsing history? At best they're helping their competitors get better targeting data.
Where's the evidence for that? The OP only mentions affiliate fraud and user data harvesting. Neither of those seems to benefit Google. To my knowledge Google doesn't run an affiliate network, and data harvesting likely helps rival ad networks rather than Google.
Just because there's affiliate fraud happening doesn't mean google is benefiting. What evidence is there that google is benefiting? Are they even using google's affiliate network? Does google even have one?
I had no idea until I made an extension how messed up the ecosystem is.
Now I regularly get offered ~5 figures a month in recurring revenue to turn my extension into malware & I've seen how blatant the abuses are by other extensions / the sellouts.
Is it that you don't believe these pieces of malware are generating fake engagement on Google's properties? Or that Clicks, Views & Users don't matter to Google?
>Is it that you don't believe these pieces of malware are generating fake engagement on Google's properties?
The extensions engage in affiliate fraud (i.e. injecting affiliate code/cookies into links/sessions) and collect user data. That hardly counts as "engagement on Google's properties", which are mostly search ads and YouTube. To my knowledge Google doesn't have an affiliate network, so they're not getting anything there either.
You seem to imply that the extensions are engaging in ad fraud (eg. viewing/clicking on ads), but there's no evidence of that presented in the OP or in this comment section.
Most people aren't (or at least feel they aren't) able to take a hardline stance about only using free software, but if there's one area of your digital life you should be able to apply it to, it's browser extensions.
If anything the non Developer Editions of Firefox disabling the ability to load an extension locally (without resetting it every time the browser starts) closes one path to preventing auto-updating of extensions.
That's a path necessary only in Chrome - Firefox allows you to disable auto-update of extensions, both wholesale and individually, without extraneous steps like that.
(The ability to load extensions locally would be great for its own reasons, but that's irrelevant to this discussion.)
[1] https://developer.chrome.com/docs/webstore/program-policies/...
[2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...
[3] https://developer.chrome.com/docs/webstore/program-policies/...