Google's clever-clogs are focused on many things, but not this: The Chrome Web Store. Devs complain of rip-offs, scams, wait times
Support? Hello? Is anyone here?
Programmers are complaining that Google's Chrome Web Store still looks more like an ill-tended shack than a legitimate store.
Developers are continuing to complain about dubious extensions with fake users, extension copying, and long waits for extension approval, among other gripes.
Over the weekend, an individual writing under the name Julio Marin Torres published a series of posts to Google's Chrome Extension forum complaining about a handful of browser extensions that rely on fake user statistics to create a sense of legitimacy.
For example, an extension called Sling Online Racing has a mere three one-star reviews but nevertheless claims 162,706 users. All this extension does is open a URL:
Attempting to game store placement with fake figures is a violation of Google policies.
The Register asked Google for comment but no one responded.
From what we're told, the Chrome Store is run by a skeleton crew and doesn't have enough personnel to provide individualized support. Shortly after we looked at Chrome Web Store complaints in October, a developer managing multiple extensions contacted The Register desperate to get some support from Google.
A developer who asked to remain anonymous and has been creating Chrome extensions since 2010 and now has a startup managing six of them, said in an email to The Register that the Chrome Web Store is broken in a number of ways and said very few people seem to be working on it. He confirmed that user count manipulation is a serious issue.
"We had a system running before Xmas that was watching the store monitoring changes in products, user counts, ratings and other things and we definitely observed that there was some gaming of the system going on pretty much exactly as Julio mentioned," he said.
"There were extensions with millions of users but no reviews which is very, very unlikely and then other extensions would suddenly get millions from nowhere and then lose them again."
He said he wasn't sure why this was going on. He also cited a number of other problems. The developer backend has been half-done for years, forcing developers to rely on both an old dashboard and a new one, he said. And extension approvals can take days or weeks.
"The emails you get are really cryptic so if you fail approval it's hard to know what you need to change to fix it," he said.
Private extensions get reviewed slowly, even though they're private and thus don't pose the same security risk, he said, also noting that extensions may be taken down without any changes being made.
"What I find incredible is that basically all of the other browser vendors have adopted the Chrome extension format for extending their browsers, so you would think Google would have a larger staff to work on this seeings as the other browser vendors now rely on them, but it doesn't seem to be the case," he said.
Even so, this developer said he enjoys making Chrome extensions and expressed appreciation for the Google personnel handling the store for doing the best they can with a limited budget.
According to Extension Monitor, a website that provides analytics for extension developers, there are about 188,000 extensions which account for about 1.2bn installs. Also, there are more than 20,000 extensions that share a name with another extension, which underscores the extent of the copying problem, or at least the lack of sensible naming policies.
Google's Chrome Web Store under fire for shoddy service and cryptic policiesREAD MORE
In an email, William Wnekowicz, a software engineer and founder of Extension Monitor, said with regard to copied code, he'd expect developers to monitor this themselves and issue takedown notices rather than relying on Google's oversight.
"As far as fake users, yes, I've suspected this is happening for quite some time," said Wnekowicz. "I track user counts daily and often come across an extension with odd user count thrashing. Instead of smooth growth curves, you see wild oscillations."
Wnekowicz said he wasn't certain how this is happening but he suspects Chrome extension devs may be spinning up browsers in VMs to download their extension. Such downloads get counted as users until seven days pass without any pings back to Google, at which point Google subtracts the user from the tally. It's also possible, he suggests, that devs are using compromised machines to boost installations.
"Regarding oversight of fake users, Google should absolutely be policing this, not only for the abuse of their recommendation system, but also for the abuse of Chrome users in general," he said. "I don't know what Google is currently doing, but I'm sure the data available to them can be used to temper these abuses." ®
- AdBlock Plus
- App stores
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Identity Theft
- Kenna Security
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Palo Alto Networks
- Privacy Sandbox
- Software License
- Tavis Ormandy
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Web Browser
- Zero trust