Google's clever-clogs are focused on many things, but not this: The Chrome Web Store. Devs complain of rip-offs, scams, wait times

Support? Hello? Is anyone here?

Programmers are complaining that Google's Chrome Web Store still looks more like an ill-tended shack than a legitimate store.

Developers are continuing to complain about dubious extensions with fake users, extension copying, and long waits for extension approval, among other gripes.

Over the weekend, an individual writing under the name Julio Marin Torres published a series of posts to Google's Chrome Extension forum complaining about a handful of browser extensions that rely on fake user statistics to create a sense of legitimacy.

For example, an extension called Sling Online Racing has a mere three one-star reviews but nevertheless claims 162,706 users. All this extension does is open a URL:

The webpage is deemed safe by Google's Safe Browsing service but it injects JavaScript code that serves ads. Torres claims these extensions rely on fraudulent installations to manipulate store ranking data and deceive users by making them believe the browser add-ons are more successful than they actually are.

Attempting to game store placement with fake figures is a violation of Google policies.

Other Chrome extension developers have been complaining that people have copied their extension code and reposted it as their own. And they claim that Google has not taken action on their reports.

The Register asked Google for comment but no one responded.

From what we're told, the Chrome Store is run by a skeleton crew and doesn't have enough personnel to provide individualized support. Shortly after we looked at Chrome Web Store complaints in October, a developer managing multiple extensions contacted The Register desperate to get some support from Google.

A developer who asked to remain anonymous, who has been creating Chrome extensions since 2010 and now runs a startup managing six of them, said in an email to The Register that the Chrome Web Store is broken in a number of ways and that very few people seem to be working on it. He confirmed that user count manipulation is a serious issue.

"We had a system running before Xmas that was watching the store monitoring changes in products, user counts, ratings and other things and we definitely observed that there was some gaming of the system going on pretty much exactly as Julio mentioned," he said.

"There were extensions with millions of users but no reviews which is very, very unlikely and then other extensions would suddenly get millions from nowhere and then lose them again."

He said he wasn't sure why this was going on. He also cited a number of other problems. The developer backend has been half-done for years, forcing developers to rely on both an old dashboard and a new one, he said. And extension approvals can take days or weeks.

"The emails you get are really cryptic so if you fail approval it's hard to know what you need to change to fix it," he said.

Private extensions get reviewed slowly, even though they're private and thus don't pose the same security risk, he said, also noting that extensions may be taken down without any changes being made.

"What I find incredible is that basically all of the other browser vendors have adopted the Chrome extension format for extending their browsers, so you would think Google would have a larger staff to work on this seeing as the other browser vendors now rely on them, but it doesn't seem to be the case," he said.

Even so, this developer said he enjoys making Chrome extensions and expressed appreciation for the Google personnel handling the store for doing the best they can with a limited budget.

According to Extension Monitor, a website that provides analytics for extension developers, there are about 188,000 extensions which account for about 1.2bn installs. Also, there are more than 20,000 extensions that share a name with another extension, which underscores the extent of the copying problem, or at least the lack of sensible naming policies.

In an email, William Wnekowicz, a software engineer and founder of Extension Monitor, said with regard to copied code, he'd expect developers to monitor this themselves and issue takedown notices rather than relying on Google's oversight.

"As far as fake users, yes, I've suspected this is happening for quite some time," said Wnekowicz. "I track user counts daily and often come across an extension with odd user count thrashing. Instead of smooth growth curves, you see wild oscillations."

Wnekowicz said he wasn't certain how this is happening but he suspects Chrome extension devs may be spinning up browsers in VMs to download their extension. Such downloads get counted as users until seven days pass without any pings back to Google, at which point Google subtracts the user from the tally. It's also possible, he suggests, that devs are using compromised machines to boost installations.

"Regarding oversight of fake users, Google should absolutely be policing this, not only for the abuse of their recommendation system, but also for the abuse of Chrome users in general," he said. "I don't know what Google is currently doing, but I'm sure the data available to them can be used to temper these abuses." ®
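The signals described above (user counts that oscillate instead of growing smoothly, surges that vanish about seven days later, and large user bases with almost no reviews) can be checked mechanically over a daily history. The following is an added example, not code from Extension Monitor, Google, or anyone quoted here; the thresholds, extension names and sample counts are constructed assumptions, and a hit is a reason to look closer rather than proof of fraud.

```python
# Added example; thresholds are illustrative assumptions, not Google's or Extension Monitor's.
JUMP = 0.25                # day-over-day change of 25% or more counts as a jump
MIN_REVERSALS = 2          # this many direction flips between jumps counts as thrashing
USERS_PER_REVIEW = 20_000  # more users than this per review is treated as implausible
EXPIRY_DAYS = 7            # silent installs leave the tally after seven days (per the article)

def big_moves(counts):
    """Return (day_index, relative_change) for every jump of at least JUMP."""
    moves = []
    for day in range(1, len(counts)):
        change = (counts[day] - counts[day - 1]) / max(counts[day - 1], 1)
        if abs(change) >= JUMP:
            moves.append((day, change))
    return moves

def assess(daily_users, reviews):
    """Return the list of anomaly signals for one extension's history."""
    signals = []
    moves = big_moves(daily_users)
    pairs = list(zip(moves, moves[1:]))
    # Wild oscillation: consecutive jumps that point in opposite directions.
    if sum(1 for (_, a), (_, b) in pairs if a * b < 0) >= MIN_REVERSALS:
        signals.append("thrashing")
    # A surge handed back about one expiry window later fits installs that never pinged.
    if any(a > 0 > b and d2 - d1 <= EXPIRY_DAYS + 1 for (d1, a), (d2, b) in pairs):
        signals.append("surge-then-expiry")
    # Large user base with almost nobody reviewing it.
    if daily_users[-1] / max(reviews, 1) > USERS_PER_REVIEW:
        signals.append("users-without-reviews")
    return signals

# Constructed sample data: (daily user counts, review count). Names are made up.
SAMPLES = {
    "steady-notes": ([10_000, 10_150, 10_320, 10_480, 10_700, 10_900, 11_100, 11_300], 240),
    "featured-once": ([5_000, 5_100, 9_000, 9_200, 9_400, 9_600, 9_800, 10_000], 60),
    "racing-tab": ([40_000, 160_000, 162_000, 161_000, 163_000, 162_500, 161_800,
                    162_706, 45_000, 150_000, 152_000], 3),
}

def scan(samples=SAMPLES):
    """Map each extension name to its signals, keeping only flagged ones."""
    results = {name: assess(users, reviews) for name, (users, reviews) in samples.items()}
    return {name: sig for name, sig in results.items() if sig}

if __name__ == "__main__":
    for name, signals in scan().items():
        print(f"{name}: {', '.join(signals)}")
```

The "featured-once" history shows the case the heuristic must not flag: a single large jump that is never handed back.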
