Google halts paid-for Chrome extension updates amid fraud surge: Web Store in lockdown 'due to the scale of abuse'
Meanwhile, probe reveals how Avast's 'anonymized' user data can be, er, deanonymized
On Saturday, Google temporarily disabled the ability to publish paid Chrome apps, extensions, and themes in the Chrome Web Store due to a surge in fraud.
"Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users," said Simeon Vincent, developer advocate for Chrome Extensions, in a post to the Chromium Extensions forum. "Due to the scale of this abuse, we have temporarily disabled publishing paid items."
Vincent said the shutdown is temporary while Google looks for a long-term way to address the problem. Developers who have paid extensions, subscriptions, or in-app purchases and received a rejection notice for "Spam and Placement in the Store," he said, can probably attribute the notification to the fraud fighting shutdown.
Vincent said those who have received a rejection notice can reply to the email and request an appeal. This process needs to be done for each new version published or updated while the fraud block is in place.
Google did not respond to a request to clarify how Chrome Web Store fraud was being carried out.
The Chocolate Factory provides developers with several payment options for selling apps, extensions, and themes. The Chrome Web Store has a one-time payment system called Chrome Web Store Payments. For Chrome Apps, which soon will be phased out in Chrome (and later for ChromeOS), developers can use a Google Payments Merchant Account and Chrome Web Store API to sell in-app virtual goods.
Over the past few days, developers of Chrome extensions have been reporting account suspensions and app rejections that appear to be related to the fraud emergency. KodeMuse Software, an India-based software biz that makes several Chrome extensions, insists its code complies with laws and Google policies, says its account was inexplicably suspended.
The anti-fraud measures may have gone into effect prior to Vincent's announcement. Developers began reporting that they'd received "Spam and Placement in the Store" warnings on January 19, and more reports followed over the next few days.
Google's clever-clogs are focused on many things, but not this: The Chrome Web Store. Devs complain of rip-offs, scams, wait timesREAD MORE
In an email to The Register, Jeff Johnson, who runs Lapcat Software, which makes macOS and iOS audio apps and a privacy extension for Chrome and Safari called StopTheMadness, said that existing extensions remain accessible in the Chrome Web Store, but updates and new extensions are being rejected.
"I submitted a minor bug fix update on January 19, and I received an email on January 22 from Chrome Web Store Developer Support titled 'Chrome Web Store: Removal notification for StopTheMadness,'" he explained, noting that the extension was not removed but the update was rejected.
"There have been many complaints in Google's Chromium Extensions forum in the past few weeks, but Google provided no useful information until now."
Johnson said that he has a Safari app extension in the Mac App Store and while developer support isn't great, the Chrome Web Store is worse and feels understaffed – a charge other software makers have made.
"The Mac App Store usually reviews my updates within 24 hours, and if something goes wrong, I can contact support and get a response within a reasonable amount of time," he said. "With the Chrome Web Store, however, my updates can take up to a week to get reviewed, and if something goes wrong, you're almost hopelessly lost."
"Google seems to want to automate things as much as possible and avoid employing human staff," he continued. "There's no phone # you can call. There is email, but when they finally respond – if they ever do respond – you get the feeling that the response was written by AI rather than a real person."
Johnson attributed Google's lack of communication with developers for the current situation, where a large number of developers encounter problems due to a sudden policy change and have nowhere to turn for help. ®
Speaking of browser extensions... Cast your mind back to December and you may recall antivirus-maker Avast ran into trouble with its Firefox add-on. The extensions were booted out of Mozilla's web store for breaking its privacy rules.
It appears the extensions harvested a lot of information about their users and sent it all back to Avast – including URLs of sites visited, along with a per-device unique ID. Avast-owned Jumpshot then sold that, apparently deanonymized, data on "100 million global online shoppers and 20 million global app users," boasting to customers: "Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain."
This hosepipe-like feed includes things like web search terms, videos watched, links clicked on, and so on.
And, crucially, it is seemingly easy to deanonymize this data. If you're a big brand, or any website, really, and you get told by Jumpshot that device ID ABC123 was used to buy some stuff at 10.05am from your dot-com, and you see that purchase in your own logs at that time, you now know ABC123 is used by a particular shopper, and you can identify them in all their other Jumpshot-collected web activity.
And all that Jumpshot data appears to have been sold to big names, too, such as Unilever, Nestle Purina, and Kimberly-Clark, judging by the outfit's marketing.
Avast told PC Mag today it has stopped all user info harvesting "for any other purpose than the core security engine, including sharing with Jumpshot." However, according to the web magazine's Michael Kan:
Nevertheless, Avast's Jumpshot division can still collect your browser histories through Avast's main antivirus applications on desktop and mobile. This include AVG antivirus, which Avast also owns. The data harvesting occurs through the software's Web Shield component, which will also scan URLs on your browser to detect malicious or fraudulent websites. For this reason, PCMag can no longer recommend Avast Free Antivirus as an Editors' Choice in the category of free antivirus protection.
- AdBlock Plus
- App stores
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Google AI
- Google Cloud Platform
- Google Nest
- G Suite
- Identity Theft
- Kenna Security
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Palo Alto Networks
- Privacy Sandbox
- Software License
- Tavis Ormandy
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Web Browser
- Zero trust