Chrome Web Store slammed again after 295 ad-injecting, spammy extensions downloaded 80 million times
Not exactly the first time this has happened, by a very long chalk
Google's Chrome Web Store is once again under fire for poor policing of harmful extensions.
In a blog post this week, ad-blocking biz AdGuard took Google to task for allowing almost 300 policy-violating extensions to be downloaded by over 80 million users – some of whom are likely faked by spammers – without doing anything until weeks after being alerted to the problem.
The bad extensions consist of fake ad blockers that inject adverts into search results rather than blocking them, fake ad blockers that engage in cookie stuffing to defraud advertisers, and extensions involved in spam-related abuse.
The Chrome Web Store, or CWS, hosts over 200,000 extensions that can be added to enhance the functionality of Google's Chrome browser, and other Chromium-based browsers like Microsoft Edge and Brave. But Google has won little praise for its oversight of the store in the latest cleanup.
"Google fails with managing [the] Chrome Web Store and keeping it safe," wrote Andrey Meshkov, co-founder and CTO of AdGuard, a company that makes ad-blocking apps and extensions.
Since Meshkov's post was published, the dubious extensions have been removed, a Google spokesperson told The Register. Asked whether Google cared to say anything about persistent CWS complaints, Google's spokesperson did not respond further.
According to Meshkov, it took three weeks and a public blog post to get Google to take action.
It has been thus since the Chrome Web Store debuted in 2010. Literally every year since then there has been at least one Chrome Web Store security initiative. None of them has halted the abuse.
Google's latest gambit involves redesigning the Chrome Extensions APIs, an initiative known as Manifest v3 that aims to limit potential abuse and require more explicit permission to access sensitive data. But in making extensions less dangerous, Manifest v3 makes them less capable too, a prospect that some developers of content blocking and privacy extensions worry will hamstring their code.
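As an added illustration of the Manifest v3 point above (this is not code from AdGuard, Google or The Register), here is a small Python triage check that reads an extension manifest and flags the capabilities the article's bad extensions depend on: Manifest v2's blocking webRequest access, broad host access, and the cookies permission combined with broad hosts. The two manifests are constructed samples, not real extensions.

```python
import json
from typing import List

# Constructed sample manifests (not taken from any real extension).
MV2_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Sample Blocker",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking",
                    "cookies", "tabs"],
    "background": {"scripts": ["bg.js"]},
})
MV3_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Blocker",
    "permissions": ["declarativeNetRequest", "storage"],
    "host_permissions": ["https://example.com/*"],
    "background": {"service_worker": "bg.js"},
})

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(raw: str) -> List[str]:
    """Return review findings for a Chrome extension manifest (JSON text)."""
    m = json.loads(raw)
    findings: List[str] = []
    version = m.get("manifest_version")
    perms = set(m.get("permissions", []))
    # MV2 lists host match patterns under "permissions"; MV3 moves them
    # to the separate "host_permissions" key, so collect both.
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in perms if "/" in p or p == "<all_urls>"}
    if version != 3:
        findings.append(f"manifest_version {version}: not Manifest v3")
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
    if "webRequestBlocking" in perms:
        # MV2-only: lets the extension rewrite or redirect every request,
        # which is how a fake blocker injects adverts into search results.
        findings.append("webRequestBlocking: can rewrite every request (MV2-only)")
    if "cookies" in perms and broad:
        # Reading and setting cookies on any site is the capability a
        # cookie-stuffing extension needs to defraud advertisers.
        findings.append("cookies + broad host access: can read/set cookies on any site")
    return findings


if __name__ == "__main__":
    for name, raw in (("MV2 sample", MV2_MANIFEST), ("MV3 sample", MV3_MANIFEST)):
        print(name, audit_manifest(raw) or ["no findings"])
```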
The issue goes beyond technical capabilities that can be misused. Chrome extension developers contend that Google's CWS staff don't do enough policing and fail to respond in a timely manner to developer complaints about copycats and spammers. Last October, developers assembled a list of grievances that included lack of support and technical barriers in the CWS developer interface.
The situation doesn't appear to have improved. In January, Google had to temporarily close the Chrome Web Store to new paid extensions following a massive fraud campaign. In February, Google took down 500 Chrome extensions flagged by an infosec pro.
In April, another 49 got removed for stealing crypto credentials, followed by 11 more in May. Also in April, a developer tried to get Google to do something about the thousands of Chrome extensions that manipulate their installation count to boost their credibility among potential users.
In June, Awake Security flagged 79 malicious Chrome extensions and compared extensions to rootkits in terms of the security risk they pose.
After a decade, there's still work to be done. ®