Proving once again that Google Chrome extensions are the Achilles heel of what’s arguably the Internet’s most secure browser, a researcher has documented a malicious add-on that tricks users into installing it and then is all but impossible for most to manually uninstall. It was available for download on Google servers until Wednesday, 19 days after it was privately reported to Google security officials, a researcher said.
Arntz said he found a Firefox extension that also resisted user attempts to uninstall it, but the block was relatively easy to bypass. The researcher has yet to find any indication the add-on was available in the Firefox Extensions store.
Malwarebytes’ finding comes a few days after a separate security firm uncovered four malicious extensions with more than 500,000 total downloads from the Google Chrome Web Store. The extensions found by ICEBRG were used in a click fraud scheme, but company researchers said the add-ons just as easily could have been used to do more nefarious things. Google removed the extensions after ICEBRG privately reported them.
On Thursday, Ars e-mailed Google officials with the following questions:
- Is all of this information [from Malwarebytes] correct?
- If it is, why did it take Google 19 days to remove the extension from the Chrome Store?
- Is Google notifying users who installed the extension or providing assistance in uninstalling it?
- Do Google developers have plans to redesign Chrome to make it easier to remove malicious or abusive extensions?
- What is Google doing to prevent malicious or abusive extensions from winding up in the Chrome Store?
A Google spokeswoman responded that the company would try to send a statement but she couldn’t guarantee it would be on the record. Company officials almost exclusively communicate with reporters on background, a condition that prevents officials from being named or quoted. At the time this post was going live, Google had yet to provide answers, on the record or otherwise.
But wait … there’s more
A half hour before this post was to go live, James Oppenheim, an editor of a review site for children’s games, emailed to report yet another malicious extension that remained in the Chrome Store, despite his attempts to get it removed. Oppenheim’s e-mail, which Ars got permission to publish, reads:
I’m writing to you with a follow up to your piece about chrome extensions. I cover family tech for my site JamesGames.com. I appear frequently on SiriusXM and have been a Today Show contributor since the ’90s.
Eleven days ago I received an offer to buy my extension, Play Red Ball version 4 from a fellow in India named “Ganesh”. Since I haven’t ever written an extension, I thought this was just a spam mailing gone wrong. I didn’t respond.
However, by the third email Ganesh had an insistent tone. It seemed human-generated.
So, I decided to google the extension he thought I had written. Turns out it is a Chrome extension, a game. Interestingly, it is named similarly to a lot of children’s software (the beat I cover). When I clicked on the extension page it shows my site as the official site of the app, and it lists the developer as “James Extensions!” (sic), again with a link to my site.
Though it has a 4 out of 5 rating, there are many comments that the software is malware.
It appears that whoever published it knows enough about what I do reviewing kid’s software to think that my name would help make the malware more trustworthy.
I posted a comment on the extension page and also wrote to Google via the reporting button on the page asking them to take down the app, or at the least, take my site off of it. It’s been a week and I have had no response. I just checked today and it is still there.
The presumably malicious app has 27,781 users according to the extension’s page. Makes me wonder how seriously Google is taking this problem.
I can’t seem to get through to anyone at Google, saw that you’re covering this area. Perhaps you can help and get a story out of it at the same time.
I haven’t responded to Ganesh. I have wondered if when I do if the offer to buy is legit or is just a way to get me to check out the app’s page, see that they are using my name, and then offer to remove it if I pay them. Could be paranoia on my part, but the whole thing is just bizarre. I’m pasting in his email below my signature.
Here’s a sampling of recent comments left by people who downloaded the game from the Chrome store:
In Google’s defense, Chrome is by most accounts the Internet’s most widely used browser, making it also the one most tempting to target. What’s more, the number of people who wind up installing a malicious Chrome add-on is a tiny sliver of the overall user base.
Still, the message is clear. Chrome may have an industry-leading security sandbox and the quickest security updates among any of the major browsers, but its extensions remain a key weakness. Users, particularly those with less technical expertise or who are especially large targets, should avoid installing extensions unless they provide a true benefit and then only after carefully researching the developer and the title.