Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Chrome Google IT Technology

Google To Warn of Chrome Extensions From New or Untrusted Developers (therecord.media) 13

Google says it will scan the extensions users install in their Chrome browsers and warn users if they are adding an extension from a new or untrusted developer. From a report: The new extension scanning feature will be part of a Google security feature called Enhanced Safe Browsing, which Google added to Chrome in May last year. Google says trusted developers are those who adhere to the Chrome Web Store Developer Program Policies. "For new developers, it will take at least a few months of respecting these conditions to become trusted," the browser maker said in a blog post today. Currently, Google said that almost 75% of all extensions hosted on the Chrome Web Store were developed by "trusted developers." For the rest, the browser will show an alert like the one below if users had enabled Enhanced Safe Browsing in their Chrome settings page.
This discussion has been archived. No new comments can be posted.

Google To Warn of Chrome Extensions From New or Untrusted Developers

Comments Filter:
  • I want my FREEDOM to have toxic extensions!!

  • by rsilvergun ( 571051 ) on Friday June 04, 2021 @09:54AM (#61453958)
    People have been known to buy extensions for the purpose of installing spyware and adware.
  • by Impy the Impiuos Imp ( 442658 ) on Friday June 04, 2021 @10:05AM (#61453994) Journal

    Have they done a statistical analysis of problematic extensions (and the subset of major security breach problems) vs. "Trusted" status of that developer, had it been applied back then?

    Also, I recall a Paypal scandal where a guy spent a year building up a great reputation as a seller, then introduced an investment for $200k and fled with the all the money.

  • also make an extension that is like a watchdog that monitors all the other extensions for malicious behavior, or build it right into the chrome browser itself
  • by fuzzyfuzzyfungus ( 1223518 ) on Friday June 04, 2021 @10:18AM (#61454044) Journal
    I wouldn't be surprised if, in terms of percentage of extensions that are malicious, the churn of new extensions submitted by randoms throwing stuff at the wall to see what they can slip through is a lot worse than the percentage of extensions that are malicious among longer-established and more popular ones; but, if memory serves, most of the really alarming extension incidents have happened because a formerly benevolent extension changed hands and the new owner added some 'features' which then merrily auto-updated their way through the install base.

    This doesn't seem like an outright bad tool or anything; but it seems like the metric that they should be focusing on is how many people are affected by malicious extensions, rather than how many extensions are malicious. If some random cookie-cutter shovelware is malicious but has 2 users, the developer and his sockpuppet; it barely matters. If one of the top 100, probably even top 1000, go rogue however, that's a ton of affected users.
  • by dackroyd ( 468778 ) on Friday June 04, 2021 @10:21AM (#61454050) Homepage

    I believe this should be pronounced "security model for Chrome extensions is not good enough".

    Telling users to "be careful" is shifting the blame for when bad stuff happens, from the people making software to the people using software.

    • I believe this should be pronounced "security model for Chrome extensions is not good enough".

      Telling users to "be careful" is shifting the blame for when bad stuff happens, from the people making software to the people using software.

      I have to agree. Any new extensions I submit can take up to 1~1.5 weeks to be approved. This is [supposedly] so they can human review the code to make sure it isn't doing anything malicious. But given how many malicious extensions are out there, I have to wonder how much reviewing there actually is. Quite frankly, I've gotten more/better and faster human reviews from firefox extensions than I have google's side. These days (within the last 6 months or so), my updates and new extensions are passing within a

  • The message to any developer of extensions who is "Trusted" is clear: raise your rates for any development work you do - because extensions developed by you will not cause a security warning while those developed by that other guy trying to enter the business will cause you support issues.

  • by Targon ( 17348 ) on Friday June 04, 2021 @10:57AM (#61454182)

    The number of times people will get an add-on/plugin in Chrome where they never got a warning is at 100% or so. I've yet to see anyone who actually got warned about "free maps toolbar" getting installed under Chrome. When ANY extension can get installed without the user being asked to verify the installation, that is a huge security concern.

Keep up the good work! But please don't ask me to help.

Working...