Chrome extensions add extra features not built into Chrome, like ad blocking, translations and one-click full-page screenshots.
Just like apps on your phone, extensions request permissions to track what you do, see and share online. But many extensions get far more access than they need and collect data way beyond their intended purpose. And that’s when you’re at risk of identity theft, scams and data harvesting.
How did Google get into this mess?
Google Chrome first introduced browser extensions in 2011. At that point the dominant browser extension ecosystem was Mozilla’s, which had already been around for 12 years. Mozilla’s extensions suffered from a number of issues that Chrome developers noticed: essentially unrestricted extension privileges required very thorough reviews before extensions could be published on the Mozilla Add-ons website. And since these extension reviews largely relied on volunteers, they often took a long time, with publication delays being very frustrating to add-on developers.
Google Chrome was meant to address all these issues. It pioneered sandboxed extensions which allowed limiting extension privileges. And Chrome Web Store focused on automated reviews from the very start, relying on heuristics to detect problematic behavior in extensions, so that manual reviews would only be necessary occasionally and after the extension was already published.
Google’s over-reliance on automated tools caused issues from the very start, and it certainly didn’t get any better with the increased popularity of the browser.
So what we have now is:
1. Automated review tools that malicious actors willing to invest some effort can work around.
2. Lots of extensions with the potential for doing considerable damage, yet little way of telling which ones have good reasons for that and which ones abuse their privileges.
3. Manual reviews being very expensive and unreliable thanks to historical decisions.
4. Massively inflated extension count due to unchecked spam.
Those last two points further trap Google in the “it needs to be automated” mindset. Yet adding more automated layers isn’t going to solve the problem when there are companies that can put a hundred employees on devising new tricks to avoid triggering detection. Yes, hundreds of employees, because malicious extensions make a lot of money and are big business.
What could Google do?
If Google were interested in making Chrome Web Store a safer place, I don’t think there is a way around investing considerable (manual) effort into cleaning it up. Taking down a single extension won’t really hurt the malicious actors; they have hundreds of other extensions in the pipeline.
The Chrome Web Store has a little less than 135,000 extensions. That’s certainly a lot of extensions, but not yet enough to make manual investigations impossible. It would be great if Google were able to function as a reliable curator, but so far Google’s actions have been entirely reactive, typically limited to extensions which have already caused considerable damage.
After all, with a 90% market share, Google Chrome no longer has to compete, having essentially won the browser wars, and Chrome will likely remain the dominant browser of choice for many years to come.
What can we do?
Have you downloaded shopping and price checking extensions from companies you know very little about? How about FREE VPN extensions (remember, nothing is really free)? We have to stop downloading browser extensions unless we know they have been vetted, come from a trusted source and are free from malware and spyware. DON’T simply believe the 5-star reviews or rely on the fact that it shows as a “featured” extension – do your own research. And if you already have multiple extensions in your browser – it’s time to do some house cleaning and remove any questionable ones.
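A practical way to start that house cleaning is to read the manifest of every installed extension and flag the ones that ask for far more access than a single-purpose feature needs. The script below is an added example written for this article, not code from Google or from any extension; it audits the manifest.json files under a Chrome profile’s Extensions folder, handles both Manifest V2 (host patterns inside "permissions") and V3 ("host_permissions"), and is exercised here on two constructed sample manifests rather than real extensions.

```python
import json
from pathlib import Path

# Host patterns that grant access to every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that reach browsing data or page content well beyond a typical feature.
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "history", "tabs",
                   "scripting", "debugger", "clipboardRead", "nativeMessaging"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise the access one extension manifest (MV2 or MV3) asks for."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # A content script matched on every site is equivalent to broad host access.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("runs on every site")
    findings.extend(sorted(perms & SENSITIVE_PERMS))
    # Names like "__MSG_appName__" are localized and left unresolved here.
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "manifest_version": manifest.get("manifest_version"), "findings": findings}


def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one.
    Typical locations: ~/.config/google-chrome/Default/Extensions (Linux),
    ~/Library/Application Support/Google/Chrome/Default/Extensions (macOS),
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (Windows)."""
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            result = audit_manifest(json.load(f))
        result["id"] = manifest_path.parent.parent.name  # the 32-char extension id
        results.append(result)
    return results


# Constructed sample manifests (not real extensions) standing in for two installs.
SAMPLE_MANIFESTS = [
    {"manifest_version": 3, "name": "Coupon Finder (sample)", "version": "1.2",
     "permissions": ["tabs", "cookies", "storage"], "host_permissions": ["<all_urls>"]},
    {"manifest_version": 3, "name": "Page Screenshot (sample)", "version": "0.9",
     "permissions": ["activeTab", "storage"]},
]

if __name__ == "__main__":
    for summary in map(audit_manifest, SAMPLE_MANIFESTS):
        print(f"{summary['name']} {summary['version']}: {summary['findings'] or 'no broad access'}")
```

An empty findings list does not prove an extension is benign, only that it has not asked for broad access; an extension with "runs on every site" plus "cookies" or "webRequest" deserves the research the paragraph above calls for.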
There’s a new breed of extensions that Kim Komando has suggested we all delete immediately. Here’s a link to her article.
From Kim Komando – New intrusive extensions that you need to be aware of: https://ckarchive.com/b/gkunh5hlloxm4tzodd9oku8gom999tm
We'll send David's weekly Tech Talk to your inbox - including the MP3 of the actual radio spot. You'll never miss a valuable tip again!