,
10 tweets,
3 min read
Read on Twitter
Google Targeting Deceptive Install Tactics for Chrome Extensions - by @LawrenceAbrams
bleepingcomputer.com/news/google/go…
bleepingcomputer.com/news/google/go…
While extensions are very helpful, they can also be harmful to users who install them. We have been tracking unwanted and malicious extensions for years and they can be as damaging as regular malware due to our constant use of the web for sensitive transactions. (1/X)
For example, hackers breaking into developer accounts to modify popular extensions so that they steal the private keys for online cryptocurrency wallets and login credentials for popular sites.
bleepingcomputer.com/news/security/…
bleepingcomputer.com/news/security/…
An extension that uses your logged in Gmail account to create free domain names to be used for who knows what.
bleepingcomputer.com/news/security/…
bleepingcomputer.com/news/security/…
Or ones that check if your logged into Facebook so they can grab personal details like your name, address, DOB, gender, and email address.
bleepingcomputer.com/news/security/…
bleepingcomputer.com/news/security/…
We won't even go into the endless amount of search hijackers, page tracking, and in-browser mining extensions that are out there.
To make it harder to install malicious and unwanted extensions, Google banned inline installs of extension from a landing page. Instead developers would need to direct visitors to their Chrome Web Store page for the extension to be installed.
bleepingcomputer.com/news/google/go…
bleepingcomputer.com/news/google/go…
Extension developers quickly bypassed that restriction, by opening small overlay windows that only showed a small portion of the Chrome Web Store page for their extension. This, of course, conveniently makes it hard to see the amount of reviews,
bleepingcomputer.com/news/security/…
bleepingcomputer.com/news/security/…
Google has now updated their policies to state that any developers found distributing extensions using deceptive installation tactics will be warned or have their extension removed.
Developers can then appeal the removal and receive a response within 48 hours.
Offering an appeal process is ridiculous.
If a developer has historically performed deceptive installation practices, they are going to do so again.
Offering an appeal process is ridiculous.
If a developer has historically performed deceptive installation practices, they are going to do so again.
