This is scary. Because even at the time of install, after carefully reading all reviews, and inspecting the network tab everything looks okay. It’s only weeks/months later that the malicious code gets remotely loaded and executed.
Google needs to take a hard look at their Chrome Extension Store.
I just checked, there doesn’t seem to be an official way to stop Chrome extensions from auto-updating. This is madness.
Meanwhile, in Firefox, you can just click the checkbox to disable automatic updates in the add-ons manager (either globally or for a particular add-on).
They also seem to have a pretty decent review process for add-ons; I don’t know whether they’d catch malicious updates, but when I submitted my add-on, I got actual technical feedback about the code (like a suggestion to replace innerHTML with textContent on a particular line).
With how great Firefox Quantum is these days, maybe it’s time to consider switching?
A power user can always download the extension’s source code and install it separately in developer mode. Since that counts as a different “extension” than the one offered in the store, it won’t automatically update.
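The developer-mode install described above sidesteps auto-update, but it also means nobody else is watching the files for you. The following is an added example (not code from this thread or from any browser vendor) of a small baseline-and-diff check for an unpacked extension directory: it records the manifest version, the declared permissions, whether an update_url is present, and a SHA-256 per file, and later reports what changed. The sample extension it builds in a temporary directory is constructed for the demo, and the update URL in it is a placeholder.

```python
"""Baseline-and-diff check for an unpacked (developer-mode) browser extension.

Added example, not code from the thread. It records a baseline of an extension
directory (manifest version, permissions, per-file SHA-256) and later reports
what changed, so a silent change (new files, new permissions, an update_url
appearing in the manifest) does not go unnoticed.
"""
import hashlib
import json
import os
import tempfile

IGNORED_DIRS = {"_metadata"}  # browser-written bookkeeping, not extension code


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def baseline(root):
    """Snapshot the facts worth comparing between two states of the extension."""
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return {
        "version": manifest.get("version"),
        "update_url": manifest.get("update_url"),
        "permissions": sorted(manifest.get("permissions", [])
                              + manifest.get("host_permissions", [])),
        "files": hash_tree(root),
    }


def diff(old, new):
    """Return a list of human-readable findings; an empty list means unchanged."""
    findings = []
    if old["version"] != new["version"]:
        findings.append(f"version {old['version']} -> {new['version']}")
    if new["update_url"] and not old["update_url"]:
        findings.append(f"update_url added: {new['update_url']}")
    for p in sorted(set(new["permissions"]) - set(old["permissions"])):
        findings.append(f"permission added: {p}")
    for path in sorted(set(new["files"]) - set(old["files"])):
        findings.append(f"file added: {path}")
    for path in sorted(set(old["files"]) - set(new["files"])):
        findings.append(f"file removed: {path}")
    for path in sorted(set(old["files"]) & set(new["files"])):
        if old["files"][path] != new["files"][path]:
            findings.append(f"file modified: {path}")
    return findings


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Constructed sample: a benign extension, then a silently changed copy."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "manifest.json", json.dumps({
            "manifest_version": 3, "name": "Demo", "version": "1.0",
            "permissions": ["storage"],
            "background": {"service_worker": "background.js"}}))
        _write(root, "background.js", "console.log('hello');\n")
        before = baseline(root)

        # Simulate the kind of change the thread worries about (constructed data;
        # the update_url is a placeholder, not a real endpoint).
        _write(root, "manifest.json", json.dumps({
            "manifest_version": 3, "name": "Demo", "version": "1.1",
            "permissions": ["storage", "webRequest"],
            "host_permissions": ["<all_urls>"],
            "update_url": "https://example.invalid/updates.xml",
            "background": {"service_worker": "background.js"}}))
        _write(root, "background.js", "fetch('https://example.invalid/x');\n")
        _write(root, "lib/extra.js", "// new file\n")
        after = baseline(root)
        return diff(before, after)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice you would run baseline() once right after installing from source, store the result as JSON, and rerun diff() periodically or before each browser start; a non-empty result is the signal to read the changed files before trusting the extension again. File hashes will not catch code that the extension fetches at runtime, which is why the check also flags new permissions and host_permissions, since those are what remotely loaded code needs to do damage.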
I’m probably in the minority here, but I think automatic updates as a default is a good idea. Ideally there would be a way to turn this off, but defaulting to automatic updates is better than defaulting to manual updates. The vast majority of updates fix real bugs and the vast majority of users won’t update manually.
I also think automatic updates as a default is a good idea. What I find odd is that you can’t disable auto-update on a per extension basis. That way I can only authorize official extensions to auto-update and then decide for every other extension. It would definitely reduce the risk of a popular extension being bought and re-uploaded with malicious behavior.
Once I used some extension that scrobbled track plays from various streaming services to last.fm. It had lots of users and was not malicious, but after one of its updates it started to inject shady ads into all pages. This extension was banned from the Chrome store a few days after that. It seems that it’s not an uncommon pattern of monetization there.
I wonder why this style of trojaning is common only in the Chrome Web Store. Almost everything auto-updates now (and only a few software distribution services premoderate each version).