Chrome spammers duped users, developers -- and Google too

Loopholes in Chrome's add-on technology allowed spammers to get past several security checkpoints -- including Google's

Google Chrome's culture of extensions and add-ons is a big part of the browser's appeal, even though some add-ons turn out to be either not worth the trouble or actively malicious.

Now Chrome add-on users face another complication: What happens when an add-on they've used and trusted for a long time is bought out by a third party and used to deliver adware or other unwanted annoyances. What's worse, there's no easy technological solution for this issue.

Two such add-ons, Add to Feedly and Tweet This Page, fall into this category of having been bought out and turned into adware delivery systems. In both cases, the authors of the add-ons sold them to another developer; in the case of Tweet This Page, the developer sold the code despite it being an open source project that anyone could pick up on and improve freely. Both extensions have since been removed from the Chrome Web Store.

Part of the problem is that an extension, once installed in Chrome and given the needed permissions, can update itself without interaction from the user. There's no real mechanism on Google's side to force the user to reverify the plug-in if it changes ownership. One possible way to prevent this would be to require any Chrome add-ons that change ownership to be registered as entirely new add-ons that users have to install separately.

Another problem is that the kinds of trouble these add-ons cause -- like spying on user behavior -- aren't always immediately discernible. Chrome does proactively block obviously malicious downloads and has blocked silently installed extensions since version 24. But a plug-in that surreptitiously monetizes user behavior or swipes information directly from a visited Web page might not be detected. It's also unclear if third-party add-ons designed to detect such behavior within a Web page, such as Ghostery, can detect them from within another Chrome add-on.

The real culprits, though, are the companies that exploit the trust of the user base after buying add-ons. In theory this goes against the current terms of service for the Chrome Web Store; the "Impersonation or Deceptive Behavior" clause seems to cover this. Also, Google has made it clear that extensions "must have a single purpose that is narrow and easy to understand," both to limit the shoehorning of unasked-for functionality into a single add-on and to keep Chrome itself from looking overcrowded.

But while Google moved fast this time to get rid of the offending plug-ins, it's important that it come up with a proactive solution for the long run, one that keeps add-ons and their makers honest. An add-on that aggressively monetizes user data doesn't need to be in the wild for long to be a success; the average phishing site, for instance, doesn't stay up for more than a day, but can still rack up an impressive amount of traffic in that short time.

Browser extensions and add-ons have long been as much a source of trouble as a convenience, and Google has been making a point of revisiting how they work in Chrome. In September 2013, Google moved to discontinue the use of the old Netscape Plug-in API (NPAPI) plug-in architecture, in large part because its "'90s-era architecture" (as Google described it) is a source of instability and security issues. Most such plug-ins are either now eclipsed natively by Chrome, like the built-in Flash player, or are technologies whose future is in question anyway, such as Microsoft Silverlight.

This story, "Chrome spammers duped users, developers -- and Google too," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!