The Chrome Web Store, sadly, is sort of the Wild Wild West when it comes to safety and security. As much as it pains me to say, Google has done a very poor job of policing the shop that houses more than 200,000 extensions and web apps. Multiple times a year, we hear and report on numerous extensions that have been found to hijack user data and are guilty of all sorts of malicious behavior. To make matters worse, recent events have prompted Google to suspend any and all paid extensions that utilize the Web Store’s integrated payment platform. This has affected countless developers who have had their legitimate extensions pulled from the shop because of the wrongdoing of others.
Over the years, Google has taken some steps to clean up the Chrome Web Store. The removal of crypto-mining extensions is one such improvement, but that only takes down a small percentage of malicious culprits. The bigger problem is that many extensions masquerade as innocent shopping tools, productivity boosters or simple entertainment add-ons, but under the hood, users are getting their personal information stolen and compromised. Until third parties do the legwork to find the malicious code, the extensions remain unhindered in the Web Store. Getting these extensions removed or blacklisted sometimes feels like it takes an act of Congress. It really is a shame, and it became even more insulting when the folks behind the Chrome Web Store went so far as to warn Microsoft Edge users that extensions may not be secure when you download them for Microsoft’s new Chromium-based browser. Ouch.
Today, however, I uncovered a new project that might begin to redeem the Chrome Web Store in due time. Currently, the only way to check for malicious extensions is to head to your browser settings, click “more options” and select extensions. If you have any extensions installed that Google has deemed malicious, they will be labeled as such in the extension menu. At that point, you should remove said extension and any related data it may have gathered. This new update, once it is fleshed out, appears to check your installed extensions and warn users if any of them are “blocklisted.” Yes, it is referred to as blocklisted, not blacklisted. I don’t know. Your guess is as good as mine. Initially, I thought this might be a managed account feature, but looking at the code, it appears that it’s being added directly to Chrome right alongside the password checker.
This feature falls under the “Safety Check” process in Chrome that checks passwords and looks for unwanted software. Depending on the user and the particular extension, the output of the Safety Check will vary. If your extensions check out, you might see “You’re protected from potentially harmful extensions.” If you have a harmful extension installed but disabled, you will be prompted with “1 potentially harmful extension is off. You can also remove it.”
If you are on a managed device, your situation could be a little trickier. For example, if you remove an extension but your Admin pushes it back to your device, you will see “Your administrator turned 1 potentially harmful extension back on.” If you do not have permission to add or remove extensions, you’re probably going to have to get with your IT department and have it removed from the Admin Console. All of this could change as the feature is developed but it’s clear that Google is trying to make the best of a bad situation by cleaning up the Web Store.
The bigger problem here is that until an extension or app is blocklisted, there’s no way to know that it is malicious unless you know how to dig into the source code and see what it’s actually doing. This is where Chrome developers should shift their attention in the long term. A complete overhaul and a stricter vetting process for the Chrome Web Store are sorely needed if it is to continue to serve as the go-to for millions of Chrome users. Rant over. Carry on.
Source: Chromium Repository