Chrome Web Store falls to Brazilian whacks

Discussion in 'malware problems & news' started by vasa1, Mar 26, 2012.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    http://www.theregister.co.uk/2012/03/25/chrome_web_store_malware_hijacks_facebook_profiles/
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Never really liked the "web store", always seemed like a big feature creep to me. Just another reason to avoid it.
     
  3. tlu

    tlu Guest

    I thought that Google had started to check new apps uploaded to the web store some time ago. Embarrassing :thumbd:

    EDIT: Kaspersky writes: "Think twice before installing Chrome extensions". I'm tempted to say: "Think twice before installing Chrome as long as Google isn't doing their homework".
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There was a thread sometime ago about whether or not Google has a system in place to verify rogue extensions. I even provided links with evidence that they don't.

    This is just another great example. Unless someone is familiar with the people behind an extension, then one should stay the heck away from any of them, which probably means 99% of them. Pretty insane. o_O

    And, I still do not understand why Google hasn't done anything about this. Why haven't they implemented a system to verify extensions, before uploading them to Chrome Web Store? o_O

    I hope Google starts to have some bad advertising about it, everywhere. Once it starts happening, a change will happen. I like to think that it would.

    But, you're being drastic when you say I'm tempted to say: "Think twice before installing Chrome as long as Google isn't doing their homework"..

    Even Firefox, which I do praise Mozilla's work to prevent rogue extensions, doesn't come without its own issues. Heck, I remember a fight between two very popular extensions, where one of the developers introduced code to prevent the other extension from working. So... not exactly malware, but nonetheless an extension that went rogue.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't think it's drastic to feel uncertain about installing Chrome. This is a company constantly getting its own self in trouble, and they themselves make it hard to trust anything Google. You're right about Firefox extensions having issues, extensions there have a bit too much power, imo. However, at least the majority of them (if not all, maybe excluding the likes of AdBlock and NoScript) go through some kind of vetting process.

    Over in Chrome you get some half-assed "about the developer" thing, which can easily be tainted or outright faked, and very little else. Sometimes you can go by the comments, but who is to say the comments aren't planted? (the same could be said for Firefox extension comments as well).
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As discussed before the only time extensions are checked is when they load up binaries. This obviously is not enough. Malware can work within the sandbox - we see this with Android.

    Google will be idiotic about this and not do anything until it's too late. Implementing a "bouncer" after hackers already have started getting money out of it is just going to make them try a bit harder.

    There should have been a bouncer from day one.

    Hopefully they actually do something but I am not confident.

    EDIT:

    Who's saying to feel uncertain about installing Chrome? It's the extension store (Google seems to have an issue policing these) that's got issues.

    Firefox uses a vetting process but I don't think AdBlock or NoScript are vetted anymore because of their reputation. This is why it was possible for NoScript to go rogue that one time.

    They need to implement some strong heuristics to red flag and review malware. They need to do this very very quickly or they'll be playing catch-up for months as they are with Android.

    They say that they've been taking them down as fast as the authors have been putting them up, perhaps this is already in place in some way.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Tlu said it was tempting to say to avoid installing Chrome based on "Google not doing its homework", which I happen to agree with. Whether it's not minding the shop when it comes to extensions, or one of many issues Google is involved in at a given time, it's difficult to place trust in them for many, myself included.

    Chrome is a good browser, Google is not a good company (anymore). Rather silly to use a product from a company that's hard to trust, right? I really wish they'd get their s*** straight, I really do. I'm not confident they will though either. They've had years now to put something in place, knowing extensions were likely attack vectors. Maybe they don't want to admit they aren't perfect, I don't know.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I somehow missed that.

    I agree that it's difficult to use a product from a company you don't trust. At this point I'd be wary to use Chrome based on other things if I weren't confident that it was fine based on packet sniffing and the fact that it is largely open source.

    My friend at Mozilla keeps pushing me to use Firefox though lol and he is convincing. If I hadn't done my homework I likely would have switched already.
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I totally agree with this. I admit I use some Google services as it's difficult not to, but their apathetic approach to security with extensions & some other Google issues quite frankly scare me.

    Chrome is relatively stable, safe & more or less bug free. As for Google, isn't their new motto "Resistance is futile"? :eek:
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, aren't you folks mixing things? One thing is privacy, another thing is security.

    I have doubts you're saying not to trust in Google due to security issues. ;) This thread is about a security issue, in what comes to extensions, considering there's no vetting process.

    I could very well say I don't trust Internet Explorer either; nor Firefox or Opera. Which is why I use Chromium. But, that's not the issue. :D
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Dodgy Google privacy policy issues aside; I was referring primarily to the lax security at the Chrome Store.

    I will concede that Chrome is the safest browser 'out of the box', which is a good security policy by Google. The slacking at the Chrome Store however could be a portent of things to come from Google. Sometimes companies get too big for their boots.

    I don't trust Opera to work properly. ;)
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm not mixing things at all, my post was in fact referring to its security. Though, honestly, in today's world, privacy and security often go hand in hand. After all, if a company is invading your privacy in the form of tracking and what have you, it is also hampering a part of your security. But I get what you mean, and no, I don't intend to turn this into a Google rant.

    Their general company practices are well known, their intent is well known, so we needn't beat a dead horse. This is about their extension process, and said process frankly sucks.
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    For those who don't know, both Chrome and Chromium are made by Google. It seems necessary to point this out.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, I actually misunderstood your post. Don't know why, but I associated it with privacy. :D

    But yes, they should get their **** together. This isn't funny any longer. Google Chrome Web Store is a weak spot, and they must take care of it once and for all.

    It's actually pretty crazy if you think about it. All a cybercriminal has to do is have a website with some dead video saying the user needs to install Adobe Flash Player. Maybe the user knows he/she shouldn't install programs from non-official sources. But, this website actually says to download Adobe Flash Player from Chrome Web Store - Google's official website for extensions. Maybe they think OK. Maybe Google partnered with the folks behind Flash Player. I'll install it. o_O

    Quite a few security researchers have shown that Chrome Web Store simply has no vetting process to spot these malicious extensions. One has to wonder why Google still hasn't done anything about it. o_O

    Maybe it isn't getting that bad publicity about it? That would be a strong bet... Maybe this needs to change. :D
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And your point is? o_O I suppose I should have put the :rolleyes: emoticon in my previous post... Then again, and I don't know if this reply was meant for me, I did not say I don't trust Google. lol
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    This is an unsubstantiated claim. But it is fashionable and emotive and is being exploited.
     
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It's not unsubstantiated that Google tracks people. Tracking is a privacy issue. Ipso facto privacy is also a security issue.
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    My point is exactly that: even in the Ubuntu forums, I've seen anti-Chrome rants and suggestions to use Chromium instead without any recognition or admission that both browsers are made by the same entity.

    Whether to trust something or the other is certainly not a decision to be based on ambient noise.
     
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Ipso facto and semiotics and irony don't really cut it.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Then, I'll have to ask again: What's your point?

    You came up with For those who don't know, both Chrome and Chromium are made by Google. It seems necessary to point this out.

    Apparently, as a reply to one of my posts. Although, nowhere in that same post I made mentions to Google Chrome. Which is why I'm asking: What's your point?
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Err, hate to derail this..but where are you getting unsubstantiated from? There's plenty of proof for Google tracking, and, if you're trying to argue that privacy is not related to security, well, I don't see how you can come up with that either.
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Neither do immature ad hominem pointless retorts, apparently. :rolleyes:
     
    Last edited: Mar 26, 2012
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
  24. tlu

    tlu Guest

    Well, it's a thorough vetting process - see here.
     
  25. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    @vasa1: Thanks for pointing out that both Chrome & Chromium are developed by Google. In so many articles, blogs, posts I have seen authors recommending to chuck Chrome and embrace Chromium as it is open source and does not contain "proprietary Google code".

    What is unsubstantiated that you are referring to? Google's tracking or privacy and security often going hand in hand?
     