Protecting Chrome users from malicious extensions

Discussion in 'other software & services' started by pegas, May 28, 2014.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sure, and nobody would point it out.
    More likely possibility, but still escapism.

    Absolutely lacking counterpoints. And people say I'm a Google fanboy.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    You should always avoid installing extensions unless really compelled to do so for some reason!
    My only extension active is HTTP Switchboard.
    If some extension is really needed and not found on Chrome "shop", stay away. Stay away also from many there.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Right, I forgot you were ignoring me. Sorry, but I cannot simply avoid the topic just because you're here.

    Staying away is far too much generalizing to be accurate. It's the wrong mentality to trust only the official source (though you're right to only do so to an extent), while treating everywhere else as malicious.

    Let me give you an example: X-Notifier, a relatively popular and essential extension that was kicked out of the Chrome store for no apparent reason. I just got a Chromebook, but syncing data doesn't install that extension. Where else would I find it other than the developer's own site?
     
  6. gorhill

    gorhill Guest

    Last edited by a moderator: May 31, 2014
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  8. gorhill

    gorhill Guest

    There is a library related to wips.com which is hooked onto chrome.webRequest.onErrorOccurred() for main_frame for <all_urls>. The code fails before I can trace far enough, as the `client_id` is not set on my side (maybe because of Linux or Chromium). But I can see there is some kind of information sent to wips.com. Errors on main_frame requests can occur when someone blocks sub_frame (like for ads, although redirecting to a blank doc prevents an error from being fired). I would need to investigate further to find out, but I am not that interested.
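Added example, not part of gorhill's post or of any extension discussed in the thread: a small Node.js static check that flags the pattern described above, an extension that holds `webRequest` plus a broad host pattern and registers a `chrome.webRequest` listener over `<all_urls>`. The manifest, file names and the `report` helper are constructed for illustration.

```javascript
// Static audit of an unpacked extension for broad webRequest hooks.
// Sample manifest and script below are constructed, not from a real extension.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const WEBREQUEST_EVENTS = ['onBeforeRequest', 'onBeforeSendHeaders', 'onSendHeaders',
  'onHeadersReceived', 'onResponseStarted', 'onCompleted', 'onErrorOccurred'];

function auditExtension(manifest, sources) {
  const findings = [];
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = declared.filter((p) => BROAD.has(p));
  if (declared.includes('webRequest') && broadHosts.length > 0) {
    findings.push({ kind: 'manifest', detail: `webRequest with ${broadHosts.join(', ')}` });
  }
  const listener = new RegExp(
    `chrome\\.webRequest\\.(${WEBREQUEST_EVENTS.join('|')})\\.addListener`, 'g');
  for (const [file, code] of Object.entries(sources)) {
    for (const m of code.matchAll(listener)) {
      // Heuristic: inspect the text right after the call for the filter argument.
      const tail = code.slice(m.index, m.index + 400);
      findings.push({
        kind: 'listener', file, event: m[1],
        broadFilter: [...BROAD].some((p) => tail.includes(p)),
        mainFrame: /main_frame/.test(tail),
      });
    }
  }
  return findings;
}

// Constructed sample input mirroring the hook described in the post.
const sampleManifest = { manifest_version: 2, name: 'Constructed sample',
  permissions: ['webRequest', '<all_urls>', 'storage'] };
const sampleSources = {
  'lib/stats.js': `chrome.webRequest.onErrorOccurred.addListener(function (d) {
      report(d.url, d.error);   // hypothetical reporting helper
    }, { urls: ['<all_urls>'], types: ['main_frame'] });`,
  'popup.js': `document.title = 'ok';`,
};
console.log(JSON.stringify(auditExtension(sampleManifest, sampleSources), null, 2));
```

A hit only shows that the extension can observe every top-level navigation; what the listener sends, and where, still has to be read from the code or watched on the wire.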
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    In light of gorhill's comment I'm open to the idea that you ran into a well-intentioned impediment, but that doesn't mean the mechanisms involved are implemented in the way that is best for security.

    Do you happen to know how/where the detection was done? Does Google have visibility into the sync data proper and block extensions based on that? Does Chrome phone home information about the extensions you are about to install [while syncing] so that Google can respond with an "allow/deny"? Was the detection purely client side with zero information about the extension flowing to Google? One way or another, there should be some way for you to disable Google's restrictions. Even if that means shooting yourself in the foot.
     
    Last edited: Jun 2, 2014
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I'm not sure about the details, but whenever an app/extension is removed from the Chrome store for whatever reason, it cannot be synced to another device and of course yours won't be updated. I presume entire extensions aren't synced, only automatic "download links" to those in the Chrome store. That makes manually installing/updating extensions a hassle without an updater built-in, but Google wants to ban it altogether for "safety" (more like money).
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    What about the methods mentioned at https://support.google.com/chrome/a/answer/188453 ? I'm not in a position to try them and develop first hand knowledge of the ins/outs, but a glimpse suggests there is some possibility of instructing chrome to install/update extensions from a URL of your choosing. Maybe you can configure your Chromes to pull your own crx derivative from a server other than Google's?

    FWIW, I've noticed similar looking functionality in Firefox extensions/manifests. For now, it is easy enough just to drag/drop my extensions onto Firefox when needed. However, I'm getting the itch to try for better isolation from AMO. It is only a matter of time I suspect, if you know what I mean.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sorry, I don't know the ins/outs either or what to add.

    I'm just glad this nonsense wasn't enforced on my computer yet.
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    **** **** stack, it's here. I'm honestly glad I got X-Notifier on Windows before it was removed from the Chrome store. As for the other ones, I can live without them, but it's a serious inconvenience and loss of control.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    So this is yet another example of taking things for granted and not noticing when your freedom is being slowly abolished.
     
  15. Banzi

    Banzi Registered Member

    Joined:
    Oct 21, 2013
    Posts:
    397
    Location:
    Scotland
    Well Chrome disabled 360IS web shield plugin last night for my safety, basically disabled the AV programs browser protection with no way of re-enabling it, the irony is the message said they were disabling it for my safety.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Install, yes, works without problems, not really, but it works more or less. But the most annoying part is the popup, which cannot be disabled.
    They recommend using dev channel, but since I do not use Chrome, I do not have that option and I would not like to use dev version. :doubt:
     


  18. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Fascinating, the way they are trying to spin this. Google appears to have replaced its corporate motto 'don't be evil' by 'just say the others are evil'. A little context analysis:

    Google Chrome
    The rest of the world
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    A little update, it did not really help to stop malicious extensions from appearing in Chrome's Web Store. :rolleyes:

    http://www.computerworld.com/s/article/9250498/Many_Chrome_browser_extensions_do_sneaky_things

     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ TairikuOkami

    Yes, like I said before, extensions are a huge risk, and the consumer should be educated about it. Another option for browser-makers is to put more restrictions on what extensions are able to do, but that would probably break things. :)
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks for the update. Interesting stats. About 0.2% of the 48k are malicious and almost 10% suspicious. I breezed through the PDF document and the suspicious/malicious extension names they listed were ones I never heard of before, nor would ever use, based on what they do. The feeling I get is stick with the highly popular ones, especially ones that have been long-term tenants in the store, and you'll probably be ok.
     