Google Needs to Moderate Chrome Extension Gallery
If you are a Google Chrome user and have installed extensions from the Chrome Web Store, you need to know one important thing: the extensions available in the official gallery are not as safe as you think. Google does not check these extensions for possible malicious behaviour. This means that a Chrome extension may track your browsing habits, send data to a remote server, manipulate the contents of a web page, and so on, without your consent.
The most unfortunate thing is that the Chrome team has no intention of implementing an approval process for the items available in the Web Store. I raised this issue earlier, but then the Chrome team said, “We’ve purposely avoided having a pre-review process for the extensions gallery / Chrome Web Store.”
Thankfully, Mozilla is much more careful about Firefox users: all add-ons are tested manually before they go public on AMO. It certainly takes a long time to get approved, but this ensures the best and safest user experience. Google should implement a similar approval system for all items available in the Chrome Web Store. After all, it is a critical issue directly related to users’ privacy and safety.
Latest Incident: Awesome Screenshot Extension
SE RoundTable reports on a Chrome extension, "Awesome Screenshot", which manipulates Google’s search results page and inserts Amazon affiliate links without the user’s permission. The extension’s page on the Chrome Web Store does not mention this, nor does the extension inform users after installation. This extension has 12930 user ratings and 422,340 active users, and an overall 5-star rating.

When such a popular extension has this kind of hidden feature, how can you expect other extensions to be safe? Think twice before installing any Chrome extension. :(
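An extension can only rewrite a page such as Google's search results if its manifest.json grants it access to that URL, so that file is the first thing to check before installing. The script below is an added example, not code from this article or from any extension it names: the manifest is constructed sample data, and sampleManifest, matchesPattern and auditAccess are hypothetical names. It reads Manifest V2 style permissions as well as the host_permissions key used by Manifest V3.

```javascript
// Added example. The manifest below is constructed sample data, not the
// real manifest of any extension named on this page.
const sampleManifest = {
  name: "Example Screenshot Tool",
  version: "1.0",
  permissions: ["tabs", "<all_urls>"],            // Manifest V2 style
  content_scripts: [
    { matches: ["http://*/*", "https://*/*"], js: ["capture.js"] },
    { matches: ["*://*.example.org/gallery/*"], js: ["gallery.js"] }
  ]
};

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Chrome match patterns: "<all_urls>" or <scheme>://<host><path>,
// where "*" is a wildcard in each part.
function matchesPattern(pattern, urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return ["http", "https", "file", "ftp"].includes(scheme);
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;                           // API permission such as "tabs"
  const [, pScheme, pHost, pPath] = m;
  if (pScheme === "*" ? !/^https?$/.test(scheme) : pScheme !== scheme) return false;
  const host = url.hostname;
  const hostOk = pHost === "*" || pHost === host ||
    (pHost.startsWith("*.") && (host === pHost.slice(2) || host.endsWith(pHost.slice(1))));
  if (!hostOk) return false;
  const pathRe = new RegExp("^" + pPath.split("*").map(escapeRe).join(".*") + "$");
  return pathRe.test(url.pathname + url.search);
}

// List every manifest entry that lets the extension read or modify `url`.
function auditAccess(manifest, url) {
  const findings = [];
  const hostPerms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of hostPerms)
    if (matchesPattern(p, url)) findings.push({ kind: "host_permission", pattern: p });
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || [])
      if (matchesPattern(p, url)) findings.push({ kind: "content_script", pattern: p, js: cs.js || [] });
  return findings;
}

console.log(auditAccess(sampleManifest, "https://www.google.com/search?q=camera"));
```

Any finding for a search results URL means the extension is technically able to alter that page, whatever its description says it does.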
Review the permissions, that is it.
I don’t see this as a problem.
It’s only a problem if you start randomly installing things that have no peer review whatsoever.
I don’t know, I come from the time when there was no safety mat, and if you downloaded something someone else had written and ran it, then people laughed at you when you had to reinstall.
Don’t install random crap. The clue was in the name ‘Awesome’ ….
Good News: Developer of this extension has released a new version and removed his Amazon Affiliate Links.
Read his comment on Chrome Gallery: https://chrome.google.com/webstore/detail/alelhddbbhepgpmgidjdcjakblofbmce
“Hi All, This is Joel, developer of awesome screenshot. I am so sorry to add the amazon search result in google search result page without informing our users first. It’s such a bad decision.
This additional feature was designed to scratch our own itch. Because when I search some shopping items in google, I always want to check them in amazon at the same time.
In the spirit of transparency, we should disclose that this feature does bring a small amount of revenue to us, which enables us to continue to improve this product.
Since so many users don’t like it, we already updated a new version (3.2.1) to remove this feature.”
Serious issue with Chrome.
Hi, This is Joel, the developer of awesome screenshot the article mentioned. First of all, I apologize for what I did for it in the last version a day ago.
I’d like to share with you my intention for this amazon + google search feature.
1) It’s from my need. When I search some shopping items from google, I always want to check them in amazon also.
2) It can help us make a small amount of money.
3) I provide an option to disable it.
However, I did it in a wrong way. I should have done it like this: 1) Disable it by default. 2) Ask user’s permission to enable it. 3) Tell users why we add it.
I did it wrong but still respect users. This feature exists only one day and I removed it in the new version(3.2.1).
Wow! That’s a good find. And a screen shot app inserting code to manipulate search results and insert their affiliate link is plain stupid and unacceptable!! And them correcting it now should not matter. They had no right to do this in the first place!
It’s great that the developer Joel has released an update to correct this “mistake”? It just strikes me as odd that a Chrome extensions developer would decide that his own personal preference for Amazon shopping results would best be served by including them in an extension for capturing screenshots. I guess when I think of something “scratching our own itch” my first thought isn’t adding that functionality to a completely unrelated extension to be downloaded by thousands of people unbeknownst to them. Who knows. Maybe I’m just old fashioned.
Yeah, and Wikipedia should make every edit go through an approval process before it’s allowed too huh…
Maybe we need an extension which alerts you when an installed extension has been reported by users as “misbehaving”…
Well, Google can implement practice of pulling out extension updates from public repositories such as github or google code and mark extensions that do not make their code available to public as suspicious. I’m sure that everything _IS_ checked with automated tools, but everything that uses, for instance, NPAPI, should be checked manually.
Think twice before using Chrome! :P
was playing around chrome extensions and apps. Apparently chrome apps have access to browser actions, even offline etc.
Also, for featuring extensions/apps in chrome web store, developers have to pay some fee. $5 something.
I think this type of problems could be avoided simply by review process.
For example, look at the iTunes store, QA does matter.
Also, Hi Joel, How does one *knowingly* make such a mistake? Anyways, good luck.
That’s basically adware. It looks like the spy/adware scanners will need to add your Chrome extensions to the list of things to scan.
Thanks for this valuable information. Chrome needs to improve. Firefox is the best!
Either the Google team or the developer himself removed this extension from the web store gallery. I am getting this error:
An error occurred:
Item not found. This item may have been removed by its author.
equally harmful for Chrome OS users. Google please fix this issue as soon as possible.
Ed: It’s a common mistake, usually called the “Golden Rule”
When determining how to treat other people, a simple, but frequently incorrect heuristic is to assume they have the same preferences as you and then treat them as you would like to be treated. This works in broad strokes, but fails on both minor details like this. It also can fail pretty spectacularly when dealing with other cultures or when you have some quirk that you didn’t realize.
For what it’s worth, I happen to share Joel’s preferences, so this probably isn’t a spectacular failure.
You mentioned about extensions stealing your browsing data, but you only showed us a case that inserts affiliate advertisements instead.
Made me think.
I think Joel’s main motive was to make some money, let’s just be honest.
Personally, I hope Joel was banned from the Chrome Web Store and Amazon affiliation. There is absolutely no way he added that functionality without first thinking that it was wrong. Every time he looked at “Awesome Screenshot” he probably thought, “with my secret money-making features.”
Bojan, sid, get real. Chrome is fine. Stop expecting your hand to be held, constantly.
Who installs a screenshot extension into a browser, anyway?
First…
“…this feature does bring small amount of revenue to us…”
With over 420,000 active users, that’s way more than a “small amount of revenue.” I’ve built similar stuff with Amazon affiliate marketing and with a user base of 30,000 it was bringing in nearly $2,000 a month. And depending on where that developer lives, he could be extremely wealthy now.
Second…
The developer’s “own itch” argument is a straw man. If the developer wants to check Amazon pricing and builds that into the plugin for checking prices, why is his affiliate code embedded in the links? Amazon does not allow affiliates to use their own affiliate code when purchasing products, so the developer is violating Amazon’s terms of service. And the problem outlined in this article is not having Amazon products in the search results, but having the affiliate code embedded. Let’s not get off subject and distracted with the developer’s itches.
Third…
I’m in favor of plugins that are somehow “certified” or “approved” by Google as being safe for use. And why not charge the developers for the approval process? I’d pay to have my plugins approved, and to get some kind of badge that indicates approval. I’d also like to submit non-approved plugins that cost me nothing and people can use at their own risk…with adequate warning of such.
“This additional features was designed to scratch our own itch. Because when I search some shopping items in google, I always want to check them in amazon at the same time.”
This is a clear lie because Amazon TOS states that you are not allowed to click your own affiliate links. Clearly the only itch being scratched is the dev’s need to make money by hijacking Google, because they aren’t clicking these links themselves; not to mention that Amazon links for products tend to show up fairly high in most searches without the need for calamine lotion.
I’m behind Google on this one. I fundamentally dislike this corporate-big-brother mentality for deciding what is worthy of the App store, not to mention the long delays that approach introduces to the App release process. The emphasis should be on providing us users with the information we need to know that apps are safe, but not on controlling this. Peer review is the best defense. Certification labels are one element of that. It is fine if Google decides to offer a Certification program, but they don’t have to be the, or the only, certification body — there is room here for other organizations to provide those services also. Google might consider a mechanism to support “certification bodies” and their rankings in their Gallery.
Although I fundamentally disagree with the article’s main premise that we need these corporations to decide what is best for us, exposing such rogue apps as “Awesome Screenshots” is a great service. Thank you for that. As we can see from Sid and Joel’s responses, the public exposure led to the resolution of that particular problem. This is a good illustration of the effectiveness of peer review for this problem.
It’s just like posting apps on the Android Market, what’s new.. :D
Google Chrome extensions are open source, people. Right-click an extension’s icon, select “Inspect Popup,” and then take advantage of Chrome’s element inspection tool to look at the code. See something crazy? Delete the extension. Simple as that.
I am so shocked that someone would give away their extension and want to monetize it! Gasp! I cannot believe that.
“Maybe we need an extension which alerts you when an installed extension has been reported by users as “misbehaving”…”
great idea.
# This is a big disappointment for me as a Chrome user. How can I trust an unknown developer and his extensions? I’m surprised. Google has lots of money, it can buy big brands like Motorola but can’t hire a team to monitor extensions.
Google should take our safety seriously. Don’t be evil Goog
# I guess the Mozilla has advantage here. It has a vast community of volunteers who offer their service to check all firefox extensions.
# Imagine the worst: I trust an extension developer and install his extension from Chrome web store. Developer’s account gets hacked and the hacker adds malicious code to the extension’s file and releases it as a new update.
Google Chrome automatically updates extensions – and thus all users got affected. This is so panic.
# I have uninstalled all extensions except those created by Google itself.
https://chrome.google.com/webstore?category=ext%2F15-by-google
# Thanks TechRaga for your informative post.
I am very sad.
I use Firefox as my main browser since FF 1.0. After Chrome was born and showed the speed advantage etc. I was using both but my main browser remained FF for all my serious and security works. Since I was facing crashes in FF in opening random sites, I was planning to shift entirely to Chrome which never crashed on these sites.
But, but …. as I use many indispensable extension in FF, I think it is better to be safe than sorry. As a developer I feel bad that Joel’s greed overcame his ethic. He should have released the ext with shareware tag and mention that the freeware will have the ad inserted. This is the way a developer should earn his livelihood and not by cheating. It just gave a very bad reputation to Chrome at the end.
Thank you Arpit. Firefox will remain my main browser.
Regards,
Anand
Mozilla code reviews don’t solve the problem. Try to search this on your favorite search engine: firefox extension vulnerabilities
Hmm, I guess it is time to remove Chrome, until such time that they decide to start moderating extensions.
For browsing experience Chrome is the best. But Firefox beats Chrome and IE in overall performance. Especially at Add-Ons.
I think Chrome needs to sort this issue asap. This was such a popular extension that there is a need to spread awareness about it.
The Awesome Screenshot extension is again available in the Chrome extension store gallery. What a shame for Chrome itself. They should remove and block its publisher.
There is a middle road here — CREATE A “SECURITY REVIEW” class for Chrome’s extension store, much like an “Editor’s Choice” award, that can be applied to extensions that meet certain Good Housekeeping criteria. Reviewers would be either in-house or Google approved (modicum chain-of-trust). This keeps the store fast, but allows for people to wait for “Approved” seal if they want to be safer.
Joel is back to his old tricks.
The latest version inserts more advertising malware.
It injects javascript that inserts links to a shopping directory from various sites.
“Joel is back to his old tricks.”
Idiot. If you don’t like it, don’t use his app.
Sometimes we all have to make sacrifices…
Maybe you should also consider the fact that Joel like you is a human being, and this just happens to be the best way for him to monetize his app and generate revenue for him and his family.
Ever considered that the more money people can generate the more money indirectly goes into your taxes. This fact extends internationally. Regardless of where Joel lives, this anti money making sentiment is ridiculous. If you hate the fact that he is trying to make money, why haven’t you become Mother Theresa?