Reports emerged over the past week about adware and malware peddlers buying popular Chrome extensions and turning them into data-collecting or ad-injecting tools. Google removed two of these extensions, but the problem runs deeper.
Here’s the gist of it: four days ago, developer Amit Agarwal talked on his blog about his experience with a Chrome extension that he had recently sold for a four-figure sum. Agarwal developed the simple extension, called Add to Feedly, in less than an hour, so he was happy to receive a nice payout for his work. About a month after he transferred the ownership of the extension, he began to notice one-star reviews from users complaining about the extension injecting ads in the webpages they visited. The buyer had turned Agarwal’s useful app into obnoxious adware.
Amit Agarwal apologized to users for selling the extension, an act that he called “a bad decision”. Following his post, more devs talked about being approached by shady parties to sell their extensions, update them so they deliver adware, or collect and sell user data for good money.
For instance, one of the developers of Honey, a coupon-finding Chrome extension, revealed on Reddit how his team received an offer to sell clickstream information (what each user clicks on each site) to a data collection company for a six-figure sum per month. Honey has more than 700,000 users and a retail focus, making it a prime target for companies that collect and re-sell user data. The Honey team rejected the offer, but it’s safe to assume that other devs gave in to the temptation of a generous payout and allowed their legitimate extensions to turn into adware- and malware-laden honeypots.
Band-Aids, not cures
This weekend, Google removed Add to Feedly from the Chrome store, along with Tweet This Page, another extension that inserted malware in webpages. The company cited the rules it updated in December to prevent extensions from inserting ads in multiple parts of a webpage or in parts where an ad would not normally be displayed. The new rules were scheduled to be enforced in June, but in this case Google moved faster, probably because of the public outcry.
But there are many other shady extensions in the Chrome store, and the worst part is that it’s hard for users to get rid of a misbehaving extension once it’s installed. Most users aren’t even aware that extensions might cause adware attacks, or how to proceed if they suspect an extension is misusing their data. The problem is compounded by Google’s lax approval rules and the fact that extensions update silently. And even if an extension starts out as benign, unscrupulous companies or individuals can purchase it or persuade its owner to turn it into a data-scraping tool.
As Ars Technica’s Ron Amadeo notes, there are some extensions that can help – Francois Beaufort’s Extensions Update Notifier will inform you when your extensions have been updated, while Stop Extensions from Injecting ads is an extension that’s supposed to do precisely what its name says. However, even if these apps work as advertised, they are just Band-Aids, not real cures for the disease.
Chrome’s extensions give users amazing flexibility and power, and Google deserves to be commended for it. The other side of the coin, however, is that this power can be abused with terrible results. As with the Play Store, which is laden with dubious apps, Google needs to act on this problem, and act fast. One solution could be a stricter review process for new extensions and updates, as well as a more transparent process for updating extensions and changing ownership.
Have you ever had any problems with a Chrome extension?