Developers use a number of ways to breed extensions like a bunch of spam bunnies in Google’s Chrome Web Store, which is the biggest extension catalog online.
For example, sometimes they stuff the store with multiple extensions that do the same thing. Like, say, wallpaper extensions that have different metadata but provide the exact same wallpaper when installed.
Well, those developers can say goodbye to that and a slew of other run-arounds: on Wednesday, Google banned them in a set of new rules for the Chrome Web Store, which it published as a new Chrome Web Store spam policy within its Developer Program Policies.
Here’s an FAQ about the new policy, and here’s the full list of what’s now verboten:
- Repetitive Content: No more copypasta! No more submitting multiple extensions that provide duplicate experiences or function. Besides the wallpaper example is data or format converters listed as multiple extensions – for example, Fahrenheit to Celsius, Celsius to Fahrenheit – that all direct the user to the same multi-format converter web page.
- Keyword Spam: Google’s no longer going to put up with blabby, redundant extensions: specifically, those with “misleading, improperly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension’s description, developer name, title, icon, screenshots, and promotional images.”In other words, don’t stuff the description full of keywords, including brand names. The maximum number you can repeat a keyword is now five. To provide a longer list of brands or websites, developers can provide a link for users or embed the list in one of the extension’s promotional screenshots. No irrelevant information, either: for example, a sports team wallpaper shouldn’t include team stats and history in the extension’s description.Make it clear and well-written, Google said, and leave out unattributed or anonymous user testimonials: they’re no longer allowed in extension descriptions.
- User Ratings, Reviews, and Installs: Developers are forbidden from manipulating their extensions’ placement in the Chrome Web Store by doing things like cooking up bogus downloads, reviews or ratings. That means you can’t review your own baby, and you can’t get reviews from other developers or people affiliated with the publisher.
- Functionality: Extensions now have to have some purpose besides installing or launching another app, theme, webpage, or extension.
- Notification Abuse: Google disallows extensions that bleat out spam, ads, promotions, phishing attempts or other types of unwanted messages.
- Message Spam: The new policy prohibits extensions that send messages on a user’s behalf without the user confirming the content or the recipients.
Beyond annoying, they can be dangerous
This is just the latest attempt to mop up the sprawling Chrome Web Store and the many ratty extensions that lurk in its aisles, some of which are not just spammy – they can also be malicious. For example, a few weeks ago, Google found itself sweeping out a collection of 49 malicious Chrome extensions that MyCrypto researchers had caught pickpocketing crypto wallets.
You can see where those nasty extensions could have inspired Google’s new extension spam policies: for one, some were rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”
As well, one of the extensions – MyEtherWallet – had the kind of repetitive language that Google’s now outlawed. Harry Denley, MyCrypto Director of Security, calls it “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared the same introduction into what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.
Before that, in February, Google abruptly yanked 500 Chrome extensions off its Web Store after researchers discovered they were stealing browsing data, pulling off click fraud and serving up malvertising. The extensions had installed themselves on millions of users’ computers.
At the time, our advice was to not assume that, just because an extension is hosted from an official web store, it’s safe to use.
Our advice:
- Install as few extensions as possible and, despite the above, only from official web stores.
- Check the reviews and feedback from others who’ve installed the extension.
- Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
- Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
John Lord
Suggestion: All the “LISTEN NOW”/”Latest Naked Security podcast” should also provide a transcript link. I have some friends who are deaf. Also, I do not like to waste time listening to a speech of information at 150 wpm when I can read at 900-1200 wpm. Life is short. The 42-minute podcast “S2 Ep36: Rogue Chrome extensions, Signal fears and Darth Vader” transcript would take me 7 minutes or less to read.
Paul Ducklin
To be clear, we don’t record our podcasts to be read – in fact, almost all the stories we discuss are ones that we have already covered in written form. We record our podcasts as an additional medium for people who like to listen to their cybersecurity news as well as reading it.
In other words, the podcasts are created specifically for listening to, not for reading, so we don’t do transcripts. (Podcasts, if written out, make lousy articles anyway, because spoken and written English are essentially two different languages.)
FWIW, back when our weekly podcast was 20 minutes long, our most common request by far was, “Love the podcast but it’s too short – I’m just starting to enjoy it and it ends. Can you make it longer?” And so that is what we did. It’s *supposed* to be 40 minutes of relaxed listening, not 7 minutes of reading, because we’ve already done the work of creating the written versions in a style that’s supposed to be read and not listened to.
HtH.
4caster
I much prefer the written word rather than a video or podcast, for the same reason. I rarely watch or listen to them.
Paul Ducklin
Then you wouldn’t enjoy a transcript of the podcast, because it’s not “the written word”, it’s simply a podcast typed out.
I don’t write my articles to be listened to but to be read; and on the podcast (if I am on I almost always discuss one of my own written articles) I don’t talk as though I were being read but for people to listen.
Transcripts are an *enormous* amount of work. I know, because we tried doing them for a while a few years ago and I was the one who drew the short straw and got that job – it’s interminable! The transcripts would often take me as long as writing a proper article, and all we’d end up with is text that just didn’t read well. We soon gave up when it was clear that people simply didn’t find the transcripts useful at all, because our stats showed than close to zero people ever even looked at them. Either they listened because that was their thing, or they just went looking for our regular written content instead.
If you like reading, then we already have masses of content for you that was created for reading, and we won’t be offended if you never listen to a podcast because you don’t have time. (But they are quite fun – you can cover topics in a very different way when you discuss them as a group that when you write an article on your own.)
DudeSweet
Does Google list Extension permissions in the store BEFORE installing them, yet?