Is it time to dump Google Chrome?
Last week (8/25) an extension for the Google Chrome browser called “Smooth Gestures” was found to contain tracking code that recorded the URL of every single page that you visited (Discussion here). The extension provides mouse gestures in the browser and was extremely popular. Since then, the extension has been removed and the developer has made a public apology. Doesn’t matter, tho. The damage has been done and I won’t be using anything from them again. Still, all’s good, right?
Not So Fast
Two weeks ago, Blogstorm reported that another very popular extension had gone rogue. This time it was “Awesome Screenshot”. This plugin would inject its own Amazon affiliate links into Google’s search results. This was another plugin that I was using and I, too, thought it was odd that links to Amazon products started showing up at the top of Google’s results. I just assumed (as did probably most people) that they had formed a partnership with Google. Nope, the plugin was changing the search results. Even if you disabled the plugin, it was still happening. Uninstall it, the fraudulent results go away. (I wasn’t able to confirm this as the extension was pulled. Chrome may have been just caching the results and injected script.)
Why Laissez-faire Doesn’t Work
_Laissez-faire_ is a French phrase that “describes an environment in which transactions between private parties are free from state intervention, including restrictive regulations, taxes, tariffs and enforced monopolies” (Wikipedia). Taken literally, it means “Let us do”. Applied to an online app store such as Google’s Chrome store (where you get plugins, apps and extensions for Chrome, Plus, et al), it translates into having no technical review process for apps. Google has apparently gone on record as saying that they’ve “purposely avoided having a pre-review process for the extensions gallery / Chrome Web Store.” (source) Without a proper review, there is no way for people to know for certain if the apps and plugins that they are downloading are not malicious. As word of this spreads, you can bet that the number of malicious spying extensions is going to increase sharply.
When I raised this problem last week, some of the responses that I got were jarring. Far too many people said “So they can see my web history… big deal.” Or “I’m not doing anything where I need to worry about my information getting viewed.” I then asked them when was the last time that they bought something on Amazon, used Paypal, or checked their bank account online. I then asked them if they were aware that browser plugins have access to all information that you enter on a webpage. And since the plugin operates within the browser itself, it resides in front of any encryption, so SSL isn’t going to help you here.
Another all-too-common response is that people should just “review the source code for the extension themselves.” This is a ridiculous comment made far too often by software programmers who take their ability (and free time) for granted. It’s a rant for another time but I’ve never heard an auto mechanic (or any other profession for that matter) suggest that people should just “take apart their transmissions” if they think something might be wrong.
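The page-wide access described above is declared in each extension's manifest.json, so it can be checked mechanically without reading the extension's code. The following is an added example, not part of the original post or of any Chrome tooling: a small Python audit that flags manifests requesting access to every site or to visited URLs. The two sample manifests and their names are constructed for illustration.

```python
import json

# Chrome match patterns that cover every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that can expose the URLs a user visits.
URL_APIS = {"tabs", "history", "webNavigation", "webRequest"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    # "permissions" holds hosts and APIs in Manifest V2; V3 adds "host_permissions".
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    perms = [p for p in perms if isinstance(p, str)]
    hosts = sorted(p for p in perms if p in BROAD)
    if hosts:
        findings.append("host access to all sites: " + ", ".join(hosts))
    apis = sorted(p for p in perms if p in URL_APIS)
    if apis:
        findings.append("can observe visited URLs via: " + ", ".join(apis))
    # A content script runs inside the page, after TLS has been decrypted.
    for cs in manifest.get("content_scripts", []):
        broad = sorted(m for m in cs.get("matches", []) if m in BROAD)
        if broad:
            scripts = ", ".join(cs.get("js", []))
            findings.append("script injected into every page: " + scripts)
    return findings

# Constructed sample manifests (hypothetical extensions, not real ones).
SAMPLES = {
    "example-gestures": json.loads("""{
        "name": "Example Gestures", "version": "1.0",
        "permissions": ["tabs", "http://*/*", "https://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["gestures.js"]}]
    }"""),
    "example-single-site": json.loads("""{
        "name": "Example Single Site", "version": "1.0",
        "permissions": ["storage", "https://example.com/*"],
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["site.js"]}]
    }"""),
}

def audit_all(manifests):
    """Audit a {name: manifest} mapping and return {name: findings}."""
    return {name: audit_manifest(m) for name, m in manifests.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", findings or "no broad access requested")
```

A finding here means only that the extension is able to read every page or URL, not that it misuses that access; a mouse-gesture extension legitimately needs a script on every page.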
Back on Track
Anyway, _caveat emptor_ and other Latin phrases aside, Google needs to step up and implement some form of technical review process for the app store. It won’t happen, however, because their incentive to do so is nil. Most people are happy to accept that computers are magic, that developers are wizards, and that the proper default assumption is that everyone is good. Kumbaya and all that. The only way to get a policy to change is by complaining about it. But with a user base of approximately 20% world-wide, that would take millions of people to complain. That simply won’t happen.
That is, until the unexplained charges start showing up on your credit card statement. But, hey, who bothers checking those, right?