Ugh, the #chrome #extension ecosystem is exactly as bad as I'd expect.
And the fact the extension is still up claiming not to collect any data, even after it has been called out in one of the biggest security newsletters, shows how much Google cares about this (not much). The only thing they care about is pretending to ship AI features to detect malicious extensions. Because that's how you get promoted.
I mean, is it even possible to report a suspicious or bad extension? I don't see anywhere.
Great research by @WPalant and @c0m4r
And @campuscodi for putting the spotlight on it.
Posted by gnyman@infosec.exchange
@gnyman Well, @campuscodi could still have read a little bit beyond the first paragraph 😅. It’s actually about twelve extensions, one of them being Karma shopping assistant which is quite officially being developed by a large company.
Definitely agree with the rest. The way to report suspicious extensions is very obscure, took me a while (and an insider) to find it. They’ve acknowledged my report but nothing else seems to have happened so far.
Posted by WPalant@infosec.exchange
@gnyman @WPalant @c0m4r @campuscodi It's utterly ridiculous that Google allows seamless transfer of ownership of extensions. Any change in ownership should put a halt on further automatic updates, give users a perpetual option to reinstall the pre-transfer version, and require opt-in to switch to the new one. Developers publishing extensions should be made aware that any attempt to evade these rules (e.g. by transferring the whole owning Google account) will be treated as criminal malware.
Posted by dalias@hachyderm.io
@gnyman @WPalant @c0m4r @campuscodi I can almost guarantee what the root cause here is:
While it's utterly obvious to us as users that transfer of ownership is a malicious event, it's completely normal and expected to someone with VC brainworms. This is their fairytale ending. Making a system that precludes it is unthinkable to them.
Posted by dalias@hachyderm.io
@gnyman @WPalant @c0m4r @campuscodi The worst is that you can block "Shorts" with uBlock Origin rules. No need for a new extension.
Oh wait...
Posted by hub@cosocial.ca
@gnyman @WPalant @c0m4r @campuscodi If you install an extension (in a new profile in this case) and then uninstall it, there's a checkbox for reporting malware. Certainly not the most discoverable setup, and it requires that install.
Posted by david42@mastodon.online
@david42 @gnyman Have you ever heard of an extension being taken down after this? I suspect that it’s the same thing as https://support.google.com/chrome_webstore/answer/7508032?hl=en that various people pointed me to. You flag but you cannot even explain the issue. I don’t know what happens to the reports then, but I’ve never seen this do anything.
Posted by WPalant@infosec.exchange
@WPalant @gnyman I have no idea what happens to the reports or when. I'm sure something is done with them, eventually, given how Google operates internally.
Posted by david42@mastodon.online
@WPalant @gnyman That support page describes several other ways to report several kinds of issues. They are probably all better than the checkmark I described. I'm confident Google looks at all the reports, eventually, but may or may not be moved to take action.
Posted by david42@mastodon.online
@gnyman @WPalant @c0m4r @campuscodi There's a "flag concern" link right there in your screenshot. What does that do?
Posted by ketumbra@infosec.exchange
@ketumbra @gnyman From my experience: nothing whatsoever. Maybe if a few thousand users click it Google will take a look. Not sure what kind of look however given that they won’t know what people are complaining about, because the only halfway matching choice offered is “felt suspicious.”
Posted by WPalant@infosec.exchange