from Hacker News

The Karma connection in Chrome Web Store

by supermatou on 10/30/24, 5:23 PM with 43 comments

  • by semenko on 10/30/24, 6:17 PM

    I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn't happened.

    Sensor Tower (https://sensortower.com/) makes a lot of popular extensions, like StayFocusd https://www.stayfocusd.com/. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there's no enforcement or even clear reporting mechanism.

    [1] https://developer.chrome.com/docs/webstore/program-policies/...

    [2] https://robwu.nl/crxviewer/?crx=https%3A%2F%2Fclients2.googl...

    [3] https://developer.chrome.com/docs/webstore/program-policies/...

  • by michaelbuckbee on 10/30/24, 6:32 PM

    There was a question raised but not really answered about "what do these extensions what with all this browsing data?" - while it may be that they're used for direct ad targeting (like real time ad buying against your IP address) it's more likely that they're selling "click stream" data.

    In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it's also custom enterprise reports that are like "how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?"

  • by barumrho on 10/30/24, 7:21 PM

    I've decided that browser extensions are too much of a security/privacy risk. I just stick with 1password extension and an ad blocker extension that uses Safari's Content Blocker API only.

    And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don't do day-to-day browsing there.

  • by tencentshill on 10/30/24, 5:56 PM

    Is there any way to only allow chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.

  • by bborud on 10/30/24, 6:50 PM

    Why is Google not policing this? Liability concerns?

  • by _fw on 10/30/24, 7:28 PM

    I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.

    How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?

    This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?

    Additionally, are we even able to review the source code of extensions if they are not open source?

  • by cxr on 10/30/24, 6:47 PM

    Most people aren't (or at least feel they aren't) able to take a hardline stance about only using free software, but if there's one area of your digital life you should be able to apply it to, it's browser extensions.