Chrome has a massive copycat extensions problem
You have probably read about the fake Adblock Plus extension that 37000 Chrome users installed before it was removed by Google after it was reported to the company.
The verification system of the Chrome Web Store is automated which means that any extension that passes automatic validation will be published in the store. Google won't do anything about it unless it is reported by users, developers, or security researchers.
There have been plenty of incidents in the past in which Chrome extensions were used to inject ads, were hijacked and then updated and misused, or ran crypto mining operations.
We talked about precautions that users should take before installing Chrome extensions in 2014, how to verify extensions for Chrome, and about the Chrome fake application problem in 2015.
Nothing has changed on Google's side of things. Chrome extension submissions are still vetted automatically only, and incidents like the recent fake Adblock Plus extension that found its way into the store highlight that the protection can be bypassed. The extension was listed for weeks in the store, and it was used apparently to display aggressive advertising campaigns.
The fake extension hopped on the bandwagon of one of Chrome's most popular extensions, the adblocker Adblock Plus. Adblock Plus has more than 10 million Chrome users according to the Chrome Web Store, and fake extensions that look as if they are the real deal may get a small piece of the pie when they make it into the web store.
Google removed the extension, but the problem is not going away if Google reacts after the fact only.
If you search for ublock right now in the Chrome Web Store for instance, you get a dozen or so extensions returned. While the official uBlock Origin is the first listed extension, you find extensions with names such as uBlock Adblock Plus, uBlock Adblocker Plus, uBlock for YouTube, or uBlock Ultimate Adblocker listed there as well.
Some of these have thousands of user ratings and millions of users. It is unclear if these extensions are fake, or simply hopping on the bandwagon of popular extensions by using similar names.
Raymond Hill, the developer of uBlock Origin, warned in June 2017 about these copies.
Beware: plenty of copies of top blockers popping up in Chrome store w/ (at best) absolutely NO added value. Avoid, stick to the genuine ones
Many of the extensions listed right now when you search for uBlock are copies of the original. They take the open source code of the extension, and create a new extension out of it that usually comes without any added functionality. The worst case is that invasive code is added that shows advertisement, tracks user movement on the Internet, or does other unwanted things.
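The naming pattern described above, copies that reuse the uBlock or Adblock Plus name, lends itself to a simple defender-side screen: treat the extension id, not the title, as the identity, and flag any listing that borrows a well-known brand name without carrying the genuine id. The following Python script is an added example, not code from this article or from any of the extension developers. The listings it screens are constructed for illustration, and the genuine extension ids are placeholders that would be replaced with the ids published on each project's official website.

```python
"""Screen Chrome Web Store search results for copycat listings.

Added example, not part of the article. Listing data is constructed, and the
genuine ids are placeholders: take real ids from the developer's own site,
never from a store search result.
"""
import re
from dataclasses import dataclass

# Brand -> store id of the genuine extension. Placeholder values (assumption).
GENUINE_IDS = {
    "ublock origin": "GENUINE-UBLOCK-ORIGIN-ID-PLACEHOLDER",
    "adblock plus": "GENUINE-ADBLOCK-PLUS-ID-PLACEHOLDER",
}

# Tokens copycats reuse in their titles (from the article's examples),
# mapped to the brand they imitate. Multi-word tokens are matched whole.
BRAND_TOKENS = {
    "ublock": "ublock origin",
    "adblock plus": "adblock plus",
    "adblocker plus": "adblock plus",
}


@dataclass
class Listing:
    name: str     # title shown in the store
    ext_id: str   # 32-character store id in the listing URL
    users: int    # user count shown in the store


def normalize(name):
    """Lowercase, drop punctuation, collapse whitespace: 'uBlock™ Plus!' -> 'ublock plus'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())


def imitated_brands(name):
    """Return the set of brands whose name appears (as whole words) in the title."""
    padded = f" {normalize(name)} "
    return {brand for token, brand in BRAND_TOKENS.items() if f" {token} " in padded}


def classify(listing):
    """'genuine' if the id matches the brand it names, 'copycat-suspect' if it
    borrows a brand name with a different id, 'unrelated' otherwise."""
    brands = imitated_brands(listing.name)
    if not brands:
        return "unrelated"
    if listing.ext_id in {GENUINE_IDS[b] for b in brands}:
        return "genuine"
    return "copycat-suspect"


def suspects(listings):
    """Names of copycat suspects, largest user base first (the ones worth reporting)."""
    flagged = [l for l in listings if classify(l) == "copycat-suspect"]
    return [l.name for l in sorted(flagged, key=lambda l: l.users, reverse=True)]


# Constructed search results modelled on the titles quoted in the article.
SAMPLE_LISTINGS = [
    Listing("uBlock Origin", GENUINE_IDS["ublock origin"], 10_000_000),
    Listing("Adblock Plus", GENUINE_IDS["adblock plus"], 10_000_000),
    Listing("uBlock Adblock Plus", "COPY-ID-1-PLACEHOLDER", 1_200_000),
    Listing("uBlock Adblocker Plus", "COPY-ID-2-PLACEHOLDER", 800_000),
    Listing("uBlock Ultimate Adblocker", "COPY-ID-3-PLACEHOLDER", 300_000),
    Listing("uBlock for YouTube", "COPY-ID-4-PLACEHOLDER", 150_000),
    Listing("Adblock Plus", "FAKE-ABP-ID-PLACEHOLDER", 37_000),  # same title, wrong id
    Listing("Tab Manager", "UNRELATED-ID-PLACEHOLDER", 50_000),
]

if __name__ == "__main__":
    for listing in SAMPLE_LISTINGS:
        print(f"{classify(listing):16} {listing.ext_id:36} {listing.name}")
    print("report first:", suspects(SAMPLE_LISTINGS))
```

The point of keying on the id rather than the title is that the fake Adblock Plus from the article carried an identical title; only its id differed, and that is the one value a copycat cannot copy. The same check is what a user does by hand when following the link from the developer's official website rather than trusting a search result.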
Google announced yesterday that it is aware of the broader situation, and that it looks at ways to handle this better to "improve our protection and keep users safe from malicious Chrome Extensions and Apps".
More broadly, we wanted to acknowledge that we know the issue spans beyond this single app. We can’t go into details publicly about solutions we are currently considering (so as to not expose information that could be used by attackers to evade our abuse fighting methodologies), but we wanted to let the community know that we are working on it.
The company did not reveal how it plans to do that though, nor did it provide a timeline of when users can expect the new or improved system.
Microsoft vets any extension that is developed for the company's Microsoft Edge browser before it is allowed in the Store. Mozilla does manual reviews of extensions as well, but will change the system for WebExtensions so that the reviews happen after the extensions have been submitted to Mozilla AMO, as opposed to before publication.
I noticed this too. Very annoying and confusing for the average user. Blatant stuff like uBlock Adblock Plus pops up for both searches of either uB0 or ABP. Also, why the hell does “uBlock” still exist?
PS: Martin, there’s an e-mail address in your screenshot, upper right of it.
Thank you :)
It’s still there?
Google Play has the same problem. And that’s why I always visit an official website of an add-on/app and there I can find a link to the Chrome Web Store or Google Play. This is the safest way.
What next? Equifax Extensions..
Google has made it impossible to trust offerings on Google sites like the Google Play Store and the Chrome Web Store.
Why Google continues to Not enforce unique app / extension titles is baffling.
Compounding the problem are the masses of Idiot ‘Reviewers’ who don’t mention the developer’s handle and web site, if available.
Same problem with Google Play Store – just a nest of malware. With perfectly decent software sitting outside the arena because of Google marketing priorities. App publishers like Cheetah Software (and quite a few others) still peddling their dubious wares within Play Store (often with suspiciously high feedback scores) even after years of concern.
The upshot being more than just security concerns. There’s little doubt in my mind that Google don’t give a monkeys about the online safety and security of the man in the street – just as long as they can rake in the money and the data.
There is also a company that copycats popular extensions of Firefox and Chrome. They have more than 10 copycat sites including:
They just replace the icons and push the same extensions again and again to Mozilla and Chrome Store. They push malware too in the extensions.
Aren’t these just a web-hosting space for developers to publish their browser extensions? With a quick glance I saw a lot of legit extensions there.
For example: https://add0n.com/stylus.html display a link to https://addons.mozilla.org/en-US/firefox/addon/styl-us/.
Do not make too obvious that you are the owner of the company.
Don’t forget that Google charges developers fees if they want to publish extensions and apps. They should have enough money to make a manual submission system like Apple.
As always, you can reduce your exposure to Chrome extension problems by running the minimum number of them you can tolerate. Collecting them like postage stamps is not a good idea…
> “The company did not reveal how it plans to do that though”
They said “We can’t go into details publicly about solutions we are currently considering (so as to not expose information that could be used by attackers to evade our abuse fighting methodologies)”
Which for me means their plans still rely on algorithms.
There’s nothing wrong with ‘Ads’; they help keep the websites you regularly visit for information up and running, and they pay the running costs, hosting etc.
“The fake extension hoped on the bandwagon…” I think you meant “hopped,” Martin. :)