Google recently purged some 200 extensions from its Chrome Store inventory. Extensions and add-ons let users add functions and features to the Chrome Web browser, but bad extensions can expose users to a greater risk of spyware and malware. A major problem with many browser add-ons is ad injectors.
The clean-up resulted from an extensive search for embedded code that violates Google’s policies, triggered by increasing user complaints.
Google has been studying add-on security risks with a team at the University of California, Berkeley, and will release a full report of its findings on May 1.
“It is not so much the security of the Chrome browser as the security in having an open store for downloading extensions,” noted Martin Zetterlund, founder of ScrapeSentry.
“I am sure Google automatically screens any extension uploaded — but the bad guys will, of course, do their best to trick automatic screening,” he told LinuxInsider.
Tip of the Iceberg
ScrapeSentry this week revealed its discovery of problems with the Chrome extension Webpage Screenshot: The extension could send any information visible on a browser tab, such as the page title, back to an IP address located in the U.S.
“Obviously, they need to put more work into screening of uploads to the Chrome Store if it should be considered a trusted source, as opposed to downloading from random sites on the Internet,” Zetterlund said.
Distributing malware is against the Chrome Web Store’s Content Policies, said Google spokesperson Veronica Navarrete.
“When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances,” she told LinuxInsider.
However, Navarrete declined to answer specific questions about the program purge process, ad injection programs or the Webpage Screenshot extension.
Google removed Webpage Screenshot on Tuesday, Zetterlund said.
A Growing Problem
Ad injectors are code within an extension or add-on that inserts new ads or replaces existing ads on pages the Web browser visits. Google has received more than 100,000 complaints from Chrome users about ad injection in the last three months, according to Google Software Engineer Nav Jagpal.
Injectors are related to unwanted programs. Both are deceptive, hard to remove, and often secretly bundled with other downloads.
It is unclear if ad injectors are able to work within the more rigid architecture of Linux as a function protected by the Web browser’s integration with the operating system. The study refers to browsers tested only on Mac and Windows operating systems.
Google does not ban all uses of ad injectors. People can choose to install injectors that clearly disclose what they do, noted Jagpal.
However, injectors that sneak ads into a browser violate Google’s policies. Google alerts Chrome browser users with red warnings when they attempt to download software that is deceptive or does not use the right API (application programming interface) to interact with the browser.
Ad Injector Study
The problem with Web browser extensions and add-ons is not restricted to the Chrome browser. The UC Berkeley team studied more than 100 million page views of Google sites across Chrome, Firefox and Internet Explorer.
The results were anything but pretty, noted Jagpal. The researchers found ad injectors on browsers running on the Mac and Windows operating systems, but it is unclear if they found them on the Linux OS.
The researchers detected ad injectors in the Chrome, Firefox and IE Web browsers. The study results include these findings:
- More than 5 percent of browsers visiting Google sites have at least one ad injector installed. Half of those browser visits showed at least two injectors installed. Nearly one-third have at least four installed.
- Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.
- There were 192 deceptive Chrome extensions that affected 14 million users.
Google has removed or disabled those deceptive extensions. Google now incorporates the techniques researchers used to catch them to scan all new and updated extensions, noted Jagpal.
Google has several policies in play to limit or entirely prohibit ad injectors. Those policies affect both the Chrome browser and AdWords advertisers with software downloads hosted on their site or linked to from their site.
For example, all Chrome extensions hosted in the Chrome Web Store must comply with the Developer Program Policies. This means that extensions must have a specific understandable purpose.
AdWords advertisers must comply with Google’s Unwanted Software Policy and the DoubleClick Ad Exchange (AdX) Seller Program Guidelines. Both prohibit programs that overlay ad space on a given site without permission of the site owner.