Originally published at: https://boingboing.net/2020/06/19/google-removes-106-malicious-c.html
…
Tricky to find a list of the malware extensions. Here’s what I was able to get:
browse-safer
browsing-protector
browsing-safety-checker
bytefence-secure-browsing
convertwordtopdf
doctopdf
easyconvert
easyconvertdefault-search
gofiletopdf
mydocstopdf
pdf2doc
pdf-ninja-converter
pdf-opener
quicklogin
quickmail
search-by-convertfilenow
search-by-convertpdfpro
search-manager
secured-search-extension
secure-web-searching
securify-for-chrome
thedocpdfconverter
theeasywaypro
thesecuredweb-protected-b
ttab
viewpdf
Sources: https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/; https://awakesecurity.com/wp-content/uploads/2020/06/GalComm-Malicious-Chrome-Extensions-in-store-extensions.txt
A marketplace where everyone can contribute is great, but this seems to suggest the need for tiers of access, where only trusted developers can use libraries that can do these intrusive things. Let anyone make a color picker, but anything sensitive, screen the shit out of them.
The problem with this approach is defining who can be trusted.
In my opinion a marketplace where everything is open-source and verified by the community would be a better idea:
I’d agree wholeheartedly for a more open source ecosystem like Mozilla, but for a corporate behemoth like Google/Chrome, community verification will always be somewhat hamstrung and just feels like they’d use it to avoid liability.
Honestly, it’s ok with me if author verification is slow and errs on the side of caution. I mean, how many browser extensions accessing sensitive capabilities do we need? A browser should be dead simple IMHO.
I’ve worked on enough Open Source projects to know just how well community verification works.