Self-updating apps have become quite popular: most major web browsers (except Apple's Safari) update themselves, and even Windows 8.1 introduced self-updating applications from the store, meaning you never have to deal with actively maintaining your computer - a task best left to the computer itself. That is, until those updates introduce new, undesired features into your overall computing experience.
Enter Chrome extensions - add-ons to the Google Chrome browser that are designed to add specialized functionality without a specialized application. It turns out that, in the case of these extensions, unobtrusive updates might just be a huge problem. As the popularity of these extensions has grown, so has the desire of malware and adware companies to purchase said extensions and add "functionality" such as inserting ads into webpages or adding damaging code.
Now, the fact that Google allows the browser to interact with things outside of the browser is a security topic for another day. Today we are only discussing the security issue related to the transfer of ownership of these extensions and the "enhancements" made to them without the knowledge of the user. Adding and removing features from a stand-alone application is common, but such an application is used within a closed environment, and a change only affects the experience of that single set of content. With extensions, unexpected additions affect the user's entire experience online.
Obviously these extensions can be removed if you know they are violating your privacy, but many perform tasks outside of your view. An extension that was once just a way to quickly post photos to Tumblr by dragging them to the menu bar could easily now be reading your Gmail contacts and reporting them back to the new owner, or sending spam messages right from your browser without your knowledge.
This is one of the main issues with public add-ons for common Internet software, such as browsers, especially when the publisher has no policy for quality protection. Google has implemented a new rule within the past few weeks requiring an extension to only perform a single task, but my guess is that this rule will be followed about as well as Android.