Google has blocked Send to Feedly and Tweet this Page, a pair of extensions for its browser that users complained had started inserting ads into pages that they were browsing.
Extensions do have to ask for user permission when an update needs more access to what users are doing on the web (for example, the difference between tracking browsing on GeekWire.com and tracking all the browsing someone does), but it appears the people who bought and now operate these extensions did not need to ask for any additional permissions before slamming users with ads everywhere.
The adware authors took advantage of that, and of the fact that users aren’t notified when an extension changes to a new owner, so many people who used one of those extensions had no idea it had been sold to spammers.
Amit Agarwal, who developed the Send to Feedly extension, said in a blog post that he received an email offering him a “four-figure deal” for the extension. A month later, the person who purchased the extension then updated it to push ads on users as they browsed the web. Other developers of higher-profile extensions have said they received similar offers.
While Google has outlawed inserting ads into web pages using Chrome extensions, these incidents show that its enforcement of that rule is, at best, imperfect. Even if Google managed to perfectly enforce the rule against advertising, some powerful extensions require broad permissions to do what users want them to. Even without inserting ads, a malicious buyer could decide to use broad permissions to track what users do on the web.
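The permission gap described above, as an added example that is not from the article, Google, or either extension's authors: a small Python audit of an extension's manifest.json that flags host patterns already covering every site. An extension holding such a pattern can be updated to read or rewrite any page without triggering a new permission prompt, so the check is worth running over installed extensions; the two manifests and their hostnames below are constructed placeholders.

```python
import json

def is_broad(pattern):
    """True when a Chrome match pattern grants access to every host."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # an API permission such as "storage", not a host pattern
    host = rest.split("/", 1)[0]
    return host == "*"  # "*://*/*", "https://*/*" and similar cover all sites

def host_patterns(manifest):
    """Collect every host pattern the extension holds without a runtime prompt."""
    patterns = set()
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions"
    for key in ("permissions", "host_permissions"):
        patterns.update(manifest.get(key, []))
    # Content scripts run on every page their "matches" cover
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns

def audit_manifest(manifest_json):
    """Return the sorted list of all-site host patterns an extension already holds."""
    manifest = json.loads(manifest_json)
    return sorted(p for p in host_patterns(manifest) if is_broad(p))

# Constructed: a narrowly scoped "send to reader" extension (placeholder hostname)
SCOPED_MANIFEST = json.dumps({
    "manifest_version": 3,
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["https://reader.example/*"],
})

# Constructed: the kind of manifest that lets a new owner inject into any page
BROAD_MANIFEST = json.dumps({
    "manifest_version": 3,
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    print("scoped:", audit_manifest(SCOPED_MANIFEST))  # []
    print("broad: ", audit_manifest(BROAD_MANIFEST))   # ['*://*/*', '<all_urls>']
```

The "activeTab" permission in the scoped manifest only grants page access on the user's click, so an owner change cannot silently turn it into site-wide injection.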
One of the takeaways from this situation is that if companies want their services to be available to users as a browser extension, those extensions should be developed in-house, or purchased from the third party that developed them if possible.
Meanwhile, developers need to do what they can to protect users from malware, including ensuring that they sell their software to people who won’t turn around and sell their users up the river. It’s easy to say that users should be responsible for protecting themselves, but what these incidents have shown is that it’s possible for users who have done everything right and found a trustworthy browser extension to get hurt by actions that they don’t have control over.