Having just started on creating chrome extensions recently:

a) I was surprised that they don't require access to the source code in order to review. I wrote everything using typescript and uploaded the packed/obfuscated output, which wasn't a problem at all. I'm sure they have software that unpacks and attempts to detect hazardous patterns, but clearly humans are not actually trying to understand the code's structure. It would be a low bar to require well commented source code (and even to require certain coding conventions) to make extension code more reviewable. Want to be on our platform? Write it this way. Show us the source.

b) On the flip side, trying to do anything interesting requires adding permission after permission to the manifest, which of course results in the scary messaging at install time. While you're asked to justify each permission when you upload, as far as I'm aware extension authors have to provide their own copy to end users attempting to explain permissions - I've certainly never seen it as an end user when installing an extension. Including these explanations either in the initial install dialog, or on first usage of each permission, would be beneficial. Of course this would require that extension reviewers verify the usage of each of the permissions, but since they're universally accessed through the chrome api, they should be easy to spot in the source (and #a would help this significantly).

I made a chrome extension that has about 3000 users and adding about 100 users weekly. One Day someone reached out to me offering to pay 0.20$/user for it. The extension required manual data input from time to time so I was happy to get my hands off it.

I was confused as after buying the guy seemingly did nothing with the extension. Now I'm realizing that it has become a part of the malware community. I was also using ESCompiler to bundle files which was naturally obfuscating it a lot.

The point is that these people acquire extensions when they have a growth trajectory, then sit back and let the cash roll in. Kinda like VCs. That's why they have such a huge collection of popular extensions.

Also, To get "Featured" on chrome, you just have to fill a paltry form about accessibility etc and wait for a few weeks. "Featured" does not mean the application is safe in any way. I'd say it's the contrary since the scammers know exactly how to get the tag to look more trustworthy.

It's now clear that I need some sort of semi-automated system to periodically review the list of installed extensions against a database of known-malicious IDs. I'm not going to manually go through a list of more than 100 extensions. We need something like HaveIBeenPwned, is there anything like that already?

Ironically, Google eliminated Chrome Web Store payments, so extension developers can no longer directly monetize extensions from the Chrome Web Store.

As always, if you're not the customer, you're the product.

I only trust three extensions, and maybe that's too many:

1) My password manager extension, 2) EFF's Privacy Badger, 3) Vimium

Everything else I run only temporarily or with the option where I have to click to enable it for certain sites.

Sigh, these articles are good, but at the same time someone will look at it and do stupid we gonna solve this right now kinda optimizations. Extensions are already behind a group icon, just do not tighten them up even more in stupid ways. It's already problematic, because average users doesn't even know how many extensions and what kind are installed. If you have an army of icons next to your url bar at least you know that something is there.

At the same time if you have an extension that shows some status via the pinned icon you have to guide them step by step.

If an extension doesn't steal your data, then leave them be. If you don't do your homework, well, then live with the "bloodsucker mosquito". We don't have to protect everyone from the real world at the expense of the many.

After so many incidents when legit extension is sold to another entity that implements malware, why there are no mechanism to additionally approve extension usage when developer changes? Sure, most users probably will click agree, but that would be a good start.

My question is how are these extensions with malware being "featured" on the web store? Are humans at Google running these applications and featuring them or is it AI/an algorithm?

If only there were some tech to grep store extension comments for malware complaints...

Question for the author since they’re semi active here: How do you choose to investigate these malicious extensions in the first place?