Massive Spying on Users of Google's Chrome Shows New Security Weakness (reuters.com)
A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google's market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry's failure to protect browsers as they are used more for email, payroll and other sensitive functions. From a report: Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month. "When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses," Google spokesman Scott Westover told Reuters.
Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.
Google : Only WE are allowed (Score:3, Insightful)
to spy on Chrome users. The rest of you can take a hike!
Not a surprise really. For me, google can go take a hike.
google.com is blocked at my firewall for obvious reasons.
Re:Google : Only WE are allowed (Score:5, Informative)
Blocking google.com won't do much, it will just prevent you from using the English version of the search engine and their company website. Ad networks and analytics use other domains.
If anything, the domain you want to block would be 1e100.net, that's the reverse-DNS for Google servers.
I guess you can find google-owned IP ranges and block them but unfortunately, a big part of the web will stop working since many websites depend on Google services.
Just do like everyone else and install uBlock Origin. And use Firefox if you dislike Chromium and its derivatives.
Re: (Score:3)
I have also discovered that Google Chrome comes with a nasty spyware as well. The so-called "Software Reporter Tool", which scans your computer for all stuff you have. It does look like it's also messing with files that it thinks you shouldn't have, but I'm not sure if it's that tool or if it's the Microsoft Defender.
As an example - if you download some GPS map data from Garmin to update your SD card, one of those pieces of software sets your file size of the map data to zero, rendering the file destroyed.
Google's Chrome INsecurity (Score:1)
Blame google's search results (Score:2)
How did the people get these extensions? Most likely through a google search. They allow bullshit extensions and spyware programs to get to the top search results and even the ads themselves. If they can move The Pirate Bay 30 results deeper they can move these malicious items as well.
Re: (Score:1)
So Google now must peruse the whole internet constantly so it doesn't by accident show sites with malicious content? Be careful what you wish for, especially when giants like Google et al. are concerned.
Re: (Score:3)
No, they need to police their web store better. Google's web store search for Chrome sucks.
They don't need to police the internet - you can only install extensions from the Chrome web store anyways, which Google controls and approves extensions of.
Problem is the Chrome Web Store search (Score:4, Interesting)
The Android Play store has a similar problem. The first few years it was virtually impossible to find good stuff unless you already knew the name. It's gotten better, but it's nowhere near as good as a regular Google search. With a regular Google search, at least you're assured of getting top results which are in some way popular. The priority in both the Play store and the CWS seems to be giving exposure to little-known apps and extensions to get users to try lots of different things. Not to help users gravitate towards popular or highly-rated apps/extensions.
Re: (Score:2)
Google's search results are just poor in general. Bing isn't much better and who even knows what Yahoo is up to these days. DDG seems to use Bing as their catalog.
Re: (Score:1)
webcrawler.com FTW!
why does google need alerts from externals? (Score:1)
Why does google need alerts from external researchers to not distribute malicious code? Why is it acceptable for users and regulators that google does not police its own web store it profits from?
Re: (Score:3)
Why does google need alerts from external researchers to not distribute malicious code? Why is it acceptable for users and regulators that google does not police its own web store it profits from?
Why do you expect Google to decide "bad-website-checker-extension-plus-plus-good" is pulling users' web usage for malicious purposes? Determining intent isn't easily automated and requires research. Google provides the hammer. It's not their job to protect you against hammer-accessories that might do you harm, even if those accessories are advertised on the hammer-provider's web site.
Computers are complicated devices and despite a decade of simplifying things to expand market via improved accessibility
Re: (Score:3, Insightful)
well, this is not how consumer protection works. distributors must act with due care to ensure the safety of the products they distribute, even if the producer is the actor who carries primary responsibility for product safety.
art 5 (2) of the EU product safety directive says the following:
"2. Distributors shall be required to act with due care to help to ensure compliance with the applicable safety requirements, in particular by not supplying products which they know or should have presumed, on the basis o
Mozilla (Score:4, Interesting)
I've been using Firefox ever since it was called Netscape, and never needed or wanted another browser, amongst others because of this.
Re:Mozilla (Score:4, Interesting)
I also have used Firefox since its Netscape incarnation, and I don't use Chrome because of its poor security, but this particular case isn't really a Chrome fault. This could just as easily happen to a Firefox extension.
That being said, I really like Mozilla's Recommended Extensions system. When I'm looking for an extension, I look for one with the Recommended badge. Recommended extensions have been reviewed by Mozilla for security and truth in advertising.
Victims (Score:3)
And yet . . . (Score:1)
that big piece of spyware called Chrome stays up and available.
New security weakness in Chrome? (Score:2)
ActiveX all over again (Score:3)