Why We Need a Google Condom for Chrome Extensions

What the hell are you doing Google? Why are you opening up holes filled with God-knows-what-access-to-us in a browser (the rapidly growing Chrome) which more and more of us are embracing?

While delighted with GooglePlus in a way I’ve never been with Facebook, I’m stunned that Google’s Chrome Web Store is populated with extensions that give an extension developer unbelievable and unprecedented access to our stuff.

Since we don’t yet have a “condom for the internet” other than our own savvy choices on what we do online, most of us inherently trust vendors like Google, Apple, Facebook and others to be smarter than us about security and privacy holes. With the rapid acceleration in new services like GooglePlus—services that are new paradigms and require highly tech-savvy people to dig in and work hard to learn about them—even friends of mine who use Chrome are installing browser extensions like crazy in order to manage all of these services easily.

The kicker? The “verified authors” of these extensions (Extended Sharing; Fixed Top Bar; GPlus Notifications) are written by people/organizations that on the surface seem OK and legitimate…but I sure as hell wouldn’t just hand over the keys to my house, access to my webcam, my browsing history, access to cookie sessions of my active Facebook, LinkedIn and other signed-in-sites (like Schwab or my bank?) to them. Especially since I’m logged in to all of them simultaneously with my Chrome browser and they (or their “partners”) would have access to everything! I highly suggest you think twice about loading extensions if you’re a Chrome user.

But there’s more…

Yes, the stuff these extensions do is cool. But each of those cool extensions give access to:

• All data on your computer and the websites you visit (Google has a small link on each dangerous extension in yellow that says, “Caution: NPAPI plug-ins can do almost anything, in or outside of your browser. For example, they could use your webcam, or they could read your personal files.“)
• Your list of installed apps, extensions, and themes
• Your bookmarks
• Your browsing history
• Your data on all websites
• Your data on {list of websites}
• Your physical location
• Learn more here: http://goo.gl/Ga5nb

Google takes security seriously, specially after the recent China hacking incident. I also recently embraced Google’s 2-step verification process. While a pain in the butt until I got in to a rhythm using it, this new process demonstrates the length with which Google is going AND how they’re ensuring the enterprise and governments will feel about using Google Apps since security is paramount to these organizations.

Though Google reviews the extensions and explicitly states to developers that, “Because of the possibility for abuse, though, we will review your extension before hosting it in the Google Chrome Extensions Gallery or Chrome Web Store“, they also say here that, “Code running in an NPAPI plugin has the full permissions of the current user and is not sandboxed or shielded from malicious input by Google Chrome in any way. You should be especially cautious when processing input from untrusted sources, such as when working with content scripts or XMLHttpRequest.” (my emphasis)

So not only is there access to our browser with these extensions, even though Google reviews them, GOOGLE CANNOT REVIEW, MANAGE OR MONITOR ANY SOURCES ACCESSED BY THAT EXTENSION!

So again, there is NO way I’m using Chrome extensions. I suggest you don’t either. 

UPDATE July 15, 2012

This post at The Next Web outlines how positive it is that Google has finally begun vetting extensions submitted to the web store — a year after I wrote this original post — but then states (my emphasis in bold):

“It’s hard to believe that Google was not already monitoring the Web Store, but the introduction of this program — and the additional level of security for third party extensions — is all the more important considering that Chrome overtook Internet Explorer as the Web’s most used browser in May, according to Statcounter.“

Yep…it IS hard to believe but true.