According to a discussion on Reddit, a Chrome extension “Smooth Gestures” was found tracking user’s activities. This is really disappointing for me as a Chrome user and extension developer. We have already seen another such extension “Awesome Screenshot”, which was modifying Google’s search result page without user’s permission.
Reddit user Khoker has reported about this “Smooth Gestures” Chrome extension. He says:
And this isn’t some unknown, shady app. Google reports it to have over 400,000 users and a 5-star rating with over 5000 votes.
Anyway … troubleshooting a JavaScript error today, I noticed the following code was being inserted into every page I visited. The only reason I noticed it at all was because it was broken, and a # was erroneously added before the setTimeout call the last time it updated.
Khoker has also posted that JavaScript code on Reddit here. I am unable to check and verify this issue, as the developer of “Smooth Gestures” extension has removed it from the Chrome Web Store (google cache).
The Real Problem
As Chrome team does not review the items available in the Chrome Web Store, developers are free to create such extensions. After the exposure of Awesome Screenshot last week, I contacted Chrome team once again. This time, Google’s Mihai Parparita replied and explained Chrome’s security features:
A review process is in place for extensions that use NPAPI plugins, since those extensions have unfettered access to a user’s machine once installed. For other extensions we believe that the other mitigating factors (limited APIs, fine-grained permissions, user reports from the store, etc.) strike the right balance between security and not having posting to the store be a bottleneck and time-drain for developers. [Read more here]
I agree with the answer that Chrome already has various security measures and limited extension APIs but, as you can see, these are not enough. How can you wait for “user reports from the store”? Most of the internet users (and hence, the Chrome users) don’t have any idea of the geeky stuff behind the extensions. Both reported extensions, Awesome Screenshot and Smooth Gestures, are very popular extensions – have lots of active users and tons of 5-star ratings. And, they are hosted on “official” Chrome Web Store. When an end user sees such parameters, he/she is easily convinced to install it.
Chrome team should immediately find a way to stop such issues. :(
- Think Twice Before Installing Any Chrome Extension
- Google Reminds Branding Guidelines To Chrome Extension Developers
- Google’s Reply : Chrome Extension Developers Signup Fee And Official Extension
- Chrome Extension APIs For contentSettings
- What is a Chrome web app?
- Google Chrome Introduces Developer Signup Fee And Domain Verification
- Screen Capture Extension For Google Chrome (By Google)
Chrome extension is such a spyware.
It’s sad … I use Chrome for almost all my browsing but I won’t install extensions in general because of Google’s disregard for the users and their security. It wouldn’t be as disappointing if they were some small start-up with limited skills and resources. As it is, they’ve got world at their doorstep in so many ways and they’re peeing on them from an upstairs window …
developer of this extension posted on Reddit;
We really aren’t trying to spy on users but instead were using this code to populate a map of users. We’re using the very cool node.js app called hummingbird. – https://github.com/mnutt/hummingbird
We should have done this differently and for that I AM DEEPLY SORRY.
Even before google removed us, we voluntarily disabled the web application and it remains down. Over 90 thousand users upgraded to this code and rather than run the risk of further alienating (and not the cool reddit kind of aliens) we took what steps we could to rectify this. While we could have easily gotten the referrer data from the call we opted to just get the domain.
Why? We are using that data to run regression code for the cases where smoothgestures runs poorly.
We’re not trying to be dicks here, we just didn’t think ahead and in that blatently obvious oversight cost us to have a rollercoaster of a day.
I also have another plugin called Troll Emoticons that had the same code for about 3 weeks now so we didnt really think it was a problem.
I am going to do an AMA about the subject of getting the chrome extensions pulled and what our day has been like and talk to you fellow redditors about how to get what we were looking for. Accurate user statistics, something that the chrome webstore lacks.
We’re working with google now to get the update back in the store and would love to get your feedback.
On Reddit: http://www.reddit.com/r/chrome/comments/juijx/til_a_chrome_extension_was_spying_on_me_beware/c2fk1ct