A feature that’s supposed to make the Google Chrome browser secure has actually been turned into a vulnerability.
It’s inevitable: when some software becomes the most popular in its class, bad guys will start targeting it. Google Chrome made its way to #1 among browsers simply by being better than everything else. And now there is a huge issue that may let cyber-criminals gain access to your personal data – passwords, credit card numbers, etc.
You see, Chrome downloads and installs updates automatically, without asking you, and without notifying you. Which is, in principle, a good thing — using old and potentially buggy software is a security risk.
However, not all the updates come from Google. If you have installed third-party browser extensions from the Chrome Web Store, they will be automatically updated too. And that’s where the trouble is.
You may choose to install a perfectly legitimate Chrome extension, with no malware whatsoever, on your browser, and give it permissions to access your data. But if the extension’s developer includes malware code in a future update, you will never know.
There have been many cases where companies approach developers of popular Chrome extensions and offer to buy the extension. Some of these developers are not aware of the scheme and take the money in good faith. Then the new owner releases an update and bang… millions of Chrome users have spyware on their computers. Google will review and remove reported malware, but often by that time it’s too late.
What can you do about it? Not much, unfortunately. You can choose not to install any extensions on your browser. Or you could switch to a different browser altogether. There is an extension called Extension Defender that will scan your list of installed extensions and identify those that are known to misbehave — but again, it may be too late by the time it discovers something. Apparently, you can also turn off auto-update, but this is, too, a potential security risk in itself.
The only real way to get rid of the issue would be if Google introduces stricter review policies before anything is published in their extension store.