Google Web Store quietly purged of nosy apps
Super Mario could see 'every page that you visit'
Google's Chrome Web Store has quietly been purged of at least two games after a blogger revealed that the Flash-based browser extensions had unfettered access to all website data, browsing history, and bookmarks stored on users' computers.
The removal of Super Mario World and Super Mario World 2 came without explanation following a post published Thursday by mobile-security blogger David Rogers, who took the time to read the fine print in Google's Chrome application bazaar. The most troubling caveat, which Google displayed only when users clicked through several layers of links, was the following:
This item can read every page that you visit – your bank, your web email, your Facebook page, and so on. Often, this kind of item needs to see all pages so that it can perform a limited task such as looking for RSS feeds that you might want to subscribe to.Caution: Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites.
“It's pretty obvious how potentially bad the Mario extension could be, particularly when this is supposed to be just a Flash game,” Rogers wrote. “What really irks me though is the 'permissions by default' installation. You click one button and it's there, almost immediately with no prompt.”
Google has defended the web store for its Chrome browser by pointing out – correctly, we'd add – that privacy risks of each app, extension, and theme available are disclosed, and that online forums allow users to share any negative experiences with company employees and fellow users.
“It appears that the blogger you referenced actually witnessed these protections at work,” a Google spokesman wrote in an email. “By looking at the clearly visible permissions that signal the level of access that is being requested, as well as the user reviews featured prominently on the page, users can make a determination if an app is suspicious or not. This transparency helps people make informed decisions about which applications they trust.”
But the spokesman declined to even acknowledge that the apps were removed, let alone say why. He also declined to say whether Google employees are permitted to install Chrome add-ons that have access to their website data, cookies, browsing history, and other sensitive data.
Google's Chrome Web Store isn't the only source of browser add-ons that have access to some of users' most intimate web habits. An extension for Mozilla Firefox with more than seven million downloads was recently caught cataloging every website a user visited and combining it with the user's IP address and a unique identifier – without any notice in the corresponding privacy policy.
In all, there about about 17,000 apps, extensions, and themes in the Chrome store. Remember, just because they're available from Google's servers doesn't mean the company says they won't access personal information you probably want to keep private. ®
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
COMMENTS
What wrong living in a glass house!
A reply by someone in a local govt who had a chat with me when I spoke of internet privacy.
His replies were always such as If you have done nothing wrong you have nothing to worry about!
So what if you live in a glass house. Do you have something you need to hide?
I told him that is not the point and that is where I stopped as he just DID NOT GET IT.
When are we going to ask the right questions on this topic?
Google have deflected with the age-old "caveat emptor" but that's simply not good enough any more.
When the public as a whole (not just us paranoid geeks) do not yet have the tech-enlightenment required to understand how some of these mechanisms work, just sticking up a dialog (Vista UAC, android application access permissions dialog, etc etc etc) WILL NOT DO.
This clunky mechanism works for the geeks who created the environment in the first place: unless we ask the question "how do we get Joe Schmoe to understand what this app is asking for?" we will continue to see stuff like this on every platform which can download executable content.
In the meantime, I'll keep wearing the tinfoil hat and say "no" to everything where possible until the tech industry wakes up and interfaces with the average "idiot" properly.
i want the old store back
the old chrome store was better as it did tell you what the app requested before it installs the app store that it uses right now press install no question asked it does it (i think it should always ask as it opens it up for exploitation{think that's the correct word} for auto installs)
(side note some systems i have installed chrome on is giving me the old store {that i think is easier to use any way} that does ask when installing add-ons )
IT infrastructure monitoring strategies
What you need to know about cloud backup
Agentless Backup is Not a Myth
Top 10 SIEM Implementer’s Checklist
Steps to Take Before Choosing a Business Continuity Partner
