SN 1013: The Chrome Web Store is a mess - Apple Encryption in the UK, Texas Vs. DeepSeek

Feb 19, 2025 | 3 hr 31 min | Ep. 1013

Episode description

  • US lawmakers respond to the UK's outrageous demand about Apple's encryption.
  • What, exactly, is a "backdoor", and can a "backdoor" NOT be secret?
  • Highlights from last week's Windows' Patch Tuesday.
  • A look into RansomHub: The latest king of the Ransomware hill.
  • "TOAD": Telephone-Oriented Attack Delivery.
  • The state of Texas -versus- DeepSeek.
  • Disabling Apple's "Restricted Mode".
  • Where did I put that $800 million in Bitcoin?
  • A Sci-Fi author update.
  • And a deep dive into the misoperation of Chrome's critically important Web Extension Store

Show Notes - https://www.grc.com/sn/SN-1013-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Transcript

Chrome Web Store's Extension Crisis: Security Experts Sound the Alarm

Feb 21st 2025 by Benito Gonzalez

AI-created, human-edited.

In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte dove deep into the troubling state of Google Chrome's Web Store, drawing from Vladimir Palant's revealing exposé. Palant, the original developer of Adblock Plus, presents a damning critique of what has become a largely uncontrolled marketplace for browser extensions.

The discussion centered on Palant's blog post titled "Chrome Web Store is a mess," which details systematic problems with Google's extension ecosystem. As Gibson and Laporte explored the findings, several alarming issues came to light:

Despite Google Chrome commanding roughly 90% of the browser market share, the company appears to take a "least effort required" approach to moderating its extension store. Reports of malicious extensions often go unaddressed, and when action is taken, it's inconsistent and seemingly reluctant to confront established businesses.

The hosts highlighted particularly egregious examples of review manipulation, including an extension with just 30 users receiving nine five-star reviews in a single day. As Gibson noted, detecting and cleaning up such obviously fraudulent reviews would be "trivial" for Google to implement, raising questions about the company's commitment to maintaining store integrity.

Perhaps most concerning is the revelation about Google's "featured" badge for extensions. Despite Google claiming manual evaluation of featured extensions, the investigation revealed that numerous spam and non-functional extensions carried this supposedly prestigious designation. The criteria appear to be largely automated, focusing on superficial elements rather than actual security or functionality.

The podcast highlighted several key problems:

  • Rampant spamming of identical extensions under different names
  • Previously removed hostile extensions returning under new identities
  • A fundamentally broken permissions system
  • Unheeded developer reports
  • Massive extension clusters operated by potentially malicious actors

Leo Laporte revealed that he avoids these issues entirely by using Firefox, where extensions like uBlock Origin continue to function at full strength. Steve Gibson, while using a Chromium-based browser (Arc), emphasized the importance of sticking to well-known, trusted extensions like Bitwarden and uBlock Origin.

The discussion concluded with a sobering assessment: Google's dominant market position may have removed any incentive to properly address these issues. As Gibson noted, rather than telling listeners not to use Chrome extensions, the episode aimed to equip users with the knowledge to make informed decisions about their browser security.

The hosts suggested several practical approaches:

  • Stick to well-known, trusted extensions from reputable developers
  • Be extremely skeptical of featured badges and high ratings
  • Consider alternative browsers with more rigorous extension review processes
  • Understand that an extension's permissions requests should match its stated purpose
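
One way to act on the last point is to read an extension's `manifest.json` and list what it asks for next to the sites it claims to serve. The following is an added example, not code from the episode or from Palant's post; the function names, the `purpose_hosts` parameter, the choice of "sensitive" permissions and the sample manifest are assumptions made for illustration.

```python
import json

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: a reviewer-chosen subset of Chrome API permissions treated as sensitive.
SENSITIVE_APIS = {"cookies", "webRequest", "history", "tabs", "scripting",
                  "debugger", "management", "proxy", "nativeMessaging"}

def is_host_pattern(perm):
    return perm == "<all_urls>" or "://" in perm

def host_of(pattern):
    """'https://*.example.com/*' -> 'example.com'"""
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host[2:] if host.startswith("*.") else host

def audit_manifest(manifest, purpose_hosts):
    """Return (kind, value) findings for a parsed manifest.json.
    purpose_hosts: domains the extension's description says it works on."""
    declared = [p for key in ("permissions", "optional_permissions")
                for p in manifest.get(key, []) if isinstance(p, str)]
    # Manifest V2 mixes host patterns into "permissions"; V3 uses separate keys.
    hosts = [p for p in declared if is_host_pattern(p)]
    for key in ("host_permissions", "optional_host_permissions"):
        hosts += manifest.get(key, [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings = []
    for h in sorted(set(hosts)):
        if h in BROAD_HOSTS or host_of(h) == "*":
            findings.append(("broad-host", h))
        elif not any(host_of(h) == d or host_of(h).endswith("." + d)
                     for d in purpose_hosts):
            findings.append(("unrelated-host", h))
    for api in sorted(set(declared) - set(hosts)):
        if api in SENSITIVE_APIS:
            findings.append(("sensitive-api", api))
    return findings

# Constructed sample: a theme for one site that asks for far more than that.
SAMPLE = json.loads("""{
  "manifest_version": 3,
  "name": "Example Site Dark Theme (constructed sample)",
  "permissions": ["storage", "cookies", "webRequest"],
  "host_permissions": ["https://*.example.com/*", "<all_urls>"],
  "content_scripts": [{"matches": ["https://tracker.example.net/*"], "js": ["c.js"]}]
}""")

if __name__ == "__main__":
    for kind, value in audit_manifest(SAMPLE, {"example.com"}):
        print(f"{kind:15} {value}")
```

A finding is a prompt for a human comparison against the store listing, not a verdict: a password manager legitimately needs access to all sites, while a single-site theme does not.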

The situation appears unlikely to improve soon, with Google taking what Palant describes as an "entirely reactive" approach, typically addressing only those extensions that have already caused considerable damage. For users, the message is clear: proceed with extreme caution in the Chrome Web Store, as the security of your browsing data may depend on it.

Security Now #1013
Feb 18 2025 - The Chrome Web Store is a mess
Apple Encryption in the UK, Texas …
Transcript source: Provided by creator in RSS feed: download file