The "potentially unwanted programs" euphemism is corporate speak for admitting the behavior is malicious but hiding behind legalese. What's worse is the Featured badge issue becuase it shows Google's review process is either nonexistent or so bureaucratic it's useless. I remember the Windows 8 Store scams you wrote about back then, and it's depressing how little has changed in the fundamental problem. Platforms want the control that comes with gatekeeping but don't want the liability that comes with actually vetting what goes through.The permission system for extensions is theoretically good but realistically most people just click through because they want the functionality and don't understand the risk surface area they're accepting.
Yeah -- one issue is that most browser extensions really do need that level of deep access to most things in your browser. And they're so easy to create.
The biggest problem is people don't realize how dangerous browser extensions are. They're probably the number one type of software I see "go bad." Often, the original creator sells to another companies, which rolls out an update that adds spyware and other junk to monetize it.
I fully agree with you, and this practice should not even be legal. The fact that they have this garbage out there and then certify it as approved completely negates any credibility from Google.
This is indeed malware, as it is malicious, privacy-invasive software, and you are right about the extensions.
Happy holidays, and thank you for all your writing.
Thankfully, Google pulled the extension by now! But it's always been funny to see companies attempt to bury disclosures of this in a contract as if it makes what they're doing legitimate.
Have a great holiday season - and thanks for subscribing!
It should be trustworthy if you trust Malwarebytes! That's the big "gotcha" here -- you need to trust the developer of the extension. (I used to use Malwarebytes, and I recommended it frequently. So unless anything has changed, it's still a great application!)
Personally, I just stick with the built-in Microsoft Defender/Windows Defender antivirus, and then I rely on the built-in anti-phishing stuff in my web browser of choice. Also, I run an adblocker (the one built into Brave, or uBlock Origin Lite in Chrome.)
Different people have different preferences. Back in the day, Malwarebytes was one of the first programs that actually blocked those Potentially Unwanted Programs (PuPs), while other antivirus companies seemed scared to do so (lawyers might get involved!).
These days, most antivirus companies are blocking stuff like this.
I don't think Microsoft Defender is perfect, but I don't think any security program is perfect. Mostly, I'm just paranoid about the software I install and try to keep everything updated.
If you like Malwarebytes, definitely stick with it! There's nothing wrong with it, as far as I know. Same for any other reputable antivirus, really.
Thanks Chris. I've always considered you, Paul Thurrott, and Brian Livingston as trustworthy sources and have gotten a lot of good info from y'all. Oh, and Steve Gibson too.
The "potentially unwanted programs" euphemism is corporate speak for admitting the behavior is malicious but hiding behind legalese. What's worse is the Featured badge issue becuase it shows Google's review process is either nonexistent or so bureaucratic it's useless. I remember the Windows 8 Store scams you wrote about back then, and it's depressing how little has changed in the fundamental problem. Platforms want the control that comes with gatekeeping but don't want the liability that comes with actually vetting what goes through.The permission system for extensions is theoretically good but realistically most people just click through because they want the functionality and don't understand the risk surface area they're accepting.
Yeah -- one issue is that most browser extensions really do need that level of deep access to most things in your browser. And they're so easy to create.
The biggest problem is people don't realize how dangerous browser extensions are. They're probably the number one type of software I see "go bad." Often, the original creator sells to another companies, which rolls out an update that adds spyware and other junk to monetize it.
Very interesting article.
I fully agree with you, and this practice should not even be legal. The fact that they have this garbage out there and then certify it as approved completely negates any credibility from Google.
This is indeed malware, as it is malicious, privacy-invasive software, and you are right about the extensions.
Happy holidays, and thank you for all your writing.
Thankfully, Google pulled the extension by now! But it's always been funny to see companies attempt to bury disclosures of this in a contract as if it makes what they're doing legitimate.
Have a great holiday season - and thanks for subscribing!
It just seems to always fall back to 'once a Google always a Google'
Any thoughts on the Malwarebytes extension?
It should be trustworthy if you trust Malwarebytes! That's the big "gotcha" here -- you need to trust the developer of the extension. (I used to use Malwarebytes, and I recommended it frequently. So unless anything has changed, it's still a great application!)
What, if anything, do you use now in place of Malwarebytes?
Personally, I just stick with the built-in Microsoft Defender/Windows Defender antivirus, and then I rely on the built-in anti-phishing stuff in my web browser of choice. Also, I run an adblocker (the one built into Brave, or uBlock Origin Lite in Chrome.)
Different people have different preferences. Back in the day, Malwarebytes was one of the first programs that actually blocked those Potentially Unwanted Programs (PuPs), while other antivirus companies seemed scared to do so (lawyers might get involved!).
These days, most antivirus companies are blocking stuff like this.
I don't think Microsoft Defender is perfect, but I don't think any security program is perfect. Mostly, I'm just paranoid about the software I install and try to keep everything updated.
If you like Malwarebytes, definitely stick with it! There's nothing wrong with it, as far as I know. Same for any other reputable antivirus, really.
Thanks Chris. I've always considered you, Paul Thurrott, and Brian Livingston as trustworthy sources and have gotten a lot of good info from y'all. Oh, and Steve Gibson too.
It's a huge honor to be put in that list - thank you!