Youtube Queue Chrome extension booted out of store for search engine hijacking, revealing Google's lax dev checks

Google has removed a Chrome extension called Youtube Queue from its official online store for violating its program policies following complaints it was hijacking users' web searches. However, another extension called Croowila Videos Player that shares similar suspect code remains available. Via Twitter on Monday, a Microsoft …

  1. IGotOut Silver badge

    so tempting

    " Google today announced the release of its Suspicious Site Reporter "

    Knowing how Google like everything to be automated, how about if everyone decided to report double-click.

    1. STOP_FORTH

      Re: so tempting

      They will have whitelisted doubleclick. The swines!

  2. chuckufarley Silver badge

    The fault...

    ...Dear Commentards, is not in our Service Providers,

    But in ourselves, That we are Consumers.

    Commentards and Internet Giant: what should be in that 'Internet Giant'?

    Why should that name be sounded more than ours?

  3. sabroni Silver badge

    Isn't that handy!

    Gives them a nice excuse for deprecating the AdBlocking api.

    Good timing. Serendipitous even.

  4. Dan 55 Silver badge

    Your security in their hands...

    Alerted to the issue, the ad giant contacted support@softools.com [...] But according to Bill Auerbach, who created legacy processor toolchain biz Softools, Inc, which operates on the softools.com domain, his company's support address was listed on the Youtube Queue page seemingly without authorization nor any verification by Google

    If it's not about slurping your data, Google aren't really bothered.

  5. Lee D Silver badge

    How many times:

    Honour based security is worthless. "I'll ask for permission to read every website, but I promise I'll throw most of them away" is a stupid pointless exercise as even with the best analysis in the world you can still miss something that's doing that you didn't realise.

    Fine-grained permission control is literally the *only* thing worth having, and doing it properly means that your app approval process is greatly simplified. Have a bar... on that bar is a tiny little icon for each extension (whether the user wants it or not). So when they are on the bank and that little icon is still lit up THAT EXTENSION IS READING THAT WEBSITE. They are the ones stupid enough to have said "Yes to All" without thinking it through but maybe the reminder will prompt them to realise that that wasn't the brightest idea.

    If you have "permission to read" and "permission to talk to the Internet", you have implicit permission to "do what the hell you like with my data and spread it over the Internet". It's just that simple. An app approval process doesn't even hinder that.

    The way to stop it is to make it so that it's just not possible.

    There will come a time when Microsoft, Apple, Google, etc. will learn this - likely the first "hard" lesson of one will teach the others. But everything from UAC to iTunes app permissions to Chrome extension security models are messed up and just wrong. We learned this with Java, with Flash, with ActiveX, with the operating systems of the 90's ("everything single user as admin"), etc. but we keep committing the same mistake over and over and over again.

    Don't "look for people who might be trying to jump over the fence". Build a fence that they can't jump. It's ironic that the Android app permission model is so much better than the others... but still useless unless it has a "don't give them that permission, but let them believe you did" so you can use the app and it has no say in whether you can or not depending on what security you gave it.

    Yes, people are dumb and will Yes to All if they have the option. This isn't surprising. But then the blame is on them. You make it big clear warnings, including the word "THIS SHOULD NEVER BE NECESSARY, WE HIGHLY RECOMMEND YOU DON'T DO THIS" and flag warranty bits if they do that taint the OS like Linux taints the kernel if you're silly enough to tinker with untrustable code... we do it for "rooting" the device, why not for loading it up with potential malware? Maybe people would think twice and app manufacturers would flee from ever asking for those permissions if we did that? In the meantime every "approved" extension/app is just another reputation-loss for whoever approved it in the first place, and none of the major players are immune from that.

  6. Cavehomme_

    The whole Google ecosystem is a veritable PoS. Countless billions in profits and tax avoidance instead of investing a bit in more secure processes. Hardly surprising that a flogger of ads and hooverer of our data cares Sweet Fanny Adams whilst the billions continue to roll in from the gullible.

  7. Anonymous Coward

    " Google today announced the release of its Suspicious Site Reporter "

    I'm sure this is just as useless as Google's regular "Suspicious Site Reporter" website that completely ignores user reports and just as futile as taking the time to try and report adware/spyware/malware apps on Google's Play Store.

    History has shown time and time again that Google only takes action when they receive enough negative press.

    And even then, the dodgy developers are allowed back after a cooling down period or after they have (at least temporarily) removed the offending code from their worthless ad-spewing app or browser extension.

    “There's an old saying in Tennessee — I know it's in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can't get fooled again.”

    1. chromechronicle

      Re: " Google today announced the release of its Suspicious Site Reporter "

      Couldn't have put it better. This is nothing more than an exercise in PR and making the user feel as though they're in control. In reality, reporting a website will be as futile as trying to win a disputed PayPal case if you're the seller.

  8. iron Silver badge

    "Youtube Queue, was supposed to help you line up YouTube videos one after the other"

    So it's an extension to do something that YouTube provides for free as a standard feature? Why would anyone develop such useless nonsense and why would anyone install it?

  9. chromechronicle

    Chrome Store Cess Pit

    The Google Chrome Store is riddled with extensions and apps that, I'm sure, were once great, but were sold to people who now use them for 'bad stuff'.

    The worst offender of the lot is:

    Click & Clean:

    https://chrome.google.com/webstore/detail/clickclean/ghgabhipcejejjmhhchfonmamedcbeod?hl=en

    Look at what it has access to in the Chrome browser. And then look at all those fraudulent, glowing 5-star reviews.

    Google do not care, but I tell you, one day, a third-party will uncover a whole world of shit and expose the Chrome Store for the cess pit it is.
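Two comments above turn on what an extension is allowed to touch: the "permission to read" plus "permission to talk to the Internet" argument, and the advice to look at what an extension has access to. As an added example (not part of any comment in this thread and not Google's review process), this Node.js sketch reads an extension's `manifest.json` fields and flags all-sites host access, sensitive API permissions, content scripts injected everywhere, and a declared search-provider override. The names `auditManifest`, `BROAD_HOSTS` and `SENSITIVE_APIS` and both sample manifests are constructed for illustration.

```javascript
// Added example: manifest audit. Both sample manifests below are constructed.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// API permissions that widen what an extension can see or change.
const SENSITIVE_APIS = new Set(['tabs', 'webRequest', 'webRequestBlocking',
  'cookies', 'history', 'proxy', 'management']);

function auditManifest(manifest) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),          // Manifest V2 mixes APIs and hosts here
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),     // Manifest V3 keeps hosts here
  ].filter((p) => typeof p === 'string');

  // Host access to every site means the extension can read any page and send it on.
  const broad = declared.filter((p) => BROAD_HOSTS.has(p));
  if (broad.length) findings.push({ id: 'broad-host-access', detail: broad });

  const apis = declared.filter((p) => SENSITIVE_APIS.has(p));
  if (apis.length) findings.push({ id: 'sensitive-api', detail: apis });

  const injected = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || [])
    .filter((m) => BROAD_HOSTS.has(m));
  if (injected.length) findings.push({ id: 'content-script-everywhere', detail: injected });

  // A declared default-search override is worth a second look on a non-search extension.
  const provider = (manifest.chrome_settings_overrides || {}).search_provider;
  if (provider) findings.push({ id: 'search-provider-override', detail: [provider.search_url] });
  return findings;
}

// Constructed sample: a "video queue" helper that asks for far more than one site.
const sampleManifest = {
  manifest_version: 2,
  name: 'Example Queue Helper',
  permissions: ['tabs', 'storage', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
  chrome_settings_overrides: { search_provider: { search_url: 'https://search.example/?q={searchTerms}' } },
};
// Constructed sample: the same kind of helper scoped to the one site it works on.
const scopedManifest = {
  manifest_version: 3,
  name: 'Example Scoped Helper',
  permissions: ['storage'],
  host_permissions: ['https://www.youtube.com/*'],
  content_scripts: [{ matches: ['https://www.youtube.com/*'], js: ['content.js'] }],
};
console.log(auditManifest(sampleManifest).map((f) => f.id));
console.log(auditManifest(scopedManifest).map((f) => f.id));
```

A clean result only says the manifest declares nothing broad; it says nothing about what the extension's code does within the access it does have.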
