Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox
martyb writes:
Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox:
[...] Both the Google Chrome and Mozilla Firefox teams are cracking down on web browser extensions that steal user data and execute remote code, among other bad actions.
Browser extensions are add-ons that users can install to enhance their web surfing experience - they offer the ability to do everything from setting a special search wallpaper to displaying continuous weather data to language translation. This group also includes things such as ad blockers and security scanning.
[...] While extensions are useful, they can also introduce danger. In addition to intentionally malicious browser extensions that compromise users, legitimate offerings are also common targets for cybercriminals who look to exploit vulnerabilities in their code.
[...] In this case, Google said that after becoming aware of a widespread pattern of pernicious behavior on the part of a large number of Chrome extensions, it has disabled extensions that contain a monetary component - those that are paid for, offer in-browser transactions and those that offer subscription services. It's a temporary measure, according to the internet giant - but one that doesn't yet have a timeline for resolution.
"Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users," it said in a notice, issued Friday. "Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse."
The notice added, "We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience."
[...] Mozilla meanwhile has taken a more case-by-case tack, disabling 197 Firefox add-ons in total for a range of improper activity. This includes remote code-execution and harvesting user data. The add-ons have not only been removed from the official Mozilla Add-on (AMO) portal, but have been disabled in the browsers of existing installs.
[...] That's not to say the extensions were intentionally malicious. Mozilla's policy is that extensions that dynamically fetch code from elsewhere, legitimate or otherwise, are in violation of its content security policy.
Read more of this story at SoylentNews.