by aragonite 542 days ago
Not the GP, but just last week Google automatically removed a single use extension (https://readermode.io) from my browser after flagging it as malware (as I recall the extension updated itself a day before the removal). The extension has also been taken down from the Chrome web store (https://chromewebstore.google.com/detail/reader-mode/llimhhc...) though Google hasn't provided any details about what it was doing that led to the removal.
3 comments

I think the asymmetry in payoffs explains this, since a bad actor who baits and switches their extension could do massive damage to users. So Google tries to catch this behaviour and inevitably has some false positives (extensions labelled malware that actually aren't). The cost of a false positive is annoyance. The cost of real malware getting through could be your bank balance.
Automatic extension updates are a stupid practice. The attack surface for a legit extension is minimal, while being huge for a malware update. I'm against almost all automatic software updates in general, but browser extensions take the cake for having an obscene cost/benefit ratio. Chrome won't even let you turn it off. Personally I extract and load all my extensions in developer mode.
The alternative is leaving software eternally insecure, as people will not update it. And of those that will, 99.99% (probably not an exaggeration) will not have the interest, time, or ability to review code changes before updating.
There are some core technologies that should be updated automatically, as the cost/benefit is well in favor of updates (by default, but with an option to turn it off). But the fact that we're at the point of all software updating automatically with zero acknowledgement that there is even a cost associated with it is a huge problem. It is ostensibly a security practice but now serves as a means for software distributors to extract the maximum value from their users. The pendulum is well overdue for a swing back towards the middle.
I heard (on HN) that often an extension changes owners just before turning bad. Curious if that was the case here.
Correct! That's why I use "Under new management" https://chromewebstore.google.com/detail/under-new-managemen...
https://web.archive.org/web/20240927002632/https://chromeweb...

There are several complaints in the reviews, though it all seems a bit bizarre in that the issue was with an opt-in so-called "eco-mode" that basically was throwing pop-ups with affiliate links.