According to a discussion on Reddit, the Chrome extension “Smooth Gestures” was found tracking users’ activities. This is really disappointing for me as a Chrome user and extension developer. We have already seen another such extension, “Awesome Screenshot”, which was modifying Google’s search results page without users’ permission.
Reddit user Khoker reported this “Smooth Gestures” Chrome extension. He says:
And this isn’t some unknown, shady app. Google reports it to have over 400,000 users and a 5-star rating with over 5000 votes.
The Real Problem
As the Chrome team does not review the items available in the Chrome Web Store, developers are free to create such extensions. After the exposure of Awesome Screenshot last week, I contacted the Chrome team once again. This time, Google’s Mihai Parparita replied and explained Chrome’s security features:
A review process is in place for extensions that use NPAPI plugins, since those extensions have unfettered access to a user’s machine once installed. For other extensions we believe that the other mitigating factors (limited APIs, fine-grained permissions, user reports from the store, etc.) strike the right balance between security and not having posting to the store be a bottleneck and time-drain for developers. [Read more here]
I agree with the answer that Chrome already has various security measures and limited extension APIs but, as you can see, these are not enough. How can you wait for “user reports from the store”? Most internet users (and hence most Chrome users) have no idea of the geeky stuff behind extensions. Both reported extensions, Awesome Screenshot and Smooth Gestures, are very popular: they have lots of active users and tons of 5-star ratings. And they are hosted on the “official” Chrome Web Store. When an end user sees such indicators, he/she is easily convinced to install the extension.
The Chrome team should immediately find a way to stop such issues. :(