220 comments

[ 2.7 ms ] story [ 232 ms ] thread
Putting this here because Google won't remove it even though it has been reported multiple times.
I’m sure that, if enough people report it, it’ll be delisted. It only has 500 users so I doubt it’s in any priority queue for a human reviewer to look into it.
Sadly, the most efficient way is probably to report it to the abuse contact of the host. In this case - Scaleway / Online.net.
It is surprising that they apparently haven't added a more strict check when an extension claims to be from a known company.

I would have thought they would have a list of names like "Microsoft", "Facebook" etc. that would trigger a more thorough check. In this case it should be clear that they tried to pose as Microsoft, and it is coming from an account that has no association with Microsoft.

You'd think they'd have a vetting process on their ads as well, but they don't. Not a good one at least.

Either Google doesn't care, or they aren't able to do any form of sensible checking of stuff uploaded to they various platforms. Well, either that or they don't see it as a massive issue.

They don’t care. A company that can soft-censor (by placing specific warning messages) videos about a virus a few weeks after it became a hot topic in the West could easily detect big corpo brand appropriation if they wanted.
Either Google doesn't care < this one IMO

Caring removes money from them, at least in add case, so better to shift the bullshit to their "users", who are really the product being sold to advertisers, so who cares. Customer is always right, its just we are not the customer.

These reports are usually handled by a single person with a dozen other responsibilities. Chances are, nobody will ever read majority of user generated reports. Also, the person may have already left the company and a replacement was deemed by management to not be necessary.
Thanks for the heads up. Just when MS started offering login form filling from MS Authenticator ...

(At least for me that popped up a couple of days ago, when I used the real Authenticator app for some MS authorization in my phone.)

If you get this information to a tech journalist who makes a story about it, it'll probably be delisted much quicker.
The chrome web store is overrun with phishing apps like these, I think it's safe to say Google have given up.
Just like they have with Play Store.
Perhaps if the store made more money, they would have motivation to do something about it...
If the store made more money, why would they do anything? If it ain't broke, don't fix it.

Now, if the store started making less money because of scams...

Because of the prospect of losing that income stream. Their ad services are very well managed. AFAIK they're not making much/any money from the stores now so it makes sense they're not fixing it, or am I wrong?
It's Google. It doesn't matter how profitable something is, if it's incompatible with their org chart they'll let anything rot.
Chicken and egg. They would probably make more money if the store was more curated. At the moment it's hard to discover apps in the sea of spam and fake apps. As an example, there are literally hundreds of QR code readers, most of which are probably based on the same library but with very different levels of security. In fact, one of the top QR readers asks for very invasive permissions without any justification
Agreed completely, Google seems to be totally lacking any resemblance of vision or direction. Hard to overcome the chicken/egg problem with that...
Well it’s their store, what exactly is stopping them?
(comment deleted)
Just a couple of days ago, the #1 app in the Top Grossing chart on Play Store was "Funny Voice Changer", which is a sketchy app aimed at children that gets you to sign up for a 3 day free trial then charges $280. It has a 4.1 stars rating with mostly obviously fake reviews. I see now it's down to #29 on the chart, but it's still there.

I understand vetting everything manually would take unreasonable amounts of manpower but maybe you should check that literally the #1 grossing app in you store is not a scam?

> I think it's safe to say Google have given up.

As with sooo many of their underfunded departments. Google My Business is the worst, full of bugs and piss poor 3rd world country support staff.

> Google My Business is the worst, full of bugs and piss poor 3rd world country support staff.

This I simply don't understand. Google Maps would be nothing against their competition if it wasn't for almost every single business being on there. But then the support and UX for actually being a business on Google Maps is absolutely horrific, and I think they simply stopped caring about it. As you say, it's full of bugs and every upgrade to the UX seems to make it worse for us as well. Not sure what's going on in Google's brain, but I'm afraid they have run out of lamp oil.

As a business, you just have to use it. Whether it sucks is irrelevant as that does not affect the reason why you're there. I've given up on thinking GMaps is in any way accurate anyway, since even if the business owner somewhat cares, they won't remember to update it immediately.

Outside of some core products, Google software simply accumulates cruft and bugs and, I think, is rarely updated at all. They'd rather release a new product than make an existing one better.

This sounds painfully familiar.

By core products, you mean Search, Gmail and YouTube?

Let's see.. Search these days seems to have given up on SEO blocking, Gmail has given up on any kind of UX improvements, and YouTube has given up on being a decent platform for either creators or viewers.

I think the CRU's of the issue is Search is so big, and despite getting progressively worse, brings in so much money, that eventually people at Google realised it doesn't matter whether their products improve or not. After that, its just path of least resistance.

> As a business, you just have to use it.

Thanks, I'm aware of this...

> Whether it sucks is irrelevant as that does not affect the reason why you're there.

No, it is not at all irrelevant. I'm much less likely to use it well and maintain up-to-date information if the UI and UX is so terrible that it makes it easy to make mistakes and hard to find the thing I'm looking for. Not sure why it sucking would be irrelevant, I'm a user of it, of course I don't want it to suck...

> They'd rather release a new product than make an existing one better.

I don't think this is true either. Google updates old products all the time. The updates they do frequently makes the software worse though. The willingness to make things better is there, it's just that their execution of these updates is poor as fuck

Many of the crap-extensions load ads which makes google money.

I think it’s safe to say Google likes this sort of thing.

Nah, I think they trust their (presumably machine learning) algorithms too much and need to include some(more?) humans in the mix.
Imo, it's not a good idea to directly link to the extension as one might accidentally hit the "Add to chrome" button. (e.g. when coming from the homepage and not peeking into the thread here)
Unless someone changed the submission title within the 2 minutes of your comment and this reply... you really have a high expectation of catastrophe.

Edit: well, don't complain about the downvotes, but here I am after a few downvotes thinking "Wow, who are these baby-coddling users who think HN readers are idiots who don't read the headline and just accidentally click 'Add to Chrome'?".

So maybe to explain myself: I'm used to scan through the homepage and open link and comment side by side for a few things that I think are interesting to me. While reading through it, I might get interrupted. So I might come back to a link a few hours later. So lets say, I open up the extension page and forgot the initial context. So for me, it could theoretically happen that I install this extension cuz I assume links posted at HN to be safe.
Solved easily but not making rash assumptions and reading what you're clicking.
Who approved this in the listing? Should Microsoft sue them.. that would be a start
The developer's address is harperrodriguez31@gmail.com Good luck figuring out who that is.
It's clearly a mr. Harper Rodriguez, age 31. How many could there possibly be with than name and age? We have his email address, so maybe write to him and ask that he stop pretending to be Microsoft.
I find it rather surprising that anyone with a gmail address can publish an extension that appears to be from Microsoft.
Very surprising - I assume that there is absolutely no human check before an extension can be made available.
I'm surprised that you're surprised. "Absolutely no human check" may as well be Google's tagline.
This extension does not "appear to be from Microsoft". It merely mentions Microsoft in its title.

But the fact that the developer was allowed to call themselves "Extensions" is worrying.

Of course it appears to be from Microsoft. Microsoft is right there in the name, and the extension uses their logo.

That Google allows this is clearly nothing other than gross negligence!

It makes you wonder how quickly a fake Google Authenticator would get take down.
I love that it's made by: "Extensions"
Yeah. That’s a clever move by the author. That will trick a lot of people.
I'm still amazed that people install (outside of very specific development or page manipulation use cases) Chrome extensions.

Are these more common on Chromebooks or some other platform I don't regularly use?

Even development ones are dangerous, even more so because of the broad permissions they often requires. I’m pretty sure that’s how I got my credit card number stolen once.
Without Dark Reader, uBlock Origin, and JSONView, the web feels broken to me.
Thank you for Dark Reader... this has made a world of difference
Those, plus Multi-account containers, and Violentmonkey for a small number of corrections to websites.
Oh the amount of extensions that do one thing that can be much easier and cleaner to be integrated via userscripts is staggering!

Its all the little things that add up, and I hate that mobile Firefox update disabled Tampermonkey.

Talk about planned regressions. Pardon my French, but fuck Mozilla and their recommended extensions program.

Why are you amazed about that?
As a Firefox extension user myself, it is pretty crazy what permissions we allow from them. Even with something like uBlock Origin, which I'm sure a lot of people here use, one of the permissions you have to accept is literally "Access your data for all websites". Why are we okay with that?
Well, the alternative is static filter lists like in Safari, which results in a worse experience.

I trust gorhill much more than I trust random ad delivery networks trying to possibly exploit zero-day vulnerabilities.

Good question. I think my perception is that finding and using them is a high bar of entry.

And the suspicion that Google doesn't do even a cursory examination would put me off of using anything that isn't independently vetted.

If everyone that reads this simply takes the time to report it, the HN community should be able to get this extension down fairly quicly, right?

https://chrome.google.com/webstore/report/mabdjppmcjpjplolig...

It's Google, so, no?
Google’s automated systems do have anomaly detection that would flag it if there were many reports though.
That's exactly it, dogpiling can be discarded as anti-competitive behaviour.
It works on other, bigger and more important Google properties what makes you think the Chrome store handles it properly?
While I appreciate the approach of making "the world" a bit better once you see a chance to do so, I also don't think a company like Google should (be able to) leave it to random internet users to clean up their mess.
They could offer a bounty.
They could also hire people to do that necessary job.
I assumed they did.
Yeah, don’t assume that.
I tried the report abuse button and got a 404 when submitting the form. Lol, classic Google.

EDIT: My guess is they delisted the extension right about as I was submitting, since the extension page loaded, but the report submission failed, and now the extension is also gone. Maybe a cache purge was in there somewhere.

I reported abuse few minutes back. Google pulled it out shortly after that.

Also I am pretty sure Google has a "karma" number for users (just like reddit) in the backend where they automatically take down if report is from a user with high karma.

aaaand its gone. Worked two minutes ago, now the link responds with 404.
Really surprising that something so blatant would get past the playstore checks..If i remember correctly, there was a vetting process on the first updload of an app anyway, not sure about extensions.

Brand/Company names could easily be flagged as a 'needs review' for example.

This is just an extension and whoever is supposed to be vetting things at Google is completely asleep at the wheel.

Think about the fact that this extension has been up for over 2 weeks but if I upload a YouTube video where somebody says the wrong thing it's down in minutes.

They have armies of highly paid employees and none of them can take care of this?

I doubt bots can sleep..

That is, if Google have a bit for this at all. But I like your sense of humor if you say there is actual human in charge of this.

Lol. Yes you are, of course, correct.

What I should have said is the Product Manager at Google in charge of the extensions for Chrome is asleep at the wheel.

Microsoft lawyer should file a DMCA for abusing trademark, then it should be resolved quickly
You cannot legally file a DMCA notice for trademarks. The DMCA is for copyrights only.
Microsoft could file a DMCA claim for violating their copyright. Google usually does not verify claims before executing them, and there's no penalty for false claims.
Can confirm that's how it works. Google does not verify that claims are fully filled out (a nearly blank claim form is sufficient), they don't respond to counter-notices in a timely matter (1+ month processing time), and they don't provide information on the claimant that you can use to pursue them for a false claim.
False DMCA claims are penalized under section F of the DMCA.

> (f)Misrepresentations.—Any person who knowingly materially misrepresents under this section—

> (1)that material or activity is infringing, or

> (2)that material or activity was removed or disabled by mistake or misidentification,

> shall be liable for any damages, including costs and attorneys’ fees, incurred by the alleged infringer, by any copyright owner or copyright owner’s authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.

Now, in this instance we're talking about a fraudulent listing, so I can't imagine there's much civil liability to worry about, but the suggestion that there is "no penalty for false claims" is not true.

And also, DMCA claims are made with a statement that they are accurate "under penalty of perjury". I haven't seen anyone convicted under this, but I wouldn't imagine that MS legal would find this to be an acceptable way to solve the issue.

Developer's email harperrodriguez31@gmail.com I don't think Microsoft engineers uses gmail. It could be their real name?
Can we also take a moment to assign partial blame to Microsoft for this situation? Their authentication is a shambles, they try to force you to use their app rather than other 2FA providers and heavily steer you towards having to install Microsoft apps.

And that's if you're lucky and they arbitrarily don't mandate a phone number and an email address for a corporate account. Oh and the email address can't be the primary corporate domain that owns the account because of course what we need is personal emails to authenticate business accounts.

Lord help you if you were ever an early adopter of an onmicrosoft.com domain. You will remain in purgatory until you wipe your accounts and start again.

If the 100M iPhone breach wasn't Apples Fault, this couldn't possibly be MS fault.

Both were due to deficiency of a service.

Needs to be a standard for push notification 2FA.

Does Google still require a phone number for enabling 2FA?

I'm using my standard TOTP 2FA app with my Microsoft account, fwiw.
Slightly offtopic but I think the problem of rogue addons applies to firefox as well. I wish it were possible in firefox to limit which addons can be loaded on a per-container basis. The extensions I want loaded on banking websites, social media and youtube are completely different. And limiting them per-container makes it a relatively simple mental model to reason about.
In that case you can use multiple profiles.
The point of containers is to not have to juggle a bunch of profiles.
Hm, not really, they have different use cases, and Containers was never meant to 100% replace Profiles.

Containers are for being able to keep separate identities in the same browser window, but on a per-tab basis.

Profiles are for being able to separate different browser instances, with all their settings, extensions and so on.

While Profiles was used before to do the same thing that Containers now allow you to do, there are things you cannot do with Containers that you'll need to use Profiles for. Having separate extensions for different sessions is one of those things.

I was able to learn how to use containers quite quickly and some container addons make it very easy to use them. Not so much for profiles, setting up multiple profiles seems very tiresome and honestly whenever I look up how to create multiple profiles I lose interest. Would really love a solution that is as easy to manage and use as containers and allows to control which addons are allowed to load/run.

Edit: Also IIRC multiple profiles cannot be synced across devices through the same firefox account while it is possible with containers

I was just thinking about this the other day. I would love to keep google/gststic blocked in noscript on most containers except the Google container.
I wonder why there's no ONE employee who could read all names of extensions and just click "accept" "reject" whenever they apply

I bet it'd reduce amount of scams significantly

sure, it's easy to make demands like this in an internet comment, but this would cost google easily thousands of dollars a year, it would surely drive them out of business
(comment deleted)
I laughed. (I'm also frustrated by just about everything they do, and the fact that I'm so reliant on it.)
>it would surely drive them out of business

LOL. Agreed

Please recalibrate your irony detector.
It would be more complicated than that in the vast majority of cases. Sure, you would catch people trying to impersonate major corporations that everyone is familiar with. With well trained staff and clear polices you could also catch some more obscure cases, such as companies that serve businesses yet is relatively unknown outside corporate environments. It becomes much more difficult to verify authenticity otherwise since it would involve research, not just reading names. That research would also have to be conducted with care, since all but the most trivial of scams would factor that into their methodology.
It is a very simple extension. No effort to hide the malicious URL.

See the source: https://crxcavator.io/source/mabdjppmcjpjploliggpbonahnjjlgk...

The malware link: hxxp://przekierowanie2.chrome_augustow.pl/?123-Microsoft525896

(comment deleted)
https://crxcavator.io is nice. I always wondered by there is no direct way to easily peek into an extension's source code.
the link is ://przekierowanie2-chrome.augustow.pl/?123-Microsoft525896

for those confused about the underscore in the tld

How about the related one that claims to be from Microsoft, but uses msftliveapps@gmail.com?

https://chrome.google.com/webstore/detail/microsoft-autofill...

I literally can’t tell real from fake on these shitty platforms.

Edit: Or this using msandapp.chrome@gmail.com:

https://chrome.google.com/webstore/detail/microsoft-news-new...

The average person has no chance :-(

How on Earth is "Offered by: Microsoft Corporation" not verified in literally any way whatsoever. That's so poorly vetted it's negligent.

Maybe extensions and apps should be signed by domain ownership?

In general this is a good idea. But in the case of Microsoft--good luck figuring out which of Microsoft's thousands of domains are legit! :)
It would seem to me that Microsoft would choose to link it to microsoft.com so that customers can easily recognize its authenticity.
They have already failed this test: they are already publishing extensions using msftliveapps@gmail.com and msandapp.bgcextn@gmail.com, doubtless many others!
I believe Google requires you publish Chrome extensions with an @gmail address, in which case MS doesn’t really have a choice.
Good grief--that is so evil (not to mention anticompetitive) that I didn't even consider it!
(comment deleted)
Not sure what would make using a Gmail account anticompetitive, but it's also not true. You need a chrome web store account (which they amusingly encourage you not to use your personal email for) which can use any email address.
Any idea what problem Google is solving by requiring the use of gmail?
Naivety on the internet, and people believing what they read on a web page without checking.

Google doesn't require a gmail adresse to publish.

Yeah, I didn't think it made sense.
Absolutely untrue, as mentioned elsewhere in the thread. I have Chrome extensions published under a non-gmail email address.
Microsoft might, I suppose, have a policy against microsoft.com accounts on other firms infrastructure, and therefore if it needs a Google account uses gmail or other non-microsoft.com domains.
Reminds me of Paypal where I'm simply unable to tell whether some mails from them were phishing or not (regardless of time spent investigating these mails), and I believe that virtually no one would be able to tell.
They were even cognizant of the issue to the point where they set up a robo inbox you could forward any suspected phishing emails to and it would reply telling you if it was legit or not. It was something like phishing@paypal.com
It still frustrates me that legitimate Paypal e-mails include really big "click here to login" buttons that link you to their website. Such links are considered a hallmark of phishing, and there are many attempts to prevent people from clicking on such links. Many services I use include text like 'we will never send you such a link you know how to get to our website'.

The fact that paypal does not do this normalizes clicking on links in e-mails.

"use email for notifications, but don't trust email content" is not a solution for most users. If you can't trust email, why even have it? Install a secure app and leave email behind, or make email secure by having clients clearly display cryptographically secured provenance info, and flag unknown/untrusted senders.
There is no alternative to e-mail. Except perhaps for SMS. There is no other method for contacting people that is anywhere near as pervasive. It also has the advantage of being federated, not controlled by any specific entity.

Besides that, compared to WhatsApp and signal, email is generally for longer and less urgent messages. Those fit notifications much better.

In that context an email saying "hey this is whats up, login as you normally do if you want to verify or act accordingly".

It's far from ideal. We will probably come to some form of solution at some point. But at this moment it is a clear no-brainer.

It might be legit. The Microsoft rewards app uses msandapp.bgcextn@gmail.com. I’m guessing 1 million installs makes that legit.

There’s no way even for technical people to make a proper assessment of the trustworthiness of the publisher.

Google has ruined the internet because they want Google Search to be the only “trustworthy” source online. Too bad they suck at it and Google search is a steaming pile of shit now.

That one is legit, I'm guessing Chrome requires users to use a gmail account in order to submit an extension to their store.

https://blogs.windows.com/windowsexperience/2021/02/05/simpl...

Talk about training users to fall for phishing schemes. Plus users have been so desensitized to entering 2FA codes they’ll type them in anywhere. I feel like web security is worse than it was 10 years ago.
We need webauthn not just 2FA
Love how the goalposts keep moving.

First arcane password rules so it takes 5 minutes and half a dozen attempts to come up with a password that is accepted. Then force the user to change it often. Then add email verification. Then SMS/phone verification. Still not good enough, now we all need to have a hardware token to buy the counterfeit garbage for sale on Amazon. Fuck that. It's just not worth the trouble. Honestly the world was a lot easier (if a bit slower) when you dealt with businesses in person or via mail. Fraud and identity theft just doesn't scale in meatspace, so it was never a big problem.

I maintain that most of what we get from the Web and computers, as individuals, is barely better than what we had before, and not enough so to justify its costs. Shopping very much included.

For some context, I grew up very much "OMG wire my brain in, let's get this future shit going!" Years of watching that future develop, and some reflection, have almost entirely reversed that sentiment, for me.

For example: are streaming services convenient? Yeah, of course. Am I actually happier with them than I was with the library, rentals, and the occasional purchased movie? Marginally, if at all. (but I have Internet service for the handful of things it actually is highly beneficial for, so, may as well use streaming, too)

Is shopping online convenient? Yes. Am I happier than when I just had way less idea what was available to buy, and there was more friction to indulging every little purchase-whim? I really wonder. This one may not just be marginally better, but net-harmful.

I can consume an order of magnitude more diverse and interesting media than I could without the internet. I can order exactly the right thing from the internet instead of making do with a kind-of solution from the store.

I think you're remembering what it was like pre-internet with rose-colored glasses.

The internet is great.

We definitely have more of everything data-related and have a much better idea of all the stuff we can buy. I'm skeptical how far that's actually moved the happiness and life-satisfaction needles, in general.

[EDIT] specifically, I think some of our "satisfaction" from this sort of consumption is itch-scratching generated by the possibility of doing it, in the same way that pre-Internet one rarely felt bothered by not knowing some piece of trivia, if no-one around happened to know either. Now it itches until someone looks it up, because you know you can find out quickly. Now if I'm not watching the best possible thing, for example, it itches, but I don't think it would have before. I think to some extent the level of choice available, aside from famously causing analysis-paralysis ("browsing Netflix" is famously an activity all its own, that may or may not end up in ever actually watching anything) also generates the very desire that it's satiating. I'm not sure I was actually less happy watching the best thing I could find at the video store, versus the best thing I can find on streaming services.

I don't know about you, but for me having access to youtube means that I can do things like fix my car, learn about medieval hats, see what kinds of weird animals exist, etc.

These sorts of things improve my life immeasurably and definitely give me a sense of 'satisfaction' that I would not otherwise have been able to achieve paying someone to fix my car, watching a reality show on TLC, or going to the library and reading a book about ducks for the 50th time.

Your problem isn't the Internet, it's the lack of trust busting in the tech space that prevents e.g. Disney from being able to launch its own streaming service or Amazon from promoting its own Basics products. The reason why everything sucks is because big players have zero incentive to change when they aren't punished for favoring themselves. Instagram doesn't even allow you to copy and paste photos anymore.
If you were wearing a size 13 (EU 48) shoes, walking into a store and asking for what they have in your size was exclusively met with "but which do you like". It turns out none of the top 10 choices I asked about would be available, and we'd eventually retreat to "which do you have that I dislike the least?"

With online shopping, I think the biggest wins are for anyone not being in the "common" category (be it the 5-95% size, fashion, usefulness etc): if what you generally need is suitably common, you might miss the physical shopping (try-ons/try-outs for wearables/tools are very useful).

This also means that there is more incentive for non-common products to be produced because the market is larger.

Note that current best practice is simple password rules, with password expiry only when there is reason to do so.

Generally the suggested rules are: be at least 12 characters long, check the password against lists of known passwords.

It could be this MS extension is a companion project to the latest Windows 10 update - the News and Interests taskbar widget.
Microsoft Edge requires a MS Live account.
A Google account, which any organization that has its shit together (and uses Google properties) has set up for their domain.
Which Microsoft, ostensibly, wouldn't be doing. Considering the whole Office 365 product exists and is a direct competitor to Google Suite.
And yet here they are.
Most of the other big extensions have their own domain email. Like Grammarly, 1Password, Zoom, Pocket.

Evernote has a normal Gmail account listed. So maybe this goes hand in hand with having a bad product.

Perhaps those orgs use Google apps?
I have a Google account on an email completely unattached to any other Google services (I think it was an originally migrated pre-Google Youtube account), so I am sure you can have a Google account with any external email address.
It does not. It does require a Chrome web store account, but you can use any email address you want for that.
> I'm guessing Chrome requires users to use a gmail account in order to submit an extension to their store.

Google apps/Gsuite/Google for work (or whatever it’s called now) accounts all work fine.

There’s no requirement to use a gmail.com account.

Source: have published extensions on my own and for my company.

Wow, I looked at the review responses by the developer and assumed from the poor English that it was fake, and reported it.
Considering APPLE goes so far to make you confirm DUNS numbers for a company acct. It seems like this would have been a good mitigating practice and already has precedence. While it’s a PITA it makes sense.
The core issue is that Apple uses humans to evaluate these requests and provide a point of contact with businesses. Google believes any process requiring a human is broken.
I think those are legit. Guessing you need a gmail or gsuite address to publish?
Too bad Microsoft can’t afford a Google Workspace account and has to rely on the free gmail accounts. Lmfao.
I wonder whether foo@x.microsoft.com would look more or less legitimate to the untrained eye.
They could, but what sort of service doesn't allow you to sign up with a random domain? It also wouldn't be better if they had: chrome@msftext.com, or are you suggesting just moving all microsoft.com emails to Google Workspace?

Perhaps it's like YouTube? You cannot buy or use a Youtube Premium subscription with a Google Workspace account. I tried inviting a family member to my Youtube Premium subscription, using her Google Workspace email. It doesn't work, because Youtube doesn't see it as a Gmail account.

@gapps.microsoft.com would be at least better than a random unverifiable @gmail.com address. Google Workspace (is that what we're calling it this week?) lets you use subdomains right?
Let's be real: getting legal and infosec to sign off on that is never going to happen. "We just need to borrow a subdomain of Microsoft.com, give control to our biggest competitor, and sign a contract with them... to get a vanity email address in their store."
It's really not that big of a deal. You can still control the DNS and decide what you set up. And if Google screws you over, they'd be shooting themselves in the face.

All you'd need to actually work would be email, so some MX records on a subdomain. Is it ideal? No. Is it better than all of your users having no way to verify that a Chrome extension is actually you? Infinitely better.

opening a gmail account takes about 30 seconds

vs. months of emails and meetings for something that more or less achieves the same result

Except it doesn't more or less achieve the same result. Also, if it legitimately takes months of meetings to get through something like that, there's a serious issue with your company/process.
> Also, if it legitimately takes months of meetings to get through something like that, there's a serious issue with your company/process.

ever wondered why these large companies end up running things on random domains?

this is why

If you think that it's bad, have a look at https://chrome.google.com/webstore/detail/microsoft-defender.... Over 1 million people are using this crap...
This is why when setting up my relatives' computer I only install Adblock and then make this directory readonly:

    chmod 444 ~/Library/Application\ Support/Google/Chrome/Default/Extensions
Sounds like a great way to get your browser to crash unexpectedly.
Arguably that's better than the alternative, where they get scammed or hacked. I usually edit their desktop shortcut to disable extensions, personally, but I like the parent's solution better.
Even better way to discover which browsers don't handle pretty normal situations (read-only) in a normal way. If Google Chrome is forcing people to allow installation of extensions, it's much better to move to a different browser, than to either live with crashes or live with poor security (in this, parental case).
Yep. I was tired of coming home and seeing a million malware search engines and fake VPNs extensions installed. I'm always puzzled as how they manage to get in there. I'd rather crash the browser than allow this garbage which usually takes a full reinstall to get rid of.
Your comment made me chuckle.

Back in 2008 Chrome was the breath of fresh air, with absolutely spartan look, total lack of extensions and amazing speed, while IE was the opposite. There was good reason for its initial popularity.

And now, looks like Chrome lived long enough to see itself become a villain...

I'm curious which is the new Chrome these days? Personally for me, qutebrowser has taken that spot, but it's a tool geared towards professionals, not exactly for casual users.
I think Firefox. It’s continuously getting faster and uses way fewer resources in my experience. You can make it pretty minimalist like the good old days of Chrome.
how about security updates? i would advise against blocking updates. you're fixing an issue and creating another one.
the chmod isn't recursive, so I'm assuming the subdir for uBO is writable.
Chrome supports enterprise policies on Windows, Linux, and MacOS that allows you to specify allowed extension IDs via ExtensionInstallAllowlist.

https://support.google.com/chrome/a/answer/7517624?hl=en

https://chromeenterprise.google/policies/#ExtensionInstallAl...

This, unlike the "chmod 444," solution will let extensions update.

You can also allow safe extensions that aren't currently installed (but may be later) and the user can remove extensions in the Allow list if so desired (although there is a ExtensionInstallForcelist to stop that too).

Thank you for that!
How do I make my copy of Chrome "enterprise" managed?
Extension offering replication of basic browser functionality sends some major red flags, especially around storing passwords.
That top link screams scam. Replies from the "Product team at Microsoft Autofill" on a personal account, reviews about it taking up to 30% CPU all the time (possible crypto miner), and not using assets from the Microsoft brand.
Here is a crazy conspiracy theory: maybe they are both legit and MS used shady-looking e-mail addresses on purpose. Security-minded people will look at them and call them out, thus bringing to light how shitty the Chrome Extension store vetting process is, undermining Google Chrome's credibility in the process, so that users stay on MS Edge.
Report it for illegal activity instead of posting a negative review, will have a bigger impact.
Also writing a review requires you to install the extension first.
So glad Google has to vet the extensions... they seem to do a pretty good job of stopping scams that way.

Do people like walled gardens just so they have someone to blame when this kind of thing happens? They obviously don't work.

Naive question. How does one know this is malicious before installing it?

I think this would fool me if it wasn't for this thread. The only thing that seems off to me is the lack of information, and hovering over the contact developer shows a gmail address.

I wouldn't have looked at the comments in the reviews as I know what the Microsoft Authenticator does, as I use it constantly on my mobile device. So in this instance, I could have seen myself finding this link, clicking Add to Chrome without much thought.

I can surely see how an average user would fall for this and it's frightening.

>Naive question. How does one know this is malicious before installing it?

You can't, that's the problem.

yeah, the chrome marketplace is the wild west. probably the easiest way to get hacked is to install some extensions from there, like this one https://chrome.google.com/webstore/detail/microsoft-autofill... that is from "Microsoft Corporation" but has a gmail contact address. the android app store is probably not much better. google just doesn't care about the users. they invest in good tech and launch shiny products that get some market share and then leave the users to deal with the automated replies while engineers go to build the next shiny thing.
Pretty low effort too. It's just a popup with a button that links to hxxp://przekierowanie2-chrome.augustow.pl/?123-Microsoft525896 , which then redirects to hxxps://extensions-install.com/?123-Microsoft525896

The form itself doesn't look particularly MS-like, and the grammar is pretty bad.

One of the things that stuns me, is that for as effective as phishing and scam ads are today, they could be hundreds of times more effective if someone put the effort in to run them through a spell check in the target language.

It sometimes seems like the saving grace to society is that criminals aren't actually all that smart.

This one may have been run through a spell checker. The spelling is fine. It's the grammar/phrasing:

"Complete the installation register an account."

"How to register? Create an account and then verify, it is anti spam protection."

Isn't this sometimes intentional, to act as a filter of sorts, for more prospectful targets?
It can be, particularly for scams which require human interaction. But for an extension that collects phishing data, there's no point in it: If people enter data into it, they are a good target.
Email scammers have been A/B testing their pitches for a long time now. The evidence is clear: dumbing down the pitch is far more effective than attempting to capture more sophisticated users.
Email scammers and phishing forms have different per attempt costs.