Google Wipes Over 500 Malicious Chrome Extensions From Web Store

engine

12:28 pm on Feb 14, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Google has taken steps to remove over 500 malicious Chrome extensions from the Web Store which were inserting ads into user browsing sessions. Reports indicate over 1.7 million installs of the extensions.

The malicious code injected by the extensions activated under certain conditions and redirected users to specific sites. In some cases, the destination would be an affiliate link on legitimate sites like Macys, Dell, or BestBuy; but in other instances, the destination link would be something malicious, such as a malware download site or a phishing page.


[zdnet.com...]

lammert

4:18 pm on Feb 15, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I always wonder about the revenue model behind free tools. Injecting ads or involvement in malware seems a logical way to monetize browser extensions and I doubt Google was able to find all badly behaving extensions in their Web Store.

Robert Charlton

9:24 am on Feb 16, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



This is the last paragraph in the ZDNet story. Note the link to "Duo report", which is fascinating...


A list of extension IDs that were part of this scheme are listed in the Duo report [duo.com]. When Google banned the extensions from the official Web Store, it also deactivated them inside every user's browser, while also marking the extension as "malicious" so users would know to remove it and not reactivate it.

Thoughts, questions....
- How can Google have an official Web Store that allows 500+ malicious Chrome extensions? I understand from the "Duo report" that "the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users", but still... hadn't Google tested these extensions up until now? Has there been no testing?

- I was, though, impressed by this in the ZDNet story: "When Google banned the extensions from the official Web Store, it also deactivated them inside every user's browser, while also marking the extension as "malicious" so users would know to remove it and not reactivate it."

- In part, I answered my own question by reading the parts of the Duo report, which was clearly enough written that a non-programmer like me could follow most of it.... It goes into more detail about how elaborate some of the extension infrastructure was. That said, considering the numbers of users exposed, I'm not completely reassured.

From the point I started using software, it seems to me, I've been a beta-tester all my life.

- CRXcavator, the new tool used to explore extensions, was assumed as a known quantity in all of the above material. A good elaboration on what it's for, also found by search, is here:

"Democratizing Chrome Extension Security"
[duo.com...]

Here's a chunk of text that gives the flavor...
...CRXcavator fills the gap between what Google deems safe enough for distribution via the Web Store, and what users or businesses deem safe for their own use based on their own individual risk preferences.

Duo scanned 120,463 Chrome extensions and apps in January 2019 and found that many developers are not consistently ensuring the security of their third-party libraries, reducing their access to user data to the minimum needed for the extension to function, or providing information about the privacy implications of their extensions.

Specifically, Duo found that 38,289 extensions (31.8 percent) use third-party libraries that contain publicly known vulnerabilities. Another area where we hope to see extensions (including apps) improve for administrators is ensuring that privacy policies and support sites are available and easily accessible. Currently, 102,029 extensions (84.7 percent) do not have a privacy policy listed, and 93,080 (77.3 percent) do not have a support site listed. These are easy fixes that will drastically improve the security and transparency for administrators evaluating extensions for their organizations....

Again, I'm glad they've now got such a thing... but the numbers are really frightening.

tangor

10:32 am on Feb 16, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It cannot be said often enough: Ordinary housekeeping is essential!

500? Whew!