Chrome’s Mario Gives Up Rescuing Princesses, Steals Data

We’re used to privacy and security scandals in this day and age. Sony, of course, recently leaked millions of users’ data (including credit card details) from their PlayStation Network just after Apple and Google were accused of tracking their users’ location. In recent years, we’ve come to expect that our data might get leaked at some time in our online careers. The latest revelation, however, comes from Chrome – and its accompanying web application store.

The Chrome Web Store was silently purged of two applications recently, both Flash-based Super Mario games that were reported to have access to your browsing history, bookmarks and other website data.

So long-eh Browser!

To be honest, that quote has nothing to do with this article, but I thought the pun was too hard to ignore. Nonetheless, Google kicked out two Super Mario games from their online directory of Chrome-compatible web applications following concerns over their data access. Mobile security blogger David Rogers recently posted his concerns over the Chrome Web Store’s security model and deemed it worrying.

According to Rogers, when the Super Mario games were released on the Chrome Web Store, they were heavily advertised as featured apps. Launching a game at the click of a button can be a great way to indulge yourself in a bit of time-wasting and the Mario game is launched by the click of a button to the right of the search bar.

As you can see from the screenshot above, installing this application will allow it to access your data on all websites, your bookmarks and your browsing history. Now, why would a game need all that? Unfortunately, I cannot answer that question, but it’s shocking to think that it has access to this data from anyone who is careless enough to ignore the box (most likely the majority of installers).

The application page for the previously-available Chrome version of Super Mario 2, supplied by Rogers.

Mamma Mia!

The interesting thing is that this game was released as an extension, but not as a web application. Possibly not, but it seems it was done in this way in order to get these permissions. And the permissions aren’t exactly light, either. They could easily find your email address, peruse your browsing history, and spam you with contextual ads or could influence some other sort of scam.

This is a little scary for consumers, especially since they aren’t aware of it from the start. The possibilities of what someone could do with this type of data are unfathomable, and it all stems from a simple Flash game.
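The three kinds of access named in the install box correspond to entries in an extension's manifest.json, so they can be checked before installing. The check below is an added example, not code from this article, Rogers or Google; both manifests in it are constructed, and the removed games' actual manifests are not reproduced here.

```javascript
// Added example: flag broad permissions in a Chrome extension manifest.
// Permission names and match patterns are Chrome's; both manifests are constructed.
const RISKY_API = new Map([
  ['history', 'read browsing history'],
  ['bookmarks', 'read and change bookmarks'],
  ['tabs', 'see URLs and titles of open tabs'],
]);
// Match patterns that cover every site rather than one named host.
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists hosts inside "permissions"; V3 moves them to "host_permissions".
  const requested = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of requested) {
    if (typeof p !== 'string') continue;
    if (RISKY_API.has(p)) findings.push({ permission: p, reason: RISKY_API.get(p) });
    else if (ALL_SITES.test(p)) findings.push({ permission: p, reason: 'access data on all websites' });
  }
  // Content scripts reach page data through their own match patterns.
  for (const script of manifest.content_scripts || []) {
    for (const m of script.matches || []) {
      if (ALL_SITES.test(m)) findings.push({ permission: m, reason: 'content script on all websites' });
    }
  }
  return findings;
}

function verdict(manifest) {
  const findings = auditManifest(manifest);
  const allSites = findings.some((f) => f.reason.includes('all websites'));
  const personal = findings.some((f) => ['history', 'bookmarks'].includes(f.permission));
  if (allSites && personal) return 'review-before-install';
  return findings.length > 0 ? 'check-justification' : 'no-broad-permissions';
}

// Constructed manifest requesting the access listed in the install box.
const SAMPLE_GAME = {
  name: 'Example Platform Game',
  permissions: ['history', 'bookmarks', 'http://*/*', 'https://*/*'],
};
// Constructed manifest scoped to a single host.
const SAMPLE_SCOPED = { name: 'Example Notes', permissions: ['storage', 'https://notes.example.com/*'] };

console.log(verdict(SAMPLE_GAME), auditManifest(SAMPLE_GAME));
console.log(verdict(SAMPLE_SCOPED));
```

A verdict of `review-before-install` means the manifest combines all-site access with history or bookmark access, the combination the install box above describes.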

Google has already responded to the controversy over this particular application.

It appears that the blogger you referenced actually witnessed these protections at work. By looking at the clearly visible permissions that signal the level of access that is being requested, as well as the user reviews featured prominently on the page, users can make a determination if an app is suspicious or not. This transparency helps people make informed decisions about which applications they trust.

Chrome, of course, isn’t the only browser with such extensions; Firefox also has a similar system. The main concern seems to be that these permissions are granted under the restart-less installation of the extension, without any additional prompting other than the small notice on the promo page. Additionally, most users get so used to accepting any terms and conditions, they’re unlikely to pay attention to these warnings without an additional security prompt, and even then many would continue to ignore it.

Apple, of course, are famous for their walled, curated garden of application stores, which no one can doubt does help minimise security flaws. Of course, this isn’t suited to everyone’s taste, but openness does come with the price of added security risks. Luckily, they’ve been abolished for this particular application (since it’s disappeared off the store), but the potential and opportunity are still there. And with the unquestioned installation process, the motive is too.

Editor’s Notes: This is also a good reminder that you should pay attention to the alerts, license agreements, notifications, and more that we so carelessly click through daily. A surprising number of security problems can be avoided if users actually realize what they’re installing and what it will do!

Did you download this application while it was up? Do you read the permissions prompt box before installing? Share your thoughts in the comments.
