In a bid to ensure that the Chrome Web Store doesn’t host any malicious Chrome extensions, Google routinely updates the platform’s privacy policies. Back in October 2018, the company announced one such update which was aimed at making extensions more secure. As part of the update, Google introduced new user controls for host permissions, made changes to the extensions review process, added new code readability requirements, and made 2-Step Verification necessary for Chrome Web Store developer accounts. While such changes are great for keeping malicious extensions off the platform, they now seem to be affecting legit Chrome extensions like Pushbullet and Join.
The developers behind Pushbullet and Join were recently alerted by Google that their extensions didn’t comply with the Chrome Web Store’s privacy policy and violated the “Use of Permissions” section. When the developers reached out to Google inquiring how their extensions violated the privacy policy, the company reverted back with a generic reply that states:
“Your product violates the “Use of Permission” section of the policy, which requires that you:
- Request access to the narrowest permissions necessary to implement your product’s features or services.
- If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.
- Don’t attempt to “future proof” your product by requesting a permission that might benefit services or features that have not yet been implemented.”
In response to the aforementioned reply, Pushbullet’s developer reduced the extension’s permission requests and resubmitted the extension for review. However, the updated extension was rejected once again and the company gave the same reason as before. When asked for further clarification, Google didn’t respond to the developer’s email. The developer now plans to make a few other changes to the permission requests and submit the extension for review again. But that brings up another issue. Chrome Web Store’s privacy policy states that multiple resubmission “may also result in the suspension of related Google services associated with your Google account” as Google’s automated system might think that the developer is trying to find a way around the rules with multiple submissions.
Just submitted an updated extension for another review! This attempt removes our optional clipboard permissions (which disables feature they are needed for sadly) and limits our localhost request to only the port we need. Fingers crossed we hit the mark this time!
— Pushbullet (@pushbullet) May 13, 2020
Sadly though, the developer is left with no other option and has submitted another update with more changes to Pushbullet’s permissions requests. It’s also worth noting that even if the developer’s Google account isn’t suspended due to multiple submissions, they have less than 7 days to update the extension or it will be removed from the Chrome Web Store. When the developer shared this issue on Twitter, two Google developer advocates for Chrome developers had this to say:
Will take a proper read through this, but @DotProto may already have thoughts.
— Rowan Merewood (@rowan_m) May 13, 2020
Yeah, that’s where I’m still catching up. The changes you’ve made look good at first blush, so I’m a little lost on the follow-up rejection. I’m going to open an appeal to get a second opinion.
— Simeon.__proto__ (@DotProto) May 13, 2020
Similarly, Join’s developer also reached out to Google for clarification but received the same generic response. What’s even worse is that when the developer tried to justify Join’s permission requests to the company, he received the same responses over and over again. Despite several attempts, Google didn’t explain what exactly needed to be changed in the extension and said that it couldn’t “provide any additional information regarding the issue.”
While both the Join and PushBullet Chrome extensions may very well violate Google’s User Data Privacy guidelines, it’s inarguable that the company could have done a better job of communicating exactly how both are in violation, so that the developers can easily fix the issue. At the time of writing, there were no further updates from the developers regarding the matter. We’ll update this post as and when we learn more about the situation.
Source: Pushbullet blog, Joaoapps
