There has been some recent online discussion about games from the Chrome Web Store requesting excessive permissions. These games are extensions for Google Chrome. To access various aspects of Chrome, certain permissions are required; for example, to allow access to the Bookmark manager to update bookmarks. The “Super Mario 2” app is offered by the developer “chromitude”, which is associated with Slice Factory, a company that develops services and browser extensions to remix Web data. The extension requests permissions which seem excessive for simply playing a game. These permissions are:
· Access to bookmarks
· Notification of new tabs being created
· Access to all URLs
To determine why these permissions are required for the game and what the extension actually does, Symantec analyzed the app. The extension consists of two parts. The first is the “Super Mario 2” game, which is a benign Flash-based game. It doesn’t access Chrome in any of the ways the permissions require.
Figure 2. Injected toolbar
The toolbar contains a link to install an extension. When installed, this extension provides a feed to Le Monde, displaying new news articles. The same extension is advertised on the slicefactory.com Web site, as shown in Figure 3.
Figure 3. SliceFactory advertising Le Monde extension
The Super Mario 2 game has since been removed from the Chrome Web Store.
We contacted Slice Factory who stated:
Slice Factory also have published some additional games on the Chrome Web Store under the “chromitude” developer account, including:
- Platform Racing 2
We are currently analyzing these versions of the applications published by chromitude. These versions are not those specifically offered by the owners of the official game brands.
Uninstalling a Chrome web app can be done by opening a new tab, mousing over an app icon, clicking on the wrench icon, and selecting “Uninstall”. Uninstalling an extension can be done by selecting the Tools | Extensions menu in Chrome.
We recommend also reviewing Google's guidance regarding permissions and trusting unknown app developers.
Leave a reply