Easy solution to any Chrome extension possibly getting sold to spam ads is to disable automatic updates and manually inspect and install all updates for all of my extensions?
I mistakenly installed a Minecraft modloader for my son without checking it out first. It silently installed a couple of local Chrome extensions that injected ads in every page. It would reinstall them (again, silently) every time you deleted them. It wasn't detected by Microsoft Defender or Avast until I ran Malwarebytes, which took care of the problem.
So, pardon my French, but no freaking way do I want any local Chrome extensions allowed by default anymore.
For extensions from the Chrome store, perhaps Chrome should make updates more like on Android, where you are notified and can click for more info.
If you are running arbitrary code on your box, then local installed Chrome extensions aren't the real problem now, are they?
That code could, I dunno, run a local HTTP/S proxy (install a trusted cert) and MiTM your HTTP requests and inject ads that way. Or about a million other things.
And it's funny Chrome is trying to prevent apps from doing that, when they themselves do the same thing: In Windows, pinning to the taskbar is supposed to be user-only. But Chrome circumvents that and pins anyways, actively avoiding user preference. (And they drop an icon on the desktop, without asking.)
Follow http://superuser.com/questions/290280/how-to-download-chrome... in order to download the crx file manually.
Then unzip it and vet it manually to be clean.
Copy it in a folder, enable extension developer mode in Chrome and install the local copy of the extension.
No autoupdate, everything's fine.
Unfortunately Google plans to disallow local extensions, which is a major disaster and very evil: http://thenextweb.com/google/2013/11/07/google-block-local-c...
What happened to that?
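The manual vetting step described in the comment above (download the crx, unzip it, check it before loading the local copy), as an added example that is not part of the thread: Python that strips the CRX2/CRX3 container header and reports what the packaged manifest asks for. The function names and the sample extension are constructed for illustration.

```python
import io, json, struct, zipfile

# Match patterns that let an extension read or modify every page.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def crx_zip_offset(data: bytes) -> int:
    """Return where the ZIP payload starts inside a CRX2 or CRX3 file."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:  # magic, version, key_len, sig_len, key, sig, zip
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    if version == 3:  # magic, version, header_len, header, zip
        (header_len,) = struct.unpack_from("<I", data, 8)
        return 12 + header_len
    raise ValueError(f"unsupported CRX version {version}")

def review_crx(data: bytes) -> dict:
    """Summarise what the packaged manifest requests, without installing it."""
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as z:
        manifest = json.loads(z.read("manifest.json"))
        scripts = sorted(n for n in z.namelist() if n.endswith(".js"))
    perms = [p for key in ("permissions", "host_permissions")
             for p in manifest.get(key, []) if isinstance(p, str)]
    matches = [m for cs in manifest.get("content_scripts", [])
               for m in cs.get("matches", [])]
    return {
        "name": manifest.get("name"),
        "permissions": perms,
        "broad_host_access": sorted(BROAD.intersection(perms + matches)),
        "update_url": manifest.get("update_url"),  # None: manifest declares no update source
        "scripts": scripts,  # the files still to be read by hand
    }

def build_sample_crx3() -> bytes:
    """Constructed sample: CRX3 framing, placeholder header bytes, tiny ZIP."""
    manifest = {"name": "Sample Helper", "version": "1.0", "manifest_version": 2,
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
                "update_url": "https://updates.example.invalid/crx"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("inject.js", "// constructed placeholder script\n")
    header = b"\x00" * 8  # stands in for the signed protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(review_crx(build_sample_crx3()), indent=2))
```

This does not verify the CRX signature and does not judge the scripts; it only shows which permissions and host patterns to question and which files remain to be read.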