ARSTECHNICA.COM
Here's how hucksters are manipulating Google to promote shady Chrome extensions
KEYWORD SPAM
How do you stash 18,000 keywords into a description? Turns out it's easy.
Dan Goodin, Jan 8, 2025 6:46 pm

Image caption: Welcome to the Chrome Web Store

The people overseeing the security of Google's Chrome browser explicitly forbid third-party extension developers from trying to manipulate how the browser extensions they submit are presented in the Chrome Web Store. The policy specifically calls out search-manipulating techniques such as listing multiple extensions that provide the same experience or plastering extension descriptions with loosely related or unrelated keywords.

On Wednesday, security and privacy researcher Wladimir Palant revealed that developers are flagrantly violating those terms in hundreds of extensions currently available for download from Google. As a result, searches for a particular term or terms can return extensions that are unrelated, inferior knockoffs, or carry out abusive tasks such as surreptitiously monetizing web searches, something Google expressly forbids.

Not looking? Don't care? Both?

A search Wednesday morning in California for Norton Password Manager, for example, returned not only the official extension but three others, all of which are unrelated at best and potentially abusive at worst. The results may look different for searches at other times or from different locations.

Image caption: Search results for Norton Password Manager.

It's unclear why someone who uses a password manager would be interested in spoofing their time zone or boosting the audio volume. Yes, they're all extensions for tweaking or otherwise extending the Chrome browsing experience, but isn't every extension? The Chrome Web Store doesn't want extension users to get pigeonholed or to see the list of offerings as limited, so it doesn't just return the title searched for. Instead, it draws inferences from the descriptions of other extensions in an attempt to promote ones that may also be of interest.

In many cases, developers are exploiting Google's eagerness to promote potentially related extensions in campaigns that foist offerings that are irrelevant or abusive. But wait: Chrome security people have put developers on notice that they're not permitted to engage in keyword spam and other search-manipulating techniques. So how is this happening?

One way is by abusing a language translation feature built into the extension description system. For reasons that aren't clear, Google allows descriptions to be translated into more than 50 different languages. Rather than blanket a description with a wall of text in the language of the users the developers want to target, they stash it in the description for an alternative tongue. Developers trying to reach Europeans often sacrifice some Asian languages such as Bengali, Palant said. Developers targeting Asians, by contrast, tend to choose European languages like Estonian.

Even when a description is tailored to a specific language, the keywords it contains still count toward searches made in every other language. This allows developers to plaster tens of thousands of misleading keywords into descriptions without the appearance that they run afoul of Google policies.

Palant wrote:

"Apparently, some extension authors figured out that the Chrome Web Store search index is shared across all languages. If you wanted to show up in the search when people look for your competitors, for example, you could add their names to your extension's description, but that might come across as spammy. So what you do instead is sacrifice some of the less popular languages and stuff the descriptions there full of relevant keywords. And then your extension starts showing up for these keywords even when they are entered in the English version of the Chrome Web Store. After all, who cares about Swahili other than maybe five million native speakers?"

An example of this technique in action can be found in the extension named Charm - Coupons, Promo Codes, & Discounts. When viewed in languages including English, the description is concise and gives the impression of a legitimate, privacy-focused extension for receiving discounts.

Viewing the entire descriptions file the developers provided to Google tells a very different story. Descriptions specified for languages such as Armenian, Bengali, and Filipino list the extension's name as "RetailMeNot Retail Me Not Fakespot Fake spot Slickdeals," "promo code The Camelizer wanteeed Cently Acorns Earn," and "Coupert Karma CouponBirds Coupon Birds Octoshop discount." The name in Telugu even invokes the names of PayPal and CNET, both of which develop competing extensions.

Image caption: Description showing extension names.

More misleading still are the keywords loaded into language-specific long descriptions. There are more than 18,000 of them. The keywords aren't displayed when viewing the description in most languages, but they nonetheless affect the results of extension searches in the Chrome Web Store.

Image caption: A small sampling of the more than 18,000 keywords for the extension.

Palant identified 920 Chrome extensions that use the technique. He traced them back to a handful of clusters, meaning groups that appear to come from related developers. They are:

Palant said most of the extensions also used other approaches to manipulate Chrome Web Store placement, including using competitors' names, using different names for the same extension, and placing keywords within or at the end of descriptions.

In an interview, Palant said he has alerted Google to these sorts of coordinated manipulations in the Chrome Web Store in the past. And yet they persist and are easy to spot by anyone with an interest in doing so.

"Google isn't monitoring spam," he wrote. "It wasn't that hard to notice, and they have better access to the data than me. So either Google isn't looking or they don't care."

Google didn't respond to an email asking if it's aware of the spam or has plans to stop it.

Dan Goodin, Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.
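The per-language description abuse the article describes leaves a measurable trace in an extension's own files, and a reviewer or store auditor can check for it mechanically. The script below is an added example, not code from Ars Technica or from Palant; it assumes the standard Chrome extension layout of `_locales/<code>/messages.json` files holding `{"message": "..."}` entries that manifest.json references as `__MSG_key__`, and the sample data is constructed to mirror the pattern quoted above.

```python
import json
import re
import statistics
from pathlib import Path

TOKEN = re.compile(r"\w+")  # crude word tokenizer; Unicode-aware in Python 3


def msg_key(manifest_field):
    """'__MSG_extDesc__' -> 'extDesc'; a literal (untranslated) string yields None."""
    m = re.fullmatch(r"__MSG_(\w+)__", manifest_field or "")
    return m.group(1) if m else None


def load_locales(ext_dir):
    """Map each locale code to its parsed _locales/<code>/messages.json."""
    return {p.parent.name: json.loads(p.read_text(encoding="utf-8"))
            for p in Path(ext_dir).glob("_locales/*/messages.json")}


def _token_counts(locales, key):
    return {loc: len(TOKEN.findall(msgs.get(key, {}).get("message", "")))
            for loc, msgs in locales.items()}


def stuffed_descriptions(locales, key, ratio=5.0, min_tokens=200):
    """Locales whose description is long in absolute terms AND far longer than the
    median locale: the signature of a keyword dump parked in a rarely viewed language."""
    counts = _token_counts(locales, key)
    baseline = max(statistics.median(counts.values()), 1) if counts else 1
    return {loc: n for loc, n in counts.items() if n >= min_tokens and n > ratio * baseline}


def padded_names(locales, key, max_tokens=6):
    """Locales whose *name* is a run of many words; real names are short,
    lists of competitors' names are not."""
    return {loc: n for loc, n in _token_counts(locales, key).items() if n > max_tokens}


# Constructed sample in messages.json shape. The Armenian ("hy") name is the string the
# article quotes; the stuffed description is synthetic filler, not real keywords.
SAMPLE = {
    "en": {"extName": {"message": "Charm - Coupons"},
           "extDesc": {"message": "Finds coupon codes at checkout. No tracking."}},
    "de": {"extName": {"message": "Charm - Gutscheine"},
           "extDesc": {"message": "Findet Gutscheincodes an der Kasse. Kein Tracking."}},
    "hy": {"extName": {"message": "RetailMeNot Retail Me Not Fakespot Fake spot Slickdeals"},
           "extDesc": {"message": " ".join(f"coupon{i} promo{i}" for i in range(300))}},
}
```

On an unpacked extension, run `stuffed_descriptions(load_locales(path), msg_key(manifest["description"]))` and `padded_names(load_locales(path), msg_key(manifest["name"]))`; on the sample, only the "hy" locale is flagged by both checks.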