Fraud spike prompts Chrome developer lock-out

Google Chrome extension developers have been left high and dry for weeks as the company struggles to cope with a spike in fraud on the Chrome Web Store.

In an announcement posted to the Chromium extensions Google Group on 24 January, an Extensions Developer Advocate said:

Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users. Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.

Disabling the publishing feature has caused problems for developers with extensions that take one-off payments or subscriptions, or which sell in-app purchases, she added in the post. They might receive rejections from the Chrome store, citing ‘Spam and Payment in the Store’ as the cause. They could fix the problem by replying to the rejection email and asking for an appeal. Google might then invite them to republish the item at its discretion. Developers would have to go through this rigmarole with each new version they published while the company sorted out the problem.

Judging by developers’ responses to the post, though, Google’s pattern of replies was patchy at best. An extension developer going by the name Fatty Noparents said:

I have written multiple times replying to the rejection letter about two of my paid extensions that existed in the Store for more than a year. I have not received any reply, and the extensions are still in the Pending review status.

Other developers responding to the blog post reported that their accounts had been suspended and that the emails they received either accused them of deceptive behaviour or gave no reason at all. In some cases, their payment accounts were also cancelled, even if they managed to get their accounts reinstated.

The issue has been ongoing for at least a couple of weeks. On 9 January, Thomas Guillory, senior engineering manager at well-known password management software vendor Dashlane, posted to a Google Group complaining of the problem. He said:

It’s even happening on our internal extension, which is unlisted and only used by employees. We didn’t manage to get a clear answer on what is the issue.

Vincent told him to contact developer support, but according to another developer in the conversation, the team responded that it was unable to help.

Google didn’t elaborate on the nature of the fraud, but on Monday Vincent updated the post to clarify that only items using the Chrome Web Store payments system were affected.
