[Privacy and security bug] Brave not disabling extensions removed from the Chrome Web Store as malware, e.g., Nano Defender

lookmeupunder404 · October 23, 2020, 7:43am

Description of the issue:

I was using the Nano Defender browser extension on Brave. Its Chrome Web Store page was here (currently leads to a 404 not found error page). I’ve just recently launched Chrome which also has this extension installed, it gave me a notification that this extension has been disabled and that it contains malware. Upon further research, I found out that Nano Defender was removed from the Chrome Web Store and marked as malware days ago. More info in this article: Google removes two Chrome ad blockers caught collecting user data

There is no similar warning for Brave nor did it disable Nano Defender, despite me using Brave daily. I even tried updating my Brave extensions. I believe this is a major privacy and security issue.

Steps to Reproduce (add as many as necessary): 1. 2. 3.
Not easily reproducible

Install an extension from the Chrome Web Store for both Brave and Chrome
Find out that it has later been marked as malware and removed from the Chrome Web Store
Notice that Chrome will give a notification that this extension has been disabled and will mark it as containing malware. Brave will not do the same and will keep the extension enabled with no mark of it being malware.

Actual Result (gifs and screenshots are welcome!):

Brave does nothing, no notifications, no marking, nor did it disable the malware extension.

Expected result:

To be like what Chrome does: notify, disable and mark the extension as malware.

Reproduces how often:
This issue is not easily reproducible, but it has happened to me twice already. In Chrome, where I also had the same extensions installed, I always got a notification that the extension has been disabled and that it contains malware.

Operating System and Brave Version(See the About Brave page in the main menu):
Brave Version 1.15.76 Chromium: 86.0.4240.111 (Official Build) (64-bit) on Windows 7

Additional Information:
I’ve reported a similar issue months ago for another extension marked as malware - to no avail: Brave is not disabling or marking extensions that have been removed from the Chrome Web Store as malware

EDIT: Found out that this was also the same case with the Ratings Preview Bar for YouTube extension, which was also removed from the Chrome Web Store and marked as malware.

fmarier · October 23, 2020, 6:54pm

Sorry we missed your first report. We are looking into what we believe is the root cause of that problem: https://github.com/brave/brave-browser/issues/12297

Next time you find a security problem like this, feel free to report it via our security bug bounty program: https://hackerone.com/brave?type=team&view_policy=true

system · November 22, 2020, 6:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Brave is not disabling or marking extensions that have been removed from the Chrome Web Store as malware Desktop Support windows	1	846	April 7, 2020
Automatic disabling of extensions Desktop Support windows	2	651	November 2, 2021
Extension store bug of browser information Desktop Support windows	1	296	December 22, 2020
Brave just disabled the LastPass extension Desktop Support windows	4	695	September 22, 2019
How can I prevent Brave from disabling my extensions? Ad-Blocking	1	151	June 29, 2024
How Brave is Going to Handle Google's Chrome Web Store disabling Manifest V2 Extensions? Desktop Support windows	1	557	June 23, 2024
Chrome notifies about dangerous extensions, not Brave? Desktop Support windows	6	411	March 19, 2023
Chrome store extension Browser Support windows	6	2638	July 4, 2022

[Privacy and security bug] Brave not disabling extensions removed from the Chrome Web Store as malware, e.g., Nano Defender

Related topics