2. I don't work on Chrome anymore and have not for 8 years. I should have made that more clear.
3. I was responding to the claim: 'the entire chain of people working on this has been asleep at the wheel'. OP was assuming this bug has existed forever. I know for a fact it hasn't, because I remember caring about getting this right and implementing custom UI for it. I also listed some other things we improved over status quo at the time, which refute this claim.
4. Based on my knowledge of how this all used to work, it's not as big an issue as the original article and several people in this thread are making it seem, because the review process is really the primary safety check in the system. It needs to be because, as many have noted, most users don't read the dialog. Extensions are required to have a single purpose and extraneous permissions aren't allowed. And if an extension with a large number of permissions was approved, extensions (and updates) are reviewed both with automated and manual processes, and it would be difficult to get a malicious extension through the process or to get large numbers of users on it.
I still agree the bug should be fixed. We cared a lot about getting this UI right when we originally implemented it, and it's unfortunate that it regressed.
1. I agree the bug should be fixed.
2. I don't work on Chrome anymore and have not for 8 years. I should have made that more clear.
3. I was responding to the claim: 'the entire chain of people working on this has been asleep at the wheel'. OP was assuming this bug has existed forever. I know for a fact it hasn't, because I remember caring about getting this right and implementing custom UI for it. I also listed some other things we improved over status quo at the time, which refute this claim.
4. Based on my knowledge of how this all used to work, it's not as big an issue as the original article and several people in this thread are making it seem, because the review process is really the primary safety check in the system. It needs to be because, as many have noted, most users don't read the dialog. Extensions are required to have a single purpose and extraneous permissions aren't allowed. And if an extension with a large number of permissions was approved, extensions (and updates) are reviewed both with automated and manual processes, and it would be difficult to get a malicious extension through the process or to get large numbers of users on it.
I still agree the bug should be fixed. We cared a lot about getting this UI right when we originally implemented it, and it's unfortunate that it regressed.