Mario and Luigi are out to get you.
It sounds ludicrous, but it's a real fear if you plan on downloading two new versions of the classic Nintendo games "Super Mario World" or "Super Mario World 2," both reformatted as apps for Google's Chrome Web Store.
In exchange for letting you squash angry turtles on the way to saving Princess Peach, these apparently unauthorized "Super Mario" apps can access your data on all websites, your browsing history, all your bookmarks and possibly even other apps you've installed and your physical location.
(There is no indication Nintendo is involved with either of these apps; both apps were developed by someone calling himself "chromitude." Requests to Nintendo for comment were not immediately returned.)
If you think that what Evil Mario and Luigi want sounds like a gross invasion of privacy, you're not alone.
Game wants more than just your participation
"WAAAAY too much permissions asked. Why need bookmarks, browse history and all website data? I recommend not to use this app," a March 23 comment on the "Super Mario" app download page reads.
A May 11 post expresses similar bewilderment at the game, which already has more than 42,000 users: "Why does this game require access to my data on all web pages?? Not reasonable with those accesses. Will not install this. Looks like some scam to me."
A March 7 user comments for "Super Mario 2" — 13,726 users — highlights the severity of an app that has such complete access to your Web habits.
"This item can read every page that you visit — your bank, your web email, your Facebook page and so on."
"This gives your computer a virus," reads a comment posted five days ago.
Mikko Hypponen, chief research officer for the Finnish security firm F-Secure, told SecurityNewsDaily that he believes these rogue-looking "Super Mario" apps are not fraudulent, but rather cases of "aggressive marketing" designed to profile "your online use so they can market to you better."
What is Google doing to keep the Web store safe?
It doesn't take much certification to get an app in Google's Chrome Web Store. Developers are required to a pay a one-time $5 registration fee "in order to verify developer accounts and better protect users against fraudulent activity," Google writes in a Chrome Web store blog.
After that, the floodgates are open, and developers can publish as many apps as they want.
This, of course, could be a huge problem if a developer happens to have a mean streak. So what else, then, does Google to do ensure the safety of its Chrome apps?
"You agree that if you use the Web Store to distribute Products, you will protect the privacy and legal rights of users," section 4.3 of Google's Chrome Web Store Developer Agreement reads.
The agreement explains that if developers collect sensitive data provided by users, "it must do so securely and only for as long as it is needed."
Google's hands-off approach
Google, however, retains the right to take a decidedly lax security stance when it comes to policing the Chrome apps.
Although it retains the right to review or test products, Google said it "is not obligated to monitor the Products or their content."
"We don't make a habit out of commenting on individual apps," a Google spokesperson told SecurityNewsDaily in an email. "That said, we can ask our teams to investigate this one, and we will take the appropriate action in accordance with our policies."
The Google spokesperson added, "By making user rating and reviews available for all apps in the store, we believe the community will also flag these apps, either for removal, or with poor ratings."
"They are pushing the responsibility away from themselves onto the end users ... who can't handle it," Hypponen told SecurityNewsDaily.
Google, of course, isn't the only company to put the burden of security on app developers.
"It's too easy to criticize Google," Hypponen added. "Remember, Microsoft is not reviewing Windows apps either."
What could possibly go wrong?
Google's policy toward the Chrome Web Store mirrors its approach to the Android Market, which distributes apps for Google's Android smartphone and tablet platform. (Android and Chrome are separate products.)
Each Android device fully informs the user, before installation, which permissions each app will give itself. The Chrome Web Store does the same. But the warnings haven't stopped Android malware from spreading, and it's not clear the Chrome warnings will either.