Might at least make these attacks harder if users could disable extension updates, or had to opt into them. Most of these extensions are simple and don't really need to be updated, yet the update mechanism is silent full auto bada bing bada boom no rollbacks. I can't think of any updates more aggressive, not even Steam.
Yet another opportunity to recommend Firefox to readers.
I'm not sure I advise doing it, but you can go to about:addons and hit the gear icon and you can uncheck "Update Addons Automatically". Even better, click on an extension and under the "details" tab there's an option per-addon to set whether you want automatic updates or not, so you can disable updates just for the one addon you don't trust (or enable updates just for the one addon you do trust).
Also, want to run older version of an extension? The Mozilla Addons page for each extension has a list of every release and you can download each version independently as a signed XPI file if you want to sideload it.
The big thing I wish Mozilla would add is self-compiled releases like F-Droid does, especially since their ill-advised signing process means it's hard for users to compile an extension from source -- it's way too easy for a submitted extension to deviate from its source code. But that (admittedly large) issue aside, Firefox offers a lot of control for users who want to manage their own extension versions. Forced automatic updates are a Chrome problem.
Yeah, that's very nice. The only reason I'm even aware of how Chrome does it is because we're forced to use Chrome at work. We're allowed to use some vetted internal extensions with it, and I do, but someone pushed an update that broke an extension by accident. Then I was like, why is this a thing.
