Google Introduces Changes to Make Chrome Extensions Safer
Recognizing how important it is for users to be able to trust that the extensions they install not only perform well but are also safe and preserve their privacy, Google has recently taken steps to improve the detection of malicious add-ons to its popular browser using machine learning techniques. Now the company has announced new changes intended to make all Chrome extensions trustworthy by default, which means, among other things, successfully preventing cryptojacking and hidden mining.
According to a blog post, starting from Chrome 70, users will have the option to restrict the access of different extensions to a custom list of sites. In addition, they will be able to configure extensions to ask for confirmation when they attempt to gain access to a certain page. Host permissions allow extensions to automatically read and change data on websites, which has led to malicious misuse in many cases, the company said, adding:
“Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability.”
Google further detailed that in the future, extensions requesting powerful permissions will be subject to additional compliance review. The team that’s preparing the changes is also closely examining extensions using remotely hosted code. Addressing the developer community, Google says: “Your extension’s permissions should be as narrowly-scoped as possible, and all your code should be included directly in the extension package, to minimize review time.”
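As an illustration of the narrow-scoping advice above, the following added example (not code from Google or from the original article) audits an extension manifest for all-sites host patterns and for remote script origins allowed by a Manifest V2 content security policy string. The function name auditManifest, the sample manifest and its domains are constructed for illustration.

```javascript
// Added example: flag all-sites host access and remote script origins
// in a Chrome extension manifest. Not Google's code.

// Host match patterns contain "://"; "<all_urls>" is the special catch-all.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Host part of a match pattern, e.g. "*://*.example.com/*" -> "*.example.com".
const hostOf = (p) => (p === "<all_urls>" ? "*" : p.split("://")[1].split("/")[0]);

function auditManifest(manifest) {
  const findings = [];
  // MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
  const sources = {
    permissions: manifest.permissions || [],
    optional_permissions: manifest.optional_permissions || [],
    host_permissions: manifest.host_permissions || [],
    content_scripts: (manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  };
  for (const [field, entries] of Object.entries(sources)) {
    for (const p of entries) {
      if (typeof p !== "string" || !isHostPattern(p)) continue; // API permission, not a host
      if (hostOf(p) === "*") findings.push({ field, value: p, issue: "all-sites host access" });
    }
  }
  // MV2 "content_security_policy" is a string. An http(s) origin in script-src
  // lets the extension run code that is not in the reviewed package.
  const csp = typeof manifest.content_security_policy === "string" ? manifest.content_security_policy : "";
  const scriptSrc = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src")) || "";
  for (const token of scriptSrc.split(/\s+/).slice(1)) {
    if (/^https?:\/\//.test(token)) {
      findings.push({ field: "content_security_policy", value: token, issue: "remote script source" });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical extension, placeholder domains).
const sampleManifest = {
  manifest_version: 2,
  name: "Example Extension",
  permissions: ["storage", "tabs", "<all_urls>", "https://*.example.com/*"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self' https://cdn.example.net; object-src 'self'",
};

console.log(auditManifest(sampleManifest));
```

Patterns limited to a named domain, such as the https://*.example.com/* entry in the sample, pass the check; only patterns whose host part is a bare wildcard are reported.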
Two-Step Verification for Chrome Web Store Developer Accounts
According to another change in the rules governing the review process for new extensions, one that has already been introduced, Chrome Web Store will no longer allow extensions with obfuscated code. The new policy, which applies to all new extension submissions, covers code within the extension package as well as any external code or other resource fetched from the web.
Google notes that existing extensions with obfuscated code can continue to submit updates over the next 90 days. However, they will be removed from the Chrome Web Store in January if they are not fully compliant with the new requirements. The company claims that 70% of the extensions it currently blocks contain obfuscated code. Many of them are either malicious or violate the applicable policies.
Other changes that concern extension developers include the introduction of mandatory enrolment in two-step verification for their accounts. The measure is expected to improve their security and protect them against hijacking. Google also plans to introduce additional security, privacy, and performance-enhancing changes in 2019 as part of the next extensions manifest version. Manifest v3 will include more narrowly scoped APIs, decreasing the need for overly broad access. It will also feature simplified control mechanisms for user-granted permissions.