Google has made several new announcements for its Chrome Web Store that aim to make Chrome extensions more secure and transparent to users.
Over the past couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionality while running hidden malicious scripts in the background without the user’s knowledge.
However, the best part is that Google is aware of the issues and has proactively been working to change the way its Chrome web browser handles extensions.
Earlier this year, Google banned extensions using cryptocurrency mining scripts and then in June, the company also disabled inline installation of Chrome extensions completely. The company has also been using machine learning technologies to detect and block malicious extensions.
To take this a step further, Google announced Monday five major changes that give users more control over certain permissions, enforce security measures, and make the ecosystem more transparent.
1) New Host Permissions for Chrome Extensions
Until now, if an extension asked for permission to read, write, and change data on all websites, there was no option that let users explicitly blacklist or whitelist a specific set of websites.
“While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse—both malicious and unintentional—because they allow extensions to automatically read and change data on websites,” says James Wagner, Chrome extensions product manager.
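As an added illustration (not from the original article or from Google), the following JavaScript audits an extension's manifest for the all-site host access described above. The sample manifest is constructed, and `classifyPattern`, `auditManifest` and `requestsAllSites` are hypothetical helper names.

```javascript
// Constructed sample manifest, not taken from any real extension.
const sampleManifest = {
  manifest_version: 2,
  name: "Sample Notes Helper (constructed)",
  permissions: ["storage", "tabs", "https://mail.example.com/*", "*://*/*"],
  optional_permissions: ["https://*.example.org/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }]
};

// Classify one entry; returns null for API names such as "storage".
function classifyPattern(entry) {
  if (entry === "<all_urls>") return "all-sites";
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(entry);
  if (!m) return null;                      // not a host match pattern
  const host = m[2];
  if (host === "*") return "all-sites";     // every host on that scheme
  if (host.startsWith("*.")) return "all-subdomains";
  return "single-host";
}

// Collect host patterns from every manifest key that can grant site access.
function auditManifest(manifest) {
  const sources = [
    ["permissions", manifest.permissions],
    ["optional_permissions", manifest.optional_permissions],
    ["host_permissions", manifest.host_permissions]  // Manifest V3 key
  ];
  for (const cs of manifest.content_scripts || []) {
    sources.push(["content_scripts.matches", cs.matches]);
  }
  const findings = [];
  for (const [source, list] of sources) {
    for (const entry of list || []) {
      if (typeof entry !== "string") continue;
      const scope = classifyPattern(entry);
      if (scope) findings.push({ source, pattern: entry, scope });
    }
  }
  return findings;
}

// True when the extension can read and change data on every website.
function requestsAllSites(manifest) {
  return auditManifest(manifest).some(x => x.scope === "all-sites");
}

console.log(auditManifest(sampleManifest));
```

Running this over an extension's unpacked `manifest.json` before installing or approving it shows which keys grant site access and how wide each grant is.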
2) Google Bans Code Obfuscation for Chrome Extensions
It’s no secret that even with all the security measures in place, malicious Chrome extensions find their way into the Chrome Web Store.
The reason is obfuscation, a technique primarily aimed at protecting the intellectual property of software developers by making programs harder to understand, detect or analyze.
However, malware authors often use packing or obfuscation techniques to make it difficult for Google’s automated scanners to review extensions and detect or analyze the malicious code.
3) Mandatory 2-Step Verification for Developers
Last year, we saw a new wave of phishing attacks aimed at hijacking popular browser extensions, then updating them with malicious code and distributing them to their tens of millions of users.
Two-Step Verification can prevent that from happening. Starting in January, Google will require developers to enable two-step verification on their Chrome Web Store accounts to lower the risk of hackers taking over their extensions.
“If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account, and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key,” Wagner says.
4) New Extensions Review Process… and It’s Strict!
With Chrome 70, Google will also start performing a more in-depth review of extensions that ask for “powerful permissions.”
Besides this, the company will also start closely monitoring extensions with remotely hosted code to spot malicious changes quickly.
5) New Manifest Version 3 For Chrome Extensions
Google also plans to introduce a new version of the extensions platform manifest, version 3, which aims at enabling “stronger security, privacy and performance guarantees.”
Google will introduce Manifest version 3 in 2019, which will narrow the scope of its APIs, make permission control mechanisms easier for users, and support new web capabilities such as Service Workers as a new background process.
With more than 180,000 extensions in the Chrome Web Store, Google believes these new changes would make browsing the Web more secure for millions of users.