Skip to main content

Google to Start Locking Down Chrome Extensions

(Image credit: Piotr Swat/Shutterstock)

Browser extensions have become a core part of the browsing experience. People use extensions to improve their security, protect their privacy and enable features that browser makers have yet to include with their core offerings. But the popularity of browser extensions has also made them a prime target for bad actors (not the Shakespearean kind) which is why Google announced that it's locking down Chrome extensions.

Google revealed several changes, some of which are effectively immediately and some of which are taking effect in the coming months, regarding Chrome extensions. The one that most directly affects Chrome users is the ability to restrict host access to a list of specific websites and force extensions to request access to the current page. Here's how Google explained the reasoning behind this change in its blog post:

"While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability."

That change is set to arrive with Chrome 70 in mid-October. (It is also set to bring shape detection features, web authentication support and some compromises to Google's decision to automatically sign people into the browser when they accessed its services.) Other changes to the Chrome Web Store went into effect today: an updated review process and a requirement for extensions not to use obfuscated code.

The updated review process will increase scrutiny of extensions that "request powerful permissions" or "use remotely hosted code." Google said this is supposed to help it make sure extensions released via the Chrome Web Store aren't requesting access to unnecessary information or exposing user data by using remote code. The company also plans to subject extensions using remote code to "ongoing monitoring."

More extensive reviews will require greater access to extensions' code. That's part of the reason why Google will no longer let developers use obfuscated code for new extensions, and even developers whose extensions are already available will have to remove any obfuscated code within the next 90 days. Those who don't will have their extensions removed from the Chrome Web Store sometime in early January.

This restriction will also directly affect user security and privacy. Google said that 70 percent of "malicious and policy violating extensions" it doesn't allow into the Chrome Web Store feature obfuscated code. There's a chance that some of the extensions released to the store also violate the company's rules; they just aren't caught because their code was better hidden. Requiring everything to be out in the open could prevent that.

Aside from those changes, Google also said that extension developers wold be required to enable two-factor authentication starting in 2019. This is supposed to make it harder for attackers to compromise popular extensions and use them to steal user data. The company will also release Manifest v3 in 2019 with "additional platform changes that aim to create stronger security, privacy, and performance guarantees."

All of these changes are meant to help people trust Chrome extensions. That's a laudable effort -- companies that offer centralized distribution systems need to make sure they're actually preventing bad actors from making their way in. Most have failed in the past, just like Google has with the Play Store and Apple did with the Mac App Store, and these improvements could help prevent similar problems from reoccurring.

Google's timing is also convenient, of course, given the backlash it received for the sign-in changes made in Chrome 69. Nothing makes people forget a privacy issue (or, depending on who you ask, a breakdown in communications) quite like promising to protect them from other threats. That doesn't mean the changes aren't necessary or weren't in the works for a while. It just means that Chrome probably could use the goodwill.

  • shrapnel_indie
    The company also plans to subject extensions using remote code to "ongoing monitoring."

    There goes some performance. How much depends on how deeply the monitor and the algorithms used.

    Google also said that extension developers wold be required to enable two-factor authentication starting in 2019.
    shouldn't would be spelled with a u?

    It just means that Chrome probably could use the goodwill.
    Chrome can use all the goodwill it can get. Google threw out the "do no evil" mantra... Google has been known to sell our data themselves. That means that this can also be seen as a possible snuff the competition as well... yeah it's an extreme take admittedly, but not completely out of the question.
    Reply
  • alan_rave
    Two-factor authentication.That s another way to collect users data.
    Reply
  • beoza
    Browser, security is only as strong as the end user. Lets face it people are stupid, not the average Toms reader but the general population out there. Hackers and those with malicious intent will find ways around the security. Google can design a better mouse trap while those with bad intentions are building a better mouse; which has always been the case throughout history.

    On a side note I stopped using Chrome months ago after it kept telling me sites were not reachable or had some other issue. I tried multiple solutions found around he web but none worked. The same sites it couldn't reach worked fine in Firefox, Edge, IE 11 and Opera.
    Reply
  • Peter Martin
    lol, yeah, this will only build better hackers and bigger idiots.
    Reply
  • Christopher1
    BEOZA, it might be good to post the names of the actual sites in question so that Chrome devs can fix the issue or inform them that "Hey, these websites are not working anymore!"
    Reply
  • secretxax
    None of this matters anymore, Google. You screwed up the browser with the sign-in crap, and noone smart will continue to use it.
    Reply
  • velocityg4
    "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability."

    Does this concern anyone? This could easily be interpreted as. Adblockers and script blockers won't work as well. Especially if they try to block Google Ads.
    Reply
  • cryoburner
    21374390 said:
    "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse - both malicious and unintentional - because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data. In subsequent milestones, we’ll continue to optimize the user experience toward this goal while improving usability."
    Does this concern anyone? This could easily be interpreted as. Adblockers and script blockers won't work as well. Especially if they try to block Google Ads.
    This was the first thing I thought of as well. It seems like not so much a security feature as an attempt by one of the largest online advertising corporations to discourage people from blocking their ads and tracking scripts by spamming them with an endless stream of popup dialogs as extensions are required to "request access to the current page". Maybe these kinds of annoyances will encourage people to move on to better browsers that are not run by companies with such questionable motives. Chrome is arguably worse for user privacy than IE ever was, and has successfully taken its place as the most widely used garbage browser that people probably shouldn't be using.
    Reply