Over a couple of years, we have seen a significant rise in malicious extensions that appear to offer useful functionalities, while running hidden malicious scripts in the background without the user's knowledge.
However, the best part is that Google is aware of the issues and has proactively been working to change the way its Chrome web browser handles extensions.
Earlier this year, Google banned extensions using cryptocurrency mining scripts and then in June, the company also disabled inline installation of Chrome extensions completely. The company has also been using machine learning technologies to detect and block malicious extensions.
To take a step further, Google announced Monday five major changes that give users more control over certain permissions, enforces security measures, as well as makes the ecosystem more transparent.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
Here are the new changes Google has included in Chrome 70, which is scheduled to arrive later this month, to make extensions more secure:
1) New Host Permissions for Chrome Extensions
Until now, if an extension asks for permission to read, write, and change data on all websites, there is no option available using which users can explicitly blacklist or white list a specific set of websites.
"While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse—both malicious and unintentional—because they allow extensions to automatically read and change data on websites," says James Wagner, Chrome extensions product manager.
However, starting from Chrome 70 (currently in-beta), users will be able to control when and how Chrome extensions can access site data, allowing them to restrict access for all sites and then grant temporary access to a specific website when required, or enable permissions for a specific set of websites or all sites.
Chrome extension Developers are advised to make these changes to their extension as soon as possible.
2.) Google Bans Code Obfuscation for Chrome Extensions
It's no secret that even after all security measures on a place, malicious Chrome extensions find their ways to get into the Chrome Web Store.
The reason being obfuscation—a technique primarily aimed at protecting the intellectual property of software developers by making programs harder to understand, detect or analyze.
However, malware authors often use packing or obfuscation techniques to make it difficult for Google's automated scanners to review extension and detect or analyze the malicious code.
According to Google, more than 70% of "malicious and policy violating extensions" that it blocks contain obfuscated code. However, with Chrome 70, the Chrome Web Store will no longer allow extensions with obfuscated code.
New extension submissions to the Chrome Web Store have to be free of obfuscated code starting immediately, and developers have 90 days to clean their Chrome extensions of obfuscated code, whether it is in the extension package or fetched from the web.
3) Mandatory 2-Step Verification for Developers
Last year, we saw a new wave of phishing attacks aimed at hijacking popular browser extensions through phishing, and then updating them with malicious code and distribute to their tens of millions of users.
Well, Two-Step Verification can prevent that from happening. Starting with January, Google will require developers to enable two-step verification on their Chrome Web Store accounts to lower the risk of hackers taking over their extensions.
"If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account, and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key," Wagner says.
4) New Extensions Review Process… and It's Strict!
With Chrome 70, Google will also start performing a more in-depth review of extensions that ask for "powerful permissions."
Besides-this, the company will also start closely monitoring extensions with a remotely hosted code to spot malicious changes quickly.
5) New Manifest Version 3 For Chrome Extensions
Google also plans to introduce a new version of the extensions platform manifest, version 3, which aims at enabling "stronger security, privacy and performance guarantees."
Google will introduce Manifest version 3 in 2019, which will narrow the scope of its APIs, make permission control mechanisms easier for users, and support new web capabilities such as the Service Workers as a new background process.
With more than 180,000 extensions in the Chrome Web Store, Google believes these new changes would make browsing the Web more secure for millions of users.