Google is shutting down an often-used vector for delivering malicious Chrome extensions to users by removing the inline installation option.
What will happen?
The announcement was made by Extensions Platform Product Manager James Wagner, who explained that, from Tuesday onwards, inline installation will be unavailable to all newly published extensions.
“Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation,” he noted.
Then, on September 12, 2018, the inline installation option will be disabled for all existing extensions – users who move to install an extension from a third-party site will be automatically redirected to the Chrome Web Store to complete the installation.
Finally, in early December, the inline install API method will be removed from Chrome 71.
The reasoning behind the decision
“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly — and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites,” Wagner explained.
Until now, users were able to install extensions hosted on the Chrome Web Store from third-party websites. Before installing them, they would see a window with limited information about the plugin.
They would not immediately see user reviews, and negative user reviews are what can tip them off that the extension is not what it seems.
“As we’ve attempted to address this problem over the past few years, we’ve learned that the information displayed alongside extensions in the Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension. When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation,” he shared.
This change will force writers of deceptive or malicious extensions to work harder to convince users to install their apps and, hopefully, make them fail more often. It is to be hoped that Google will also step up its efforts to prevent these extensions from being offered in the Chrome Web Store.
Wagner also confirmed that the change will not affect enterprise forced installs of extensions.