Google has announced a number of security changes in the Chrome extensions system: a more thorough extensions review process, better user controls, and a new manifest that should provide stronger security, privacy, and performance guarantees.
The Chrome Web Store will also no longer allow extensions with obfuscated code and, starting next year, Google will require all developer accounts to be additionally secured with 2-step verification.
A number of popular Chrome extensions were hijacked through phishing last year. More recently, an email campaign impersonating a Google employee and asking developers to provide a valid postal address has been mounted with the same goal: lead them to a fake login page.
“If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account, and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key,” says James Wagner, Chrome Extensions Product Manager.
Keeping an eye on extensions
Google is giving developers 90 days to clean their extensions of obfuscated code (whether it’s in the extension package or fetched from the web). New extension submissions have to be free of obfuscated code starting immediately.
“Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes,” Wagner explains.
Minification of code – removal of whitespace, code comments, shortening of variable and function names, etc. – is still allowed as it is much relatively straightforward to review.
Google will also start performing an additional compliance review of extensions that request powerful permissions and will start closely monitoring extensions that use remotely hosted code, to quickly spot malicious changes.
Less-broad access and permission
Starting with Chrome 70 (currently in beta, scheduled to be released this month), users will be able to restrict extension host access to a custom list of sites or to configure extensions to require a click to gain access to the current page.
“While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse – both malicious and unintentional – because they allow extensions to automatically read and change data on websites. Our aim is to improve user transparency and control over when extensions are able to access site data,” Wagner explained.