Google is bringing in stricter rules for Chrome extension developers, a move should reduce the risk of crypto hacks and mining malware.
Announced Monday, the web and technology giant is planning a series of changes to the way Chrome handles extensions that request extensive permissions, and is also tightening the rules for developers distributing extensions via the Chrome Web Store.
Google said in a blog post:
“It’s crucial that users be able to trust the extensions they install are safe, privacy-preserving, and performant. Users should always have full transparency about the scope of their extensions’ capabilities and data access.”
From Chrome 70 (currently in beta), users will have the ability to restrict an extension’s access to a custom list of sites, or to set extensions to require permission each time they need to gain access to a page, the company explains.
Google adds that extensions that request “powerful permissions” will be subjected to “additional compliance review.”
“We’re also looking very closely at extensions that use remotely hosted code, with ongoing monitoring,” the post states.
The firm explains the move, saying “While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse – both malicious and unintentional … Our aim is to improve user transparency and control over when extensions are able to access site data.”
Google also said that, from Monday, Chrome Web Store will no longer allow extensions with hidden, or obfuscated, code. Existing extensions with obfuscated code have 90 days to comply with the new rule, it adds.
According to the post, more than 70 percent of “malicious and policy violating extensions” that Google blocks from the Web Store contain obfuscated code. Further, as obfuscation is “mainly used to conceal code functionality,” it greatly adds to the complexity of the Google’s extension review process.
“This is no longer acceptable given the aforementioned review process changes,” Google stated.
And in a final security measure, in 2019, all extension developer accounts must be protected by 2-step verification to lower the risk of hackers taking over an account.
In the past, Chrome extensions have been used by cyber-criminals to provide access to victims machines.
For example, just a month ago, hackers uploaded a malicious version of the Mega extension to the Web Store. People who used the official installer over the next few hours had their accounts compromised, according to ZDNet – including users of the MyEtherWallet and MyMonero crypto wallets, and decentralized exchange IDEX.
Google has also been forced to crack down on extensions that used downloaders’ devices to mine cryptocurrencies without their knowledge. In April, the Web Store blocked extensions that mine cryptocurrencies, whether or not mining was a deliberate feature.