Google Cracks Down on Malicious Chrome Extensions in Major Update

Google on Monday announced major changes to its Chrome Web Store as the company tries to ax the malicious extensions that have continuously popped up on its platform over the years.

The array of security improvements include a stricter extension review process, new code-readability requirements that block extensions with obfuscated code, required two-step verification, user controls for host permissions and a future new extensions manifest version (which is aimed at helping developers write secure extensions).

“We’ve recently taken a number of steps toward improved extension security with the launch of out-of-process iFrames, the removal of inline installation and significant advancements in our ability to detect and block malicious extensions using machine learning,” said James Wagner, Chrome Extensions product manager, in a Monday post. “Looking ahead, there are more fundamental changes needed so that all Chrome extensions are trustworthy by default.”

As a first step, kicking off today, the Chrome Web Store will no longer allow extensions with obfuscated code – a method which is mainly used to conceal code functionality. Wagner said that obfuscation is used in over 70 percent of malicious extensions blocked from Chrome Web Store.

Developers who have extensions in the store with obfuscated code can instead submit a new compliant version that uses “minification” – the process of removing unnecessary or redundant data without impacting how the resource is processed by the browser.

“Extension developers will now face a new crop of requirements when submitting extensions for approval to Google,” Jessica Ortega, web security analyst at SiteLock, told Threatpost. “Immediately this includes requiring developer accounts to utilize two-factor authentication and disallowing extensions to use obfuscated code. Extensions that currently include obfuscated code will have to display the actions their code is executing and resubmit for approval.”

Also launching this week is a renewed extensions-review process – requiring extensions that request powerful permissions to undergo additional compliance review.

“We’re also looking very closely at extensions that use remotely hosted code, with ongoing monitoring,” said Wagner. “Your extension’s permissions should be as narrowly-scoped as possible, and all your code should be included directly in the extension package, to minimize review time.”

Beginning in Chrome 70 (the next version of Google Chrome to be released in mid-October), users will have a new option to restrict host access to a custom list of websites, as well as require extensions to wait for a user click before accessing the homepage.

Wagner said that Google hopes the move will decrease extension misuse: “Our aim is to improve user transparency and control over when extensions are able to access site data,” he said.

In 2019, the final two Google Chrome changes will roll out. Google in 2019 will require Chrome Web Store developer accounts to enroll in two-step Verification. This feature adds an extra layer of security to popular extensions by requiring a second authentication step from a mobile device or a physical security key.

“It’s great and absolutely necessary that they are now requiring two-step verification,” Andrew Proctor, network engineer with OpenVPN. “This essential security step will help protect developers’ accounts from being compromised and, in that way, will help protect users from possible malicious extensions.”

Also in 2019, Google plans to introduce the next extensions manifest version, dubbed Manifest v3. This version will promote more narrowly-scoped APIs, which will to decrease the need for overly-broad access, as well as additional, easier mechanisms for users to control the permissions granted to extensions.

“Manifest v3 will entail additional platform changes that aim to create stronger security, privacy and performance guarantees,” said Wagner. “We want to help all developers fall into the pit of success; writing a secure and performant extension in Manifest v3 should be easy, while writing an insecure or non-performant extension should be difficult.”

Chrome has time and again been a target of malicious extensions. In January, researchers discovered four malicious extensions in the official Google Chrome Web Store with a combined user count of more than 500,000. An extension in 2017 was used infamously by Brazilian criminals to commit banking fraud, while another one, found in 2017, downloaded and installed a .cab file on victims’ computers, which captured all the information they entered on any website and sent it to a remote server.

Google has also recently come under fire for privacy issues, after a researcher discovered that in Chrome 69, Google automatically signs users into the Chrome browser when they sign into any other Google service.

Zach Koch, Chrome product manager at Google, responded after the company faced backlash, vowing change in Chrome 70 to “better communicate our changes and offer more control over the experience.”