IDG News Service >
 

Google calls time on third-party Chrome extensions to turn security screw

o John E Dunn
29.05.2014 kl 13:34 | Techworld.com

Google Chrome users on Windows can now only install browser extensions through the Web Store, the search giant has announced, fulfilling a long-standing promise to tighten security.

 

Google Chrome users on Windows can now only install browser extensions through the Web Store, the search giant has announced, fulfilling a long-standing promise to tighten security.

In a follow-up FAQ, the firm urges developers that haven't already done so to either migrate extensions to the Store where users will have to re-enable them or start using inline installation redirecting to Google's servers.

Users of Chrome apps downloaded direct from third-party sites will now see a "Suspicious Extensions Disabled" message, Google said. Extensions would stop working until hosted by Google.

"Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity. If you notice strange ads, broken web pages or sluggish browsing after installing some new software or plugins, you could be affected," said Google by way of explaining the security rationale.

It's a security model based on that used to secure the Chrome OS running Google's Chromebooks, which have always required verified software installation via the Web Store. As for Chrome on Windows, Google has been working on this for a while, turning off third-party installs by default as long ago as July 2012.

With Chrome 35 reaching users last week it all sounds like a worthy tightening of security but some issues are worth pointing up. While it's certainly the case that third-party malicious extensions are a known pest (usually installed after some social engineering), the Chrome Web Store has had its problems too.

In 2012, cybercriminals managed to sneak extensions designed to hijack Facebook Likes on to the Store while more recently spammers exploited legitimate extensions that had changed ownership, using them to push ads.

Generally speaking, Google's policing of rogue extensions have improved in line with somewhat better filtering of Android apps. The weakness remains Google's vetting of developers. That will be the new front line in stopping the small but determined industry pushing malicious extensions.

Keywords: Security  
Latest news from IDG News Service

Copyright 2009 IDG Magazines Norge AS. All rights reserved

Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000

Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen