Google taking new steps to prevent malicious Chrome extensions

Google has announced plans to further restrict Chrome extensions in the Chrome Web Store.

We've seen a spate of malicious extensions this year; the extensions do things like steal credentials and participate in click fraud schemes. The malicious extensions take advantage of the considerable access to the Web pages that extensions have.

Google has already taken some steps to limit malicious extensions. Last year, a stringent multi-process model was used to extend the reach of the third-party devices (instead of forcing all facilities to go via the Chrome Web Store). This feature will be fully removed in Chrome 71 in December.

The first new measure is to give the users of extensions One of the most powerful extensions is the ability to read and write data on any site; in Chrome 70, due later this month, extension users will be able to restrict access to specific domains. This change does not prevent malicious extensions outright, but it can not prevent the damage.

The other measures are applied to the extension development process. Google says it's going to be more powerful than ever. This article should not be used in the future, but it should be kept in mind, but it will be replaced by the article.

Google is also prohibiting extensions using obfuscated code. Minified code (that is, code that has had extraneous whitespace and long variable names removed) will still be permitted, because the minification process is generally easy to reverse, but code that is outright obfuscated-manipulated in such a way as to conceal its functionality hinder its readability-is no longer allowed in new extensions. Instead, obfuscated code will be banned for existing extensions in 90 days. Google says that some 70 percent of malicious extensions use obfuscated code. Prohibiting it should make it easier, because it will make the JavaScript code easier to understand.

Extension developers will also have to do more to protect their developer accounts. From 2019, developers will have to enable two-factor authentication for their accounts. The concern is that they have developed a hacked account, their extensions can be tampered with and made malicious. Two factor authentication makes it difficult to compromise accounts in the first place.

Next year, Google also plans to introduce a new extension manifest, which will give users more control over the permissions they need. more restricted permissions in the first place.