Google announced today that it will be implementing new policies on how developers publish their extensions. From now on, Google Chrome will also handle extensions that need a lot of permissions differently. This is to increase the security of the browser.
It shouldn’t come as a surprise to anyone that extensions are one of the main sources of cyberattacks. Hackers use malicious extensions to gain access to users’ private data. Google has vastly improved Chrome’s security features over the years.
Chrome has been able to detect potentially harmful extensions even before they are released to the Web Store. Google has also ensured that when the extensions do get installed, they are unable to cause any more damage.
In Chrome version 70, users can limit the host access given to extensions to their own custom lists of sites. This is to prevent extensions from tracking users’ site visits. Everybody knows that extensions can manipulate the way webpages interact with users.
Malicious extensions can manipulate websites in a way that can harm computers. Keeping a check on every extension and every website visited is nearly impossible.
To ease this situation, users will be able to give an extension access to only the current webpage with just a click.
Google explained, “While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse — both malicious and unintentional — because they allow extensions to automatically read and change data on websites.”
Extensions that require permissions to sensitive information, which Google terms “Powerful permissions”, will now be open to stricter scrutiny. Naturally, the company will also be closely monitoring extensions that host their code on a remote server.
Since extension creators can remotely alter their code, it leaves a lot of potential for disaster.
In other avenues, Google says that it will be refining APIs and releasing more sophisticated algorithms. This will give users more control over the data they share with the extensions they use.
From 2019, Google will require developers to secure their accounts using 2-factor authentication. This will prevent hackers from gaining access to a developer’s account and injecting malware into the code.
From today, developers will no longer be able to upload extensions containing obscure code (the official term is obfuscated code). There are still a few months to go before this change goes live.
Programmers jumble their source code to make it harder for others to steal it. The programmer might not have any ill intent while obfuscating their code, but it still creates problems for Google.
This process makes it hard for the Silicon giant to decipher what the code is meant to do. Moreover, 70 percent of malware-infested extensions and those that try to get around Google’s monitoring system use obfuscated code.
Google will remove all such extensions from the Web Store within the next 3 months, 90 days to be precise.
As if Chrome couldn’t get any better, they are introducing such policies to ensure the safety of their users. No wonder Chrome is the most popular web browser in the world.