Google calls time on third-party Chrome extensions to turn security screw

Google Chrome users on Windows can now only install browser extensions through the Web Store, the search giant has announced, fulfilling a long-standing promise to tighten security.

In a follow-up FAQ, the firm urges developers that haven't already done so to either migrate extensions to the Store where users will have to re-enable them or start using inline installation redirecting to Google's servers.

Users of Chrome apps downloaded direct from third-party sites will now see a "Suspicious Extensions Disabled" message, Google said. Extensions would stop working until hosted by Google.

"Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity. If you notice strange ads, broken web pages or sluggish browsing after installing some new software or plugins, you could be affected," said Google by way of explaining the security rationale.

It's a security model based on that used to secure the Chrome OS running Google's Chromebooks, which have always required verified software installation via the Web Store. As for Chrome on Windows, Google has been working on this for a while, turning off third-party installs by default as long ago as July 2012.

With Chrome 35 reaching users last week it all sounds like a worthy tightening of security but some issues are worth pointing up. While it's certainly the case that third-party malicious extensions are a known pest (usually installed after some social engineering), the Chrome Web Store has had its problems too.

In 2012, cybercriminals managed to sneak extensions designed to hijack Facebook Likes on to the Store while more recently spammers exploited legitimate extensions that had changed ownership, using them to push ads.

Generally speaking, Google's policing of rogue extensions have improved in line with somewhat better filtering of Android apps. The weakness remains Google's vetting of developers. That will be the new front line in stopping the small but determined industry pushing malicious extensions.

This story, "Google calls time on third-party Chrome extensions to turn security screw" was originally published by Techworld.com.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Related:
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.