CIO

New Chrome extension rules aim to tackle questions over trustworthiness

  • Liam Tung (CSO Online)
  • 02 October, 2018 07:56

Google is rolling out new rules and vetting processes for Chrome extensions to restrict untrustworthy apps. 

Google has outlined a number of incoming changes that will give users more control over extension access to browser data, tighten the extension review process, and prevent extensions from using obfuscated code. The changes are intended to ensure that "Chrome extensions are trustworthy by default", according to Google.

Also, beginning in 2019, Google will require developer accounts on the Chrome Web Store to have enrolled in Google's two-step verification system, which should reduce the risk of compromised extensions being published.

While the new rules have been in the works for some time, they follow a recent incident affecting users of the popular Mega.nz Chrome extension, which attackers trojanized to steal usernames and passwords for Amazon, Google, Microsoft and GitHub accounts, as well as private keys for several cryptocurrency wallets.

Mega.nz criticized Google for preventing Chrome Web Store publishers from submitting cryptographically signed extensions -- a rule that may have been exploited by the attackers to upload a compromised version of the extension. The company noted that the Firefox add-on was signed, and therefore could not have fallen victim to the same attack technique.

The new user controls will be available in Chrome 70 due out later this month and will let users whitelist the sites they wish to give extensions permission to access. The control is aimed at extensions that request permission to read and change site data.  

Users will also be able to configure extensions so that a click is needed when the extension attempts to access the current page. The controls will be available in the chrome://extensions page and the extension’s context menu. 

Extensions whitelisted for certain sites will require the user to click to grant permission to access sites they have not been approved for. If an extension has been approved to run on all sites, it will be able to access any site.

The extension review process will now include additional checks that will focus on extensions that use remotely hosted code. Google notes that all extension code should be included directly in the extension package. Most of the extensions banned from the store use obfuscated code, according to Google.

And beginning today, all new extensions are banned from including obfuscated code within the extension package itself and from using externally hosted code. Google is giving developers of existing extensions 90 days to comply and will remove them from the Chrome Web Store in early January if they have not complied by then. The ban on obfuscated code should help streamline Google's more stringent review process.
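As an added illustration (not Google's review tooling and not code from the article), here is a small Node.js audit of an unpacked extension's files for the two things the tightened review targets, remotely hosted code and likely obfuscation. The patterns and thresholds are assumed heuristics chosen for the example, and the sample extension is constructed.

```javascript
// Static audit of an unpacked Chrome extension for remotely hosted code and
// obfuscation indicators. Heuristics below are assumptions for illustration;
// a real store review does considerably more.

const REMOTE_CODE_PATTERNS = [
  /<script[^>]+src\s*=\s*["']https?:\/\//i,   // HTML page pulling JS from a remote host
  /importScripts\s*\(\s*["']https?:\/\//,      // worker loading remote JS
  /\.src\s*=\s*["']https?:\/\/[^"']+\.js/,      // script element pointed at remote JS
  /\bnew Function\s*\(|\beval\s*\(/,            // runtime code execution, often fed from the network
];

const OBFUSCATION_PATTERNS = [
  /_0x[0-9a-f]{4,}/,          // identifier style produced by common JS obfuscators
  /(\\x[0-9a-f]{2}){8,}/i,    // long runs of hex-escaped string data
];

function auditManifest(manifest) {
  const csp = manifest.content_security_policy || "";
  // Chrome's default extension CSP is "script-src 'self'; object-src 'self'";
  // any https:// host in script-src permits loading code from outside the package.
  if (/script-src[^;]*https?:\/\//i.test(csp)) {
    return [{ file: "manifest.json", issue: "CSP allows remote script-src", detail: csp }];
  }
  return [];
}

function auditSource(name, text) {
  const findings = [];
  for (const re of REMOTE_CODE_PATTERNS) {
    const m = text.match(re);
    if (m) findings.push({ file: name, issue: "remotely hosted or dynamic code", detail: m[0] });
  }
  const longestLine = Math.max(...text.split("\n").map((l) => l.length));
  if (longestLine > 500 || OBFUSCATION_PATTERNS.some((re) => re.test(text))) {
    findings.push({ file: name, issue: "likely obfuscated code", detail: `longest line ${longestLine}` });
  }
  return findings;
}

function auditExtension(files) {
  // files: { relativePath: content }, as read from an unpacked extension directory
  let findings = files["manifest.json"] ? auditManifest(JSON.parse(files["manifest.json"])) : [];
  for (const [name, text] of Object.entries(files)) {
    if (/\.(js|html)$/.test(name)) findings = findings.concat(auditSource(name, text));
  }
  return findings;
}

// Constructed sample extension (not a real one): one CSP issue, one remote loader, one obfuscated file.
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({ manifest_version: 2, name: "sample", version: "1.0",
    content_security_policy: "script-src 'self' https://cdn.example; object-src 'self'" }),
  "background.js": "const s=document.createElement('script');s.src='https://cdn.example/loader.js';",
  "popup.js": "var _0x4f2a=['\\x68\\x65\\x6c\\x6c\\x6f'];console.log(_0x4f2a[0]);",
  "clean.js": "chrome.tabs.query({active:true},t=>console.log(t));",
};
```

Running `auditExtension(SAMPLE_EXTENSION)` yields three findings, one each for the manifest CSP, the remote loader and the obfuscated file, and none for `clean.js`.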