In short: Google has plans to start making Chrome extensions much more secure beginning in Chrome 70 with the addition of more extensive user control over when extensions can access a page. Effectively, a user will be able to manage the host permissions of an extension, restricting access to a specific list of sites or even requiring that the extension is clicked before it can access any given site. Meanwhile, any extensions that require a wider scope of permissions will be required to undergo more stringent compliance reviews and, as of this writing, the company is no longer accepting extensions with ‘obfuscated code.’ That means that extensions that instantiate code from an external source or other sources will no longer be approved. Beginning in January, the rule will also apply retroactively to current extensions that use obfuscated code.
Background: As of this writing, Google says its Web Store has hosted over 180,000 extensions. Some of those have previously either been found to be malicious or were latched onto and hacked by bad actors. That’s led to a number of changes including the introduction of out-of-process iframes and the removal of inline installations. The latter of those effectively ensures that extensions are placed on the Chrome Web Store and, by proxy, pass under the oversight of the company. It also ensures that the installation process starts and ends with Google. That hasn’t stopped all of the issues associated with Chrome extensions from occurring. In fact, the browser has been susceptible to quite a few breaches of security as a result of the extensions over the past several years. The search giant is, as a result, looking for more ways to keep its end users even more secure while also allowing them to add the features and functions they need to get the most out of Chrome.
That also means that, in addition to the above-listed changes, further restrictions will be put in place as well. For starters, in 2019, the company will both begin to require 2-Step Verification on all Chrome Web Store developer accounts and release Manifest v3. The former of those changes should go a long way toward addressing problems with hijacked extensions and is likely a response to at least one of the more recent breaches to have occurred. Namely, a popular extension called MEGA was effectively replaced with malware at the beginning of September. That update was live and rolling out automatically to users for around four hours before it was caught and was sending captured user credentials to Ukraine. Google hasn’t provided many details with regard to the latter of those but the overarching goal will be to focus developers toward more narrowly-scoped and declarative APIs. At the same time, it will encourage developers to implement more comprehensive mechanisms for permissions that can be granted to an extension by users. Finally, the new manifest will bring in support for modern web standards such as the use of Service Workers for background processing.
Impact: The changes will likely end up causing some contention with prominent developers on the Chrome Web Store platform, however, who could be forced to rewrite a substantial amount of code in return for the peace-of-mind for users. Moreover, they’ll essentially be forced onto the search giant’s platform despite several privacy issues that the company is facing in its own right. Bearing that in mind, at very least, the changes should greatly reduce at least some of the problems with extensions and make security better for everybody.