Google announced a new Chrome extension policy that only allows users and developers to install extensions from...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
the Chrome Web Store. Is this a good move that will improve security? What affect will this have on future apps?
Google Chrome extensions are small software programs that can customize and enhance the functionality of Google Chrome. Users can download them from the extensions gallery of the Chrome Web Store -- the online marketplace for Chrome apps, extensions and themes. While the extension platform unlocks powerful features that can increase the browser's functionality, it can also be abused by malware writers to capture user data, display ads or redirect users to malicious sites.
Prior to this latest policy update, users could install extensions directly from a developer's website. However, this installation method allowed malicious developers to avoid Google's automated review process -- which Chrome Web Store extensions have to pass through -- allowing them to distribute their malware directly to unsuspecting users. Google halted the silent installation of extensions by applications installed on a user's machine some time ago, as this was another method being used to distribute malware.
In response to growing concerns about Chrome users being infected by malicious extensions, Google has made a series of changes to its Chrome extension policy. In May last year, the company introduced a Chrome Web Store-only policy for Windows users whereby only extensions hosted on the Store could be installed; developers and Mac users could still install extensions from any source. Following this change in how extensions could be distributed to Windows users, Google saw a 75% drop in customer support help requests for uninstalling unwanted extensions. Despite these policy changes, some users were still being infected by malicious extensions -- the policy was not initially enforced on the Windows developer channel, so hackers started tricking users into the developer channel in order to install their malicious extensions.
Google's new policy mandates that all Windows and Mac users -- including developers -- must install Web browser extensions from the Chrome Web Store. There is also a new application-vetting feature called Enhanced Item Validation, which runs additional checks before an extension is published in the Store and made available to users. This is aimed at preventing malicious extensions such as Webpage Screenshot, which slipped through the existing vetting process. Google is also beta testing a software removal tool, which will scan and remove software that may cause problems with Chrome.
Chrome will continue to support local extension installs during development, as well as installs that follow Chrome for Work and Education's enterprise policy. Although some extension developers have complained that these moves penalize the genuine developer by making them go through the time and trouble of submitting their extension for review, it should help make the Chrome Web Store a safer place, and if users have more confidence in software available in the store, then developers can only benefit.
Enterprises can specify a list of extensions that will be pushed silently to their users via group policy, the registry or the master_preferences file. Extensions request permissions before they are installed, and administrators should understand what data an extension will access. There are 10 different permissions, divided into three alert levels -- a high-level alert means the extension will have access to everything on a user's computer and the websites they visit. This level of access needs to be fully risk-assessed.
Ask the Expert:
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)
Don't miss SearchSecurity's Web browser security tutorial
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
Android for Work's sandboxing tools, which split work and personal profiles, can be bypassed with a proof-of-concept attack. Expert Michael Cobb ...continue reading
Yahoo claimed a vulnerability in its email service enabled attackers to use forged cookies to gain access to user accounts. Expert Michael Cobb ...continue reading
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.