
Google changes Chrome extension policy amid security concerns

Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.

Google last week announced a new Chrome extension policy amid growing security concerns about potential threats from third-party add-ons.

The company changed its Chrome extension policy to require all Windows and Mac users -- including developers -- to install extensions only from the Chrome Web Store. Previously, the company introduced the Chrome Web Store-only policy for Windows users a year ago, but Google still allowed developers and Mac users to install extensions from any source.

However, following the spread of malicious extensions to the developer channel, Google decided to enforce this policy universally. Extensions from outside the Chrome store are not subject to the same rigorous testing that Chrome Web Store extensions are, Google said. As a result, third-party extensions from outside the Chrome Web Store could install spyware or other malware, accidentally or intentionally, as add-ons for seemingly harmless products.

"We originally did not enforce this policy on the Windows developer channel in order to allow developers to opt out," Jake Leichtling, extensions platform product manager for Chrome, said in a blog post. "Unfortunately, we've since observed malicious software forcing users into the developer channel in order to install unwanted off-store extensions."

Although extensions in the Chrome Web Store will be subjected to more meticulous security scanning, some problematic extensions have been able to slip by the company. Last month, a third-party Chrome extension called Webpage Screenshot was pulled from the Chrome Web Store due to security concerns; a report from researchers at Heimdal Security showed the extension used a delayed installation process to fool security scans and later installed spyware.

"Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity," Chrome engineering director Erik Kay said in a blog post in 2014. "Since the bad guys continue to come up with new ways to cause our users headaches, we are always taking additional measures."

Chrome will continue supporting local extension installs during development and installs that follow Chrome for Work and Education's enterprise policy.



4 comments


Is Google's new Chrome extension policy the right move for enterprises and developers?

I can’t say that I think it’s the right move, especially given that Apple’s approach hasn’t proven to actually be any more secure. It may be problematic, and seems like they would make allowances for enterprises, such as Apple does with a corporate store.

I know they are stopping support for the Unity web player plug in for one. I guess this is their way of forcing us to phase out old technology that has been working for newer and possibly more secure ways.

Looks like they are taking a similar path to Apple. Hopefully with better results.
