Skip to main content

How Google Chrome 25 will tackle malicious extensions

Google's latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions.

Extensions are plug-ins for Google Chrome and allow developers to add extra functionality to the web browser. Many Chrome extensions are supremely useful, such as Ghostery - which quickly and easily detects and blocks web trackers tagging your movements across the web - as well as the URL shortener, and ViewThru, which displays the full URL when hovering over a shortened link with your cursor. Others, like the "Change Your Facebook Color" extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other web sites. Spam-spewing extensions also exist.

While many of the extensions are accidentally installed by users tricked into downloading them, many others are installed without the user's knowledge via Chrome's auto-install feature. To address that problem, Google has removed auto-install in the latest version of Chrome.

No more auto-install

Google originally included the auto-install feature to allow applications to install additional Chrome extensions during its native installation process. This was intended to simplify the installation process so that users didn't have to add the extensions manually afterwards.

"Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users," Peter Ludwig, a product manager at Google, wrote on the Chromium blog.

The change will take effect in the forthcoming Chrome version 25 release and will now block applications trying to auto-install extensions into Google. An alert will be displayed informing the user about the new extension and offering permission options (such as "Access your data on all Websites" and "Read and modify your bookmarks") for those wishing to proceed..

Chrome 25 will also automatically disable any extensions that were previously installed using the auto-install feature. If the user wants to re-enable the extension, the browser will display a one-time prompt explaining what each extension wants to do before allowing them to be turned back on.

Stopping malicious extensions

Google also appears to have a new service which analyses "every extension that is uploaded to the Web Store and take[s] down those we recognize to be malicious," according to the support pages for the Chrome Web Store.

There isn't a lot of information about the service at this time, so it's not known whether the Internet giant's browser will be using an automated scanner similar to Google Bouncer, or how the changes might relate to Google's recent purchase of online malware scanner VirusTotal.

Google has recently cracked down on extensions. Back in July, Google changed Chrome so that users could only install extensions found in the Chrome Web Store, and not from third-party sites.