Google to lock down Chrome extensions
Chrome Web Store apps will be subject to tighter controls


Google is taking action to improve the trustworthiness of the Chrome Web Store, adding new security controls and clamping down on insecure practices.
The Chrome Web Store, which allows users to add extensions to their desktop browser, has a somewhat patchy reputation for security, and has frequently been found to be hosting malicious extensions that silently spy on users and steal their data.
The tech giant is aiming to stamp this out, and is introducing new privacy and security features such as a more stringent permissions system. The new system will allow users to specify if they want to allow extensions to run on all sites, on specific sites, or to only run when the extension is clicked.
The change is part of Google Chrome Version 70, which is due to hit general release this month.
Google is also keeping a closer eye on extensions, effective immediately, and the more permissions an extension asks for, the longer Google will take to review it. The company is placing particular importance on extensions that rely on remotely-hosted code, Chrome Extensions product manager James Wagner said in a blog post, and advised that developers make sure their extensions ask for as few permissions as possible.
Effective immediately, obfuscated code is also banned from the Chrome Web Store altogether.
"Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code," Wagner said. "At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes."
Extensions that feature obfuscated code will not be allowed to be submitted to the web store, and existing extensions that use it have 90 days to replace it before they are removed.
In addition to the security benefits, the removal of obfuscated code will likely bring performance benefits, as obfuscation usually incurs increased execution times on the host machine.
From next year, the company will also force Web Store extension developers to use two-factor authentication to protect their accounts, with a view to preventing criminals from hacking the accounts of popular extension developers and using their extensions to deliver malware.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.