Google is introducing more stringent rules for Chrome extension developers, a move that will reduce the risk of password cracking and mining malware.
The network and technology giant announced on Monday that it plans to change the way the Chrome browser handles extensions that request extensive permissions, and to tighten the rules for developers who distribute extensions through the Chrome Web Store.
Google said in a blog post:
“It is important that users can trust that the extensions they install are secure, privacy-protected, and functional. The functionality of the extension and the scope of data access should be completely transparent to the user.”
The company explained that starting with Chrome 70 (currently in beta testing), users will be able to restrict an extension's access to a custom list of sites, or set extensions to require permission each time they access a page.
Google added that extensions requesting “strong permissions” will be subject to “additional compliance review.”
“We are also paying close attention to extensions that use remote managed code and are constantly monitoring,” the company said.
The company explained the move, saying that “although host permissions have allowed thousands of powerful and creative extension use cases, they have also led to widespread misuse – malicious and unintentional… Our goal is to increase user transparency and control when extensions can access site data.”
Google also said that starting on Monday, the Chrome Web Store will no longer allow extensions that use hidden or obfuscated code. It added that existing extensions with obfuscated code have 90 days to comply with the new rules.
According to the blog post, more than 70% of the “malicious and offending extensions” that Google blocks in the Chrome Web Store contain obfuscated code. In addition, because this obfuscation is “mainly used to hide code functionality,” it greatly increases the complexity of Google's extension review process.
Google said: “Considering the changes in the review process mentioned above, this confusion is no longer acceptable.”
As the last security measure, in 2019 all extension developer accounts must be protected by two-step verification to reduce the risk of accounts being hacked.
In the past, cybercriminals have used Chrome extensions to gain access to victims' computers.
For example, just a month ago, hackers uploaded a malicious version of the Mega extension to the online store. According to ZDNet, the accounts of people who used the official installer over the next few hours were leaked, including those of users of the MyEtherWallet and MyMonero cryptocurrency wallets and of the decentralized exchange IDEX.
Google has also been forced to crack down on extensions that use downloaders' devices to mine cryptocurrency without their knowledge. In April of this year, the Chrome Web Store blocked cryptocurrency-mining extensions, regardless of whether the mining was intentional.