After a rise in cryptojacking and hacks carried out through Google Chrome extensions, which until now faced few restrictions, Google announced on Monday that it plans to change the way Chrome handles extensions that request extensive permissions.
The announcement also says that Google plans to tighten the rules for developers. With Chrome 70, which is currently in beta, users will be able to restrict an extension's access to a custom list of webpages, or require the extension to get permission to access a certain page.
Google adds that extensions requesting powerful permissions will be subject to additional compliance review, and that there will be new code readability requirements, which mean that hidden code will no longer be allowed in extensions. This policy applies immediately to all new extension submissions.
Google said: “Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes.” Existing extensions will be able to submit updates over the next one and a half months, but will be removed in 2019 if not compliant.
As an additional security measure, Google announced that Chrome Web Store developer accounts will require 2-Step Verification.
Cyber-criminals have used Chrome extensions to gain access to victims' computers in the past. Just about a month ago, a malicious version of the Mega extension was uploaded to the Web Store, and people who used the official installer over the next few hours had their accounts compromised, including users of the MyEtherWallet and MyMonero crypto wallets and the decentralized exchange IDEX.
In April, the Web Store blocked extensions that mine cryptocurrencies, whether or not mining was a deliberate feature, and now Google has made another move with these new rules to protect Chrome users.