Chrome 70 lets users set permissions for extensions per site
Google has announced a stricter policy regarding extensions for its Chrome browser. With Chrome 70, users can set per site which data an extension has access to. Browser extensions may also no longer contain hidden code.
Google writes in its announcement that extensions have access to the data on a site a user visits and that they can modify that data. This has enabled ‘powerful and creative’ extensions, but at the same time has also encouraged ‘malicious or unintentional abuse’. That is why Chrome 70 gets an option to grant an extension permission to read and change data on a per-site basis, for example. In addition, users can configure that an extension may only do so after they click its icon. Google gives more information about the introduction of these changes in a separate blog post about host permissions.
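The per-site controls in Chrome 70 limit what a user grants; the counterpart on the developer and reviewer side is how much host access an extension asks for in its manifest in the first place. The following JavaScript is an added example (not code from Google or from Chrome) that audits a manifest for broad host patterns such as `<all_urls>` or `https://*/*` and reports whether the extension confines itself to scoped or on-demand host access. The two manifests and the `auditHostAccess` helper are constructed for illustration; the check is a simple reviewer-side heuristic and is not the Web Store's own review logic.

```javascript
// Added example: audit a Chrome extension manifest (2018-era layout) for
// host patterns that give the extension access to every site.
// Everything below is constructed for illustration, not a real extension.

// Match patterns that cover all (or all http/https) origins.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*", "ftp://*/*",
]);

// Host entries in "permissions" look like URL match patterns;
// API permissions such as "tabs" or "storage" do not.
function isHostPattern(entry) {
  return entry === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(entry);
}

function isBroad(pattern) {
  return BROAD_HOST_PATTERNS.has(pattern);
}

// Collect every host pattern granted at install time (from "permissions"
// and from content script "matches") and split it into broad vs scoped.
// Host patterns under "optional_permissions" are requested at runtime and
// therefore leave the per-site decision to the user.
function auditHostAccess(manifest) {
  const installTime = [];
  for (const p of manifest.permissions || []) {
    if (isHostPattern(p)) installTime.push(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) installTime.push(m);
  }
  const optionalHosts = (manifest.optional_permissions || []).filter(isHostPattern);
  return {
    broad: [...new Set(installTime.filter(isBroad))],
    scoped: [...new Set(installTime.filter((p) => !isBroad(p)))],
    optionalHosts,
    // true when nothing granted at install time covers every site
    leastPrivilege: installTime.every((p) => !isBroad(p)),
  };
}

// Constructed manifest: reads and changes data on every page.
const overPrivilegedManifest = {
  manifest_version: 2,
  name: "Example (constructed)",
  permissions: ["storage", "<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
};

// Constructed manifest: one site at install time, more only on request.
const scopedManifest = {
  manifest_version: 2,
  name: "Example (constructed)",
  permissions: ["storage", "activeTab"],
  optional_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://mail.example.com/*"], js: ["content.js"] }],
};

console.log(auditHostAccess(overPrivilegedManifest));
console.log(auditHostAccess(scopedManifest));
```

The first manifest is flagged because `<all_urls>` and the wildcard content-script matches cover every origin; the second passes because its only install-time host is a single domain and the broader pattern is optional, so Chrome asks the user before granting it.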
Another change is that the Web Store, with immediate effect, no longer allows extensions that contain hidden or obfuscated code. This applies both to code in the extension itself and to code that is loaded externally. Google substantiates the decision by stating that 70 percent of blocked malicious extensions contain hidden code and that the presence of such code makes the review process more difficult. It adds that JavaScript code runs locally and that obfuscation will not stop a dedicated reverse engineer anyway. ‘Minification’ of code, such as the removal of whitespace and comments, is still permitted.
This new requirement is linked to a third change: Google will perform an additional check on extensions that require ‘powerful permissions’. The company will also pay closer attention to extensions that load external code. Finally, in 2019 the search giant introduces the requirement that developers secure their Chrome Web Store account with two-step verification. According to Google, popular extensions are targets of attackers who want to take them over.
With these changes, Google appears to be taking measures to prevent incidents such as those involving the Mega and Hola VPN extensions. In the latter case, attackers took over the developer account via phishing and published a malicious version of the extension, which stole login data from MyEtherWallet users because it had access to data on pages. Similar incidents also occurred last year. Recently it emerged that extension developers are once again the target of phishing attacks.