Google cracks down on malicious Chrome extensions

Chrome extensions are great for customizing the web browser, but Google is cracking down to try to keep them from seizing more control than you want to give them.

On Monday, the company announced a host of actions to keep extensions in hand:
-Google will let you restrict extensions that seek to modify web pages so they only work on particular websites. You'll also be able to require them to seek your permission each time they run.
-Google will scrutinize more closely extensions that ask for a lot of power over your browser and will reject extensions whose underlying programming code has been obfuscated so it's hard to read.
-Google will require extension developers to use two-step authentication starting in 2019 to make it harder for someone to hijack the account to distribute a bad version of an extension.

Extensions have been a boon to the billion-plus people who use Chrome. More than 180,000 extensions are available, and nearly half of us use them in the browser for things like blocking ads, checking grammar, managing passwords, managing multiple Gmail accounts, translating text in other languages and collapsing tabs into a list for later use.
But the openness of Chrome extensions and the Chrome Web Store that Google uses to distribute them have also opened a new door to malware, spyware, cryptocurrency miners, Facebook account hijackers and other bad extensions. That's what Google is trying to fix here.

"It's crucial that users be able to trust the extensions they install are safe, privacy-preserving, and performant," said James Wagner, Chrome's extensions product manager, in a blog post.

It's a big problem. In 2015, Google found thousands of malicious extensions, and one out of ten Chrome extensions submitted were malware.

The higher level of scrutiny will involve more humans, Chrome leader Rahul Roy-Chowdhury tweeted Tuesday.

"We do some manual reviews today, and we will ramp that up as these changes roll out," he said. "Basically we're moving to a model where we publish only 'known good' with a high bar, specially for extensions with sensitive permissions."
Monday's move isn't the first crackdown. Google also has automated checks on extensions, and this year, it's shutting down a process called inline installation that let you install extensions from buttons on third-party websites. Now you have to go to the Chrome Web Store, where you can see more details about an extension you're considering installing.

And in 2019, Google will overhaul Chrome extension manifests -- the documentation that developers must write to describe things like the computing privileges extensions need. With the new version, "writing a secure and performant extension ... should be easy, while writing an insecure or non-performant extension should be difficult," Wagner said.

First published October 1, 10 a.m. PT.