Google calls time on third-party Chrome extensions to turn security screw

After trialling since 2012, Web Store download now mandatory

Google Chrome users on Windows can now only install browser extensions through the Web Store, the search giant has announced, fulfilling a long-standing promise to tighten security.

In a follow-up FAQ, the firm urges developers who haven't already done so either to migrate extensions to the Store, where users will have to re-enable them, or to start using inline installation, which redirects to Google's servers.

Users of Chrome apps downloaded direct from third-party sites will now see a "Suspicious Extensions Disabled" message, Google said. Extensions would stop working until hosted by Google.

"Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity. If you notice strange ads, broken web pages or sluggish browsing after installing some new software or plugins, you could be affected," said Google by way of explaining the security rationale.

It's a security model based on that used to secure the Chrome OS running Google's Chromebooks, which have always required verified software installation via the Web Store. As for Chrome on Windows, Google has been working on this for a while, turning off third-party installs by default as long ago as July 2012.

With Chrome 35 reaching users last week, it all sounds like a worthy tightening of security, but some issues are worth pointing up. While it's certainly the case that third-party malicious extensions are a known pest (usually installed after some social engineering), the Chrome Web Store has had its problems too.

In 2012, cybercriminals managed to sneak extensions designed to hijack Facebook Likes on to the Store, while more recently spammers exploited legitimate extensions that had changed ownership, using them to push ads.

Generally speaking, Google's policing of rogue extensions has improved in line with somewhat better filtering of Android apps. The weakness remains Google's vetting of developers. That will be the new front line in stopping the small but determined industry pushing malicious extensions.

Stories by John E Dunn
