Google’s new rules for developers make Chrome extensions safer for all

Google has announced a range of security changes to its Chrome browser that will make the use of extensions more secure. The updates, to be introduced in version 70 of the popular browser, cover areas including extension permissions and developer accounts.

Browser extensions are small programs that enhance the browser’s functionality. The problem is that misbehaving extensions can steal data or invade users’ browser privacy. Chrome is a trusted application in most operating systems, meaning that if you give an extension permission to do things, the operating system will usually wave it through. This can leave users vulnerable to malicious extensions.

In the past, Google has taken steps to keep extensions in line by limiting what they can do. Late last year, for example, it introduced an optional site isolation feature that made it more difficult for malicious code on one site to steal secrets from another when open in the browser. It also enabled administrators to block extensions based on the kinds of permissions they request, such as access to the webcam or the clipboard.

Per-site permissions

Now, it has announced plans to take things further. In Chrome 70, the company will enable users to restrict an extension’s permissions to manipulate website data and services on a per-site basis. When users gave a Chrome extension permission to read and change website data in the past, the extension could use those permissions across all sites. The change allows users to be more selective about the sites that the extension can access.

While you may want a screen clipping extension to read information from a handful of news sites that you visit, say, you might want it to avoid reading anything else, including your online bank account. Chrome 70 will restrict host access permissions to specific sites allowed by the user, or it can be configured to request approval for host access when visiting any site. The user can also enable host permissions on all sites by default if they wish.
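As an added illustration (not code from Google or from the original article), the sketch below audits an extension's manifest for the kind of host access described above, separating patterns that cover every site from those scoped to named hosts. The two manifests are constructed samples on placeholder domains; `permissions`, `host_permissions`, `content_scripts.matches` and the `<all_urls>` pattern are standard manifest fields and syntax, while the function names are hypothetical.

```javascript
// Added example: classify the host access that an extension manifest requests.
// Match patterns that grant access to every site.
const ALL_SITE_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// True for host match patterns; false for API permissions such as "storage".
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp|wss?):\/\/[^/]*\/.*$/.test(p);
}

// "https://*.example.org/*" -> "*.example.org"
function hostOf(pattern) {
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : "";
}

function auditManifest(manifest) {
  const patterns = [
    ...(manifest.permissions || []),      // manifest v2 mixes API and host permissions
    ...(manifest.host_permissions || []), // manifest v3 lists hosts separately
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ].filter((p) => typeof p === "string" && isHostPattern(p));

  const allSites = [], wildcardSubdomains = [], specific = [];
  for (const p of new Set(patterns)) {
    const host = hostOf(p);
    if (ALL_SITE_PATTERNS.has(p) || host === "*") allSites.push(p);
    else if (host.startsWith("*.")) wildcardSubdomains.push(p);
    else specific.push(p);
  }
  // "broad" marks extensions that can read and change data on any site.
  return { allSites, wildcardSubdomains, specific, broad: allSites.length > 0 };
}

// Constructed sample manifests for a screen-clipping extension.
const CLIPPER_BROAD = {
  name: "Constructed clipper (all sites)",
  manifest_version: 2,
  permissions: ["activeTab", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["clip.js"] }],
};
const CLIPPER_SCOPED = {
  name: "Constructed clipper (news sites only)",
  manifest_version: 2,
  permissions: ["storage", "https://news.example.com/*", "https://*.example.org/*"],
};

console.log(auditManifest(CLIPPER_BROAD));
console.log(auditManifest(CLIPPER_SCOPED));
```

An extension flagged `broad` is one whose host access a user would most want to restrict to specific sites, or an administrator would most want to review before allowing.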

Google will also make the review process more stringent for extensions that request ‘powerful permissions’, it said, and will monitor extensions that use code hosted remotely.

Obfuscated code banned

The company is also banning the use of obfuscated code. This is JavaScript code that is scrambled to avoid others finding out what it does, and while this can be a way for developers to protect their IP, a good reverse engineer would eventually work out what it was doing, Google pointed out.

In the meantime, obfuscated code also enables cybercriminals, such as cryptojackers, to execute nefarious code under the hood. From now on, Google’s Chromium team is having none of it. Not only will all new extension submissions have to carry usable code, but existing extensions with obfuscated code will be removed from the Chrome Web Store in early January if they don’t fix the issue. The company said:

Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes.

Minification, which reduces code size by removing comments and unused code and shortening variables, is still fine, it added.

2FA for extension developers

Google also changed the requirements for developers to access their online accounts. They will be expected to use two-step verification (or 2FA) to access their accounts in the Chrome Web Store from next year, the company stated. This is a bid to protect developers of popular extensions from having their accounts hijacked and their published extensions tampered with by malicious actors.

These enhancements may go some way towards mitigating malicious Chrome extensions, of which there have been a few.

One popular legitimate extension called Web Developer for Chrome was hijacked last year after criminals compromised the developer’s account.

Another extension named “Desbloquear Conteúdo” was evil from the start, inserting a perfect overlay of username, password, and one time pad form fields on a bank’s site.

The security changes are a precursor to version 3 of Google’s extensions manifest, which will make it harder to write insecure extensions, the company claimed. These changes will include more narrowly-scoped application programming interfaces (APIs) so that developers can give extensions more selective access to webpages. Expect those new changes next year.