Making Extensions safer with Chrome 70 and later

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Google today announced a number of upcoming changes to how Chrome will handle extensions that request a lot of permissions, as well as new requirements for developers who want to publish their extensions in the Chrome Web Store.
It’s no secret that, no matter which browser you use, extensions are one of the main vectors that malicious developers use to gain access to your data.

Starting with Chrome 70, users can restrict host access to their own custom list of sites. That’s important because, by default, most extensions can see and manipulate any website you go to. Whitelists are hard to maintain, though, so users can also opt to only provide an extension with access to the current page after a click.

“While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse – both malicious and unintentional – because they allow extensions to automatically read and change data on websites,” Google explains in today’s announcement.
1538415039499.png
As far as permissions go, Google also notes that in 2019, it’ll introduce new mechanisms and more narrowly scoped APIs that will reduce the need for broader permissions and that will give users more control over the access that they grant to their extensions. Starting in 2019, Google will also require two-factor authentication for access to Chrome Web Store developer accounts to make sure that a malicious actor can’t take over a developer’s account and publish a hacked extension.
Read more at Google wants to make Chrome extensions safer


From Original Chromium Blog post posted June 12, 2018:
  • Starting today, inline installation will be unavailable to all newly published extensions. Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation.
  • Starting September 12, 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
  • In early December 2018, the inline install API method will be removed from Chrome 71.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,453
What does that mean? That when I reinstall, all synced extensions will not install, unless I install them one by one?
By the way, I just hope that old extensions will not be removed; I am using an essential one, last updated in 2014. :confused:
 

Ink

What does that mean? That when I reinstall, all synced extensions will not install, unless I install them one by one?
See image posted above, it helped.

From my understanding Google will allow users to create user-made whitelists.

For example: If you have Google Translate installed on Chrome, the user can let it run (read and change site data) on:
  • all sites (as it is right now)
  • a specific site (run on only that site you're visiting)
  • click-to-run (manually click extension to run on the site)

As for your Chrome extensions settings, they should be sync'd to your linked Google account.
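
The three access levels listed above correspond to what an extension requests in its manifest.json, which is the access Chrome 70 lets the user narrow. As an added example (not from this thread or from Google), the Node.js script below classifies a manifest as all-sites, specific-sites or on-click so that extensions holding broad host access can be picked out for review; the function names, the access labels and the sample manifests are constructed for illustration.

```javascript
// Added example: classify the host access a Chrome extension requests.
// Function names and the access labels are illustrative, not a Chrome API.

// Host permissions are match patterns; API permissions ("tabs") are bare names.
const isPattern = (p) =>
  typeof p === "string" && (p === "<all_urls>" || p.includes("://"));

// A pattern is broad when it matches every host: <all_urls>, *://*/*, https://*/* ...
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[1] === "*";
}

// Collect host patterns from Manifest V2 (permissions), V3 (host_permissions)
// and from content script match lists.
function hostPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...scripts,
  ].filter(isPattern);
}

function classify(manifest) {
  const patterns = hostPatterns(manifest);
  const broad = patterns.filter(isBroad);
  const sites = patterns.filter((p) => !isBroad(p));
  // activeTab grants access to the current tab only after the user invokes the extension.
  const activeTab = (manifest.permissions || []).includes("activeTab");
  let access = "none";
  if (broad.length > 0) access = "all-sites";
  else if (sites.length > 0) access = "specific-sites";
  else if (activeTab) access = "on-click";
  return { access, broad, sites };
}

// Constructed sample manifests (not real extensions).
const samples = {
  translator: { permissions: ["activeTab", "storage"],
                content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }] },
  siteHelper: { permissions: ["storage", "https://*.example.com/*"] },
  clipper:    { permissions: ["activeTab", "contextMenus"] },
};

for (const [name, manifest] of Object.entries(samples)) {
  console.log(name, classify(manifest).access);
}
```

Point `classify` at the parsed manifest.json of each installed extension to list the ones that request every site.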
 

509322

By far the safest extension is the one you never install.

The prevailing trend here is that one needs 7+ extensions for privacy, security and content filtering.

As for your Chrome extensions settings, they should be sync'd to your linked Google account.

Settings syncing causes issues because there is no per-device opt-out. It is an "all or nothing" feature. Typical garbage feature that was not well thought out. Consequently the user has to deal with extremely annoying issues.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
The prevailing trend here is that one needs 7+ extensions for privacy, security and content filtering.
Meh. I'm not paranoid about my browser fingerprint anymore and we are not the average Joes. I do keep track of what extensions I have and if they are actively maintained so nobody can hijack them.
Also this feature in Chrome 70 has been available as a Chrome flag for a couple of versions. I get a notification if an extension wants more permissions, and a notification if I want to run an extension on one particular domain or browser-wide, and what type of permissions it requests. I have uninstalled some extensions just based on that.
 
