Google is cracking down on the potential for third-party Chrome extensions to go rogue and hack your PC.
The next version of Chrome is adding new controls over what webpages third-party extensions can read and write data to. “Users can choose to allow your extension to run on click, on a specific set of sites, or on all requested sites,” Google said in a note to developers.
The company is making the change to address how some Chrome browser extensions can automatically collect any sensitive data that appears in your browser. Spell-checking or translation products, for instance, need this permission to function. But unfortunately, the same capability can also be abused to steal your data.
That happened last month when a Chrome extension from Mega.nz, a cloud storage provider, was briefly hacked to steal passwords from people’s accounts. The Trojanized extension worked by lifting the data whenever a select login page appeared. In another incident, a hacker tampered with a Chrome browser extension to mine a cryptocurrency from victims’ computers.
“While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse — both malicious and unintentional,” Google said in a blog post on Monday.
However, it appears it’ll be up to users to activate the controls. In Google’s note to developers, the company said the upcoming change will not immediately affect any current permissions users have granted to the browser extensions.
You’ll be able to access the new controls by going to the “chrome://extensions” page or by simply right-clicking on the extension as it appears in the browser’s upper-right-hand corner.
In the same blog post, Google said it’s going to enforce an “additional compliance review” for any extensions that request powerful permissions. Extensions on the Chrome Web Store can also no longer run any computer code that’s been deliberately scrambled or “obfuscated” to prevent reverse-engineering. Google said it needs to take a peek to ensure none of the computer code is secretly malicious.
“Today over 70 percent of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code,” Google said.
To prevent hackers from taking over legitimate extensions, the company is also forcing all third-party app makers to use two-factor authentication with their Chrome Web Store developer accounts.
Chrome 70 will arrive as a stable release during the week of Oct. 23.