Google has announced a stricter policy for extensions for its Chrome browser. As part of it, Chrome 70 gets an option to set, per site, which data an extension can access. Browser extensions may also no longer contain hidden code.
Google writes in its announcement that extensions can access and modify data on the sites a user visits. That has made ‘powerful and creative’ extensions possible, but has at the same time encouraged ‘malicious or unintentional abuse’. That’s why Chrome 70 gets an option to grant an extension permission to read and change data on a per-site basis, for example. In addition, users can configure an extension so that it can only do this after they click its icon. Google has more information about the introduction of these changes in a separate blog post about host permissions.
This new requirement is linked to a third change: Google will perform an additional review of extensions that require ‘powerful permissions’. The company will also pay closer attention to extensions that load external code. Finally, in 2019 the search giant will require developers to secure their Chrome Web Store account with two-step verification. According to Google, popular extensions are targets for attackers who want to take them over.
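As an added example (not from Google or the original article), the following JavaScript summarizes what a Chrome extension manifest requests: host patterns covering every site versus named sites, use of `activeTab`, and script sources in the content security policy that allow external code. The manifest keys are Chrome's; the function name `auditManifest` and the two sample manifests are constructed for illustration.

```javascript
// Added example, not Google's review logic. Summarizes how much site data an
// extension manifest asks for and whether its CSP permits external code.

// Match patterns that cover every site.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns start with a scheme; API permissions ("tabs") do not.
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions";
  // Manifest V3 lists them under "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter((p) => typeof p === "string");
  const scriptMatches = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  const hosts = [...new Set([...declared.filter(isHostPattern), ...scriptMatches])];

  // The CSP is a string in V2 and an object with "extension_pages" in V3.
  const csp = manifest.content_security_policy;
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const scriptSrc = policy.split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "script-src") || [];

  return {
    broadHosts: hosts.filter((p) => BROAD.has(p)),
    scopedHosts: hosts.filter((p) => !BROAD.has(p)),
    // "activeTab" grants access to the current tab only after a user gesture.
    usesActiveTab: declared.includes("activeTab"),
    // Remote origins and 'unsafe-eval' let code from outside the package run.
    externalCode: scriptSrc.slice(1)
      .filter((s) => /^https?:\/\//.test(s) || s === "'unsafe-eval'"),
  };
}

// Constructed sample manifests (hypothetical extensions).
const broadManifest = {
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  content_security_policy:
    "script-src 'self' https://cdn.example.com; object-src 'self'",
};
const scopedManifest = { permissions: ["activeTab", "https://wallet.example.com/*"] };

console.log(auditManifest(broadManifest), auditManifest(scopedManifest));
```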
With these changes, Google appears to be taking measures to prevent incidents such as those involving the Mega and Hola VPN extensions. In the latter case, attackers had taken over the developer account via phishing and published a malicious version of the extension. That version stole login data from MyEtherWallet users because it had access to data on pages. Similar incidents also occurred last year. Recently it emerged that extension developers are once again the target of phishing attacks.