Google has announced plans to further tighten security rules for Chrome browser extensions by banning those that contain “obfuscated” source code, as a measure to combat crypto-mining malware and hijackers. “Obfuscated” source refers to code that is written mainly to conceal its real functionality and hinder its readability.
Malicious extensions can steal credentials, invade users’ browser privacy and participate in click fraud schemes.
The updates will be introduced in version 70 of the Chrome browser and will cover areas including developer accounts and extension permissions.
Google has already taken some measures to limit the impact of security flaws and the ability of extensions to offer installation from third-party websites.
Obfuscated code prohibited
A recent report by McAfee Labs has revealed that more than 2.5 million cases of cryptojacking were detected in the first half of 2018. As one of the most popular browsers, Chrome is often used as a common way to infect users’ computers with cryptocurrency-mining malware. Google says that 70 percent of malicious extensions use obfuscated code. So, existing extensions with obfuscated code will be banned in 90 days. All extensions that don’t comply with the new rules will be removed from the Chrome Web Store in early January 2019.
Individual per-site permissions
With the new measures, users of browser extensions will get control over which websites extensions can access. In Chrome 70, extension users will be able to restrict access to specific domains, or block all access to a specific website until the extension is explicitly activated. This measure will significantly limit the damage that malicious extensions can do.
Monitoring of extension developers
The other measures apply to the extension development process. Google will be applying more scrutiny to extensions that require the most powerful permissions, and it will perform ongoing monitoring of extensions that load code from remote sites. This should help to protect users against extensions that replace their source code with malicious code once the extension has been initially submitted to the Chrome Web Store.
2FA requirement for extension developers
Google also changed the requirements for developers to access their Chrome Web Store accounts. Developers will be required to use two-step verification (2FA) to access their accounts in the store from next year. This is a step to protect developers of popular Chrome extensions from having their accounts hacked by cyber criminals.