
In May 2015, Google changed its Chrome extension policy, forcing all users to install browser extensions only from the Chrome Web Store. This was done because of growing security concerns about third-party add-ons. A year earlier, Google had introduced a policy requiring Windows users to install extensions only from the Web Store, but it still allowed developers and Mac users to install extensions from any third-party source.

In recent times there has been an increase in the number of malicious extensions released through the developer channels, and this has forced Google to adopt such a strict policy. Google has also increased the amount of time spent manually reviewing the thousands of daily updates to extensions, to ensure malicious code does not make its way into an extension through a hacked developer account.

Jake Leichtling, the extensions platform product manager for Chrome at Google, stated on his blog that they have noticed an increase in malicious software making its way into the developer channel. Google is getting stricter with its review after a few extensions used a delayed installation process to install spyware after the security scans were complete.

Chrome engineering director Erik Kay stated on his blog that the bad guys are always coming up with new ways to inject ads or track browsing activity, and that Google has therefore needed to take additional measures to combat this.

Users can protect themselves by vetting extensions carefully and installing only extensions from trusted sources they know. Checking my list of extensions, I see that I have only the following three installed, since I trust the companies behind them: Moz Bar from Moz, Keyword Search Tool from KeywordKeg and Site Traffic Source from SimilarWeb.

Often, users look solely at the total number of users who have installed an extension and use that number to gauge its trustworthiness. But a lot of malicious code has found its way, through a hacked Google account, into extensions already installed by thousands of users. A better metric for judging an extension's trustworthiness is the date it was last updated. Be wary of extensions that have not been updated in years: the original developer may have lost interest in maintaining the extension, which makes it ripe for an attacker to either buy (read Amit Agarwal's story on why selling his Chrome extension was a bad decision) or hack into.

If you notice strange ads on web pages where you did not see ads before, or different ads on Google or Facebook, you should disable all your extensions and then re-enable them one at a time to see which extension is injecting ads into your web pages.
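As an added example (not code from the original post), the following Python audit applies the advice above to a Chrome profile: it reads each installed extension's manifest.json, flags any extension that is not updated from the Chrome Web Store, and lists permissions broad enough to inject ads or track browsing. The profile directory layout is an assumption and the two sample manifests are constructed so the audit runs offline.

```python
import json
from pathlib import Path

# Update URL that the Chrome Web Store writes into manifest.json when it packages an extension
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions and match patterns that give an extension enough reach to inject ads or track browsing
BROAD_PERMISSIONS = {"<all_urls>", "http://*/*", "https://*/*",
                     "webRequest", "webRequestBlocking", "tabs", "history"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest (an empty list means nothing was flagged)."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        findings.append(f"{name}: not updated from the Chrome Web Store "
                        f"(update_url={manifest.get('update_url')!r})")
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):  # content scripts run on matched pages
        requested |= set(script.get("matches", []))
    broad = sorted(requested & BROAD_PERMISSIONS)
    if broad:
        findings.append(f"{name}: broad permissions {broad}")
    return findings


def audit_profile(extensions_dir: Path) -> list[str]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed layout) and audit each."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            findings += audit_manifest(json.load(fh))
    return findings


# Constructed sample manifests (not real extensions): one Web Store install with narrow
# permissions, one sideloaded extension with the reach needed to rewrite every page.
SAMPLE_MANIFESTS = [
    {"name": "Store Extension", "update_url": WEB_STORE_UPDATE_URL,
     "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
    {"name": "Sideloaded Sample", "permissions": ["webRequest", "tabs"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
]

if __name__ == "__main__":
    for manifest in SAMPLE_MANIFESTS:
        for finding in audit_manifest(manifest):
            print(finding)
    # Real profile on Linux (assumed default location):
    # print(audit_profile(Path.home() / ".config/google-chrome/Default/Extensions"))
```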