Google Web Store vs Malicious Chrome Extensions

The latest release of Google’s Chrome browser may not have had a huge amount of changes that were instantly obvious to the average user but that doesn’t mean to say that the search giant have been resting on their laurels. On the contrary, security has been improved, mainly by putting a block on the installation of extensions from outside the confines of the Chrome Web Store.


Prior to this change an extension – a .CRX file – could be installed into Chrome from any web server. If you try it now, however, you will see a yellow warning bar, advising that,

Extensions, apps, and user scripts can only be added from the Chrome Web Store [OK]

Clicking on said OK button will then redirect you to the official Chrome marketplace where you can then continue to install the extension.

Many Chrome users may remain in the dark with regard to this change as they may not install extensions anyway, or may already know all about the Web Store as it is advertised on the browser’s new tab page. For everyone else, there is an added layer of security as extensions should now only be available from the one place, thereby giving Google somewhat more control and severely limiting the opportunities for the bad guys to use this as an attack vector.

Another important factor here which adds to the above is that Google will now be monitoring the extensions that are being submitted by developers. This will allow them to check for malicious behaviour in advance and so, therefore, go a long way in preventing dangerous extensions ever being available in the first place. As Chrome support says,

To help keep you safe on the web, we have started analyzing every extension that is uploaded to the Web Store and take down those we recognize to be malicious. Unfortunately, we don’t have the ability to take down malicious items promoted on other websites. For instance, online hackers may create websites that automatically trigger the installation of malicious extensions. Their extensions are often designed to secretly track the information you enter on the web, which the hackers can then reuse for other ill-intended purposes. (read more)

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind