Google taking action against disguised code in Chrome Web Store

Weary of dealing with malicious Chrome extensions and user complaints, Google is asking developers to lock down their accounts and tightening up security in its Chrome Web Store.

On Monday, the Chocolate Factory announced a handful of changes to reduce the amount of dodgy code in its marketplace and to make the hijacking of developer accounts more challenging.

Last month the Chocolate Factory disabled the inline installation API, by which websites could publish a Chrome extension installation link that redirected users to the Chrome Web Store. Now the search biz continues its clampdown with word that Chrome 70 will allow users to limit permissions beyond the scope sought by extensions during installation.

Starting in Chrome 70, out in beta now and due for stable channel release in mid-October, users will be able to choose to allow extensions to run after requiring a click, on a specific set of sites, or on all sites requested by the code. This capability, designed to reduce the chance an extension could gather unanticipated information, can be accessed via the chrome://extensions page and the extension context menu.

What's more, Google intends to subject extensions to extra scrutiny if they request access to powerful permissions. James Wagner, Chrome Extensions product manager, said in a blog post that Google will watch for extensions that rely on remotely hosted code. He advised developers to scope their extension permissions as narrowly as possible to minimize review time.

No disguises

Google is also banning obfuscated code – code altered to disguise its flow and logic – in Chrome extensions, starting today. The ban takes the form of a Chrome developer content policy that says, "Developers must not obfuscate code or conceal functionality of their extension."

Google actually listens to users, hands back cookies and rethinks Chrome auto sign-in

READ MORE

The readability requirement doesn't extend to minified code, a form of obfuscation designed to compress source code through the shortening of variable and function names and the removal of whitespace, newlines, and comments. Minification makes code less readable, for the sake of smaller files and better performance, but isn't generally an attempt to disguise how it functions.

The company says 70 percent of malicious and policy-violating extensions include code designed to be difficult to read. And it doesn't have the patience to review extension code that's deliberately unfriendly to the eyes. Devs who have Chrome extensions with obfuscated code in release have until New Year's Day to submit a revision.

Come 2019, the Googleplex will require Chrome Web Store developers to use two-step Verification to secure their accounts. The company hopes to make it more difficult for malicious types to hijack accounts associated with popular extensions, a tactic for malware distribution seen elsewhere. This won't do much to prevent devs from selling their accounts to fraudsters, however.

Next year will also see the introduction of a revised spec for extension manifest files, through which devs declare the permissions and resources required by a Chrome extension. Google hasn't yet released details on version 3, but says it aims to narrow the scope of its APIs, make permission control easier for users, and support modern web capabilities like the Service Workers as a background process. ®