Chrome 25 will disable 'silently installed' extensions

All Chrome extensions installed using offline methods will be disabled until the users decide otherwise, Google says

Starting with version 25 of Google Chrome, browser extensions installed offline by other applications will not be enabled until users give their permission through a dialog box in the browser interface.

At the moment developers have several options to install extensions offline -- not using the browser interface -- in Google Chrome for Windows. One of them involves adding special entries in the Windows registry that tell Chrome that a new extension has been installed and should be enabled.
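The registry mechanism described above is what Chrome 25 starts gating behind a user prompt. As an added example that is not part of the original article, the PowerShell snippet below lets a Windows administrator enumerate which extensions other applications have registered for external installation, so they can be reviewed before users are asked to re-enable them. The registry paths, the value names (`update_url`, `path`, `version`) and the official Web Store update URL are assumed here from Chrome's documented external-extension mechanism and are not taken from the article; the function name is hypothetical.

```powershell
# Added example (not from the article): list extensions registered for
# "external" installation in Chrome through the Windows registry.
# Key paths and value names are assumed from Chrome's documented mechanism.

$ExternalExtensionKeys = @(
    'HKLM:\Software\Google\Chrome\Extensions',
    'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\Software\Google\Chrome\Extensions'
)

# Assumed update URL of the official Chrome Web Store; anything else is
# worth a closer look.
$OfficialStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Get-ChromeExternalExtension {
    [CmdletBinding()]
    param(
        [string[]]$KeyPath = $ExternalExtensionKeys
    )

    foreach ($root in $KeyPath) {
        if (-not (Test-Path -Path $root)) { continue }

        # Each subkey is named after the 32-character extension id.
        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath

            # 'update_url' points at a store or update server;
            # 'path' plus 'version' point at a local .crx file.
            $fromLocalFile = [bool]$props.path
            $nonStoreUrl   = ($props.update_url) -and
                             ($props.update_url -ne $OfficialStoreUpdateUrl)

            [pscustomobject]@{
                ExtensionId   = $_.PSChildName
                RegistryKey   = $root
                UpdateUrl     = $props.update_url
                LocalPath     = $props.path
                Version       = $props.version
                # Entries installed from a local file or a non-store URL
                # bypass Web Store review and deserve the closest scrutiny.
                NeedsReview   = $fromLocalFile -or $nonStoreUrl
            }
        }
    }
}

# Usage: run as a user with read access to HKLM; review flagged entries first.
Get-ChromeExternalExtension |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize
```

Running this on a fleet before the Chrome 25 rollout gives an inventory of what the one-time re-enable dialog will show each user, and the `NeedsReview` flag separates entries that install from a local file or a non-store update server from those that simply point at the Web Store.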

"This feature was originally intended to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application," Peter Ludwig, Google's product manager of Chrome Extensions, said Friday in a blog post. "Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgment from users."

In order to prevent this type of abuse, starting with Chrome 25, the browser will automatically disable all previously installed "external" extensions and will present users with a one-time dialog box to choose which ones they want to re-enable.

In addition, all extensions that are installed using the offline methods will be disabled by default and the user will be asked if they want to enable them when the browser is restarted.

Mozilla implemented a very similar mechanism over a year ago in Firefox to prevent extensions installed offline by other programs from being enabled without user confirmation.

There have been many attacks that used malicious browser extensions, including Chrome extensions. For example, in May, the Wikimedia Foundation issued an alert about a Google Chrome extension that was inserting rogue ads into Wikipedia pages.

In July, Google stopped allowing Chrome extensions to be installed from third-party websites, restricting online installations only to extensions found in the official Chrome Web Store.

This made it harder for attackers to distribute malicious extensions, but didn't prevent malware from installing rogue Chrome extensions on an already compromised system using the offline methods. The upcoming Chrome 25 changes aim to address that.

"I think it is a good step in the right direction, which is a more secure browsing experience," Zoltan Balazs, an IT security researcher from Hungary, said Monday via email. Balazs previously created proof-of-concept malicious extensions for Firefox, Chrome and Safari in order to demonstrate how powerful such tools can be in the hands of attackers.

Balazs' research, which was presented at several security conferences this year, showed how remotely controlled rogue browser extensions can modify the content of Web pages, take screenshots through the computer's webcam, act as a reverse HTTP proxy into the internal network, download, upload and execute files, be used for distributed password hash cracking and more.

Even though the upcoming changes in Chrome 25 will make life harder for attackers, a piece of malware could still potentially replace the whole Chrome installation with a backdoored one, Balazs said. He pointed to the first of the "10 Immutable Laws of Security" as published by Microsoft, which reads: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

In July, when Google banned Chrome extension installations from third-party websites, the company also said that it will start analyzing all extensions listed in the Chrome Web Store for malicious behavior and will remove the offending ones.

However, malicious extensions have been found in the Chrome Web Store on multiple occasions since then, suggesting that Google's extension scanning and review mechanism can be bypassed. On Aug. 30, researchers from Barracuda Networks warned that Facebook scammers managed to trick over 90,000 users into installing several malicious Chrome extensions hosted in the Chrome Web Store before the extensions were removed by Google.

A Dec. 20 alert from Facecrooks, a group that monitors Facebook threats, warned about a scam that tricked users into installing a rogue Chrome extension by claiming that it changes the color scheme of their Facebook profile.

According to Balazs, the fact that malicious extension developers manage to bypass the Chrome Web Store's malware detection systems is not that surprising.

Obfuscating JavaScript code or hiding malicious functions inside other non-malicious functions, or creating non-malicious extensions and adding malicious functions in an update, is very easy, Balazs said. "It is the same cat and mouse game that we see between malware developers and the AV industry."

"Right now Google is the security standard when it comes to browser extension security," Balazs said. However, one big step forward for Google would be to disable the old NPAPI (Netscape Plugin Application Programming Interface) plugin architecture everywhere -- it is now disabled in Chrome for Windows 8 Metro and Chromebook -- and promote the more secure and sandboxed Native Client architecture, he said.


Lucian Constantin

IDG News Service