Google announced late last week it would begin halting the silent installation of extensions on its flagship Chrome browser.

In a post on the company’s Chromium Blog, Chrome’s Product Manager Peter Ludwig described the problem that led to the change and two new features present on the latest iteration of the browser, Chrome 25, released last week.

Before the change, users could have had extensions installed on their browser silently, without their permission, via a Windows registry mechanism, a feature that allows the installation of extensions alongside other applications. This was more or less a way for third-party companies to get users to unknowingly opt in to these extensions.

Now, when third-party programs want to install extensions, any “external extension deployment options” will be disabled by default. Instead, a dialog box will pop up and detail how the extension will modify Chrome’s performance, what information it accesses and so forth. At this time the user will be asked to choose whether they wish to enable the extension or remove it entirely.

The new feature also automatically disables any extensions installed using external deployment options in the past. If a user wants to re-enable any of these, they’ll be shown a one-time prompt making the security ramifications of each known before re-launching the extension.

Ludwig goes on to note that going forward, to keep legitimacy concerns at bay, Windows application and extension developers should ensure their programs are installed through Chrome.

Malicious Chrome extensions were found giving users in Brazil a hard time earlier this year. Kaspersky Lab researcher Fabio Assolini discovered an extension that was tricking users into thinking they could use it to remove a virus from their Facebook profiles. Instead, the app gave attackers free rein over the victim’s profile, allowing them to spread the app further through Facebook’s messaging system.

Following this and other attacks, Google changed Chrome in July so users could only install extensions from the Google Chrome store, eliminating the ability for third-party companies to push their extensions to users directly.
