Google says it has taken extra steps to counter the threat posed by malicious extensions to its Chrome Web browser, after incidents in which malicious extensions were used to power online scams.
The search giant announced on its Web page that it has changed the way users can add third party browser extensions that are not hosted in the Chrome Web Store. Google now requires Chrome users to add third party extensions using the Chrome Extensions page. It has made it impossible for third party Web sites to push extensions to users directly.
Chrome extensions are browser plug-ins that add new features and capabilities to Chrome. In recent months, cybercriminals and scammers have used the extensions to power online scams. In March, for example, a Kaspersky Lab researcher discovered a Brazilian social engineering campaign that offered users a Chrome extension to “remove a virus from their Facebook profile.” The extension in question was a Trojan horse application that gave the attackers control over the user’s Facebook profile and spammed messages to that user’s friends.
With the latest version of Chrome, users who want to install third party plug-ins obtained outside of the Web Store must add them through the Extensions page, Google said.
Google said it analyzes extensions that are uploaded to the Web Store and removes those it considers suspicious. However, the company can’t police third party Web sites that offer their own extensions. “Unfortunately,” the company said, “we don’t have the ability to take down malicious items promoted on other websites.” The updated installation process will block third party websites from automatically triggering unauthorized extension installations, giving users more control, Google said.
Chrome is now the most popular Web browser, surpassing Microsoft’s Internet Explorer. That popularity has put increased pressure on Google to address security issues in the browser. Last week, Google released an updated version of Chrome 20, fixing three high-risk security vulnerabilities. The update comes just two weeks after Google released Chrome 20, which included patches for 20 bugs.