Well, better late than never. Google is in the process of a massive sweep targeting malicious Chrome extensions, rolling out new security measures and requirements.
Google’s new security requirements will affect existing as well as new developers who want to publish their extensions in the Chrome Web Store. The new rules are primarily introduced to deal efficiently with extensions that seek far too many permissions.
These new rules were much needed, since until now it was much easier to avoid checks and publish malicious extensions that could collect users’ private data or carry out phishing attacks. After this rule change, hackers will have a hard time coding malicious extensions or compromising other extensions.
The new security requirements and measures are as follows:
No Room for Obfuscated Code!
With this new rule, developers are completely barred from submitting extensions that include obfuscated code, be it a single line or a bunch of complicated lines. Google believes that the majority of malicious extensions lurk behind such obfuscated code.
Obfuscation is the act of deliberately writing intricate, convoluted source code that is baffling and difficult for humans to comprehend.
Developers often obfuscate their programs mainly to evade malware scans. However, they justify the use of such code by saying it prevents their competitors from analyzing or imitating the functionality of their program.
But code obfuscation also leads to poor performance, and the argument surfaces that there is no actual use for code obfuscation at all. Hence, Google has no mercy on developers who use such complicated code. Google has even announced that January 1st will be the deadline for existing developers to remove any obfuscated code from their extensions to comply with the new requirements.
This change will be available in Chrome 70, which allows users to be more selective about the sites that an extension can access.
Prior to this change, when a user gave a Chrome extension permission to read and manipulate website data, the extension could use that permission across all sites, which opened a whole new avenue for hackers to execute phishing and social engineering attacks.
The per-site permissions feature in Chrome 70 will enable users to restrict an extension’s DOM manipulation capabilities to specific websites, on a per-site basis. With Google’s assault on extensions that request ‘powerful permissions’, the review process for such extensions will be more stringent.
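To see how much site access an extension asks for, its manifest can be checked for match patterns that cover every site. This is an added example, not code from the article or from Google; `auditManifest` and its helpers are hypothetical names, and the sample manifest is constructed.

```javascript
// Added example; the manifest at the bottom is constructed sample data.
// Returns the host part of a match pattern, or null for API names like "tabs".
function hostOf(pattern) {
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : null;
}

function isHostPattern(entry) {
  return entry === '<all_urls>' || hostOf(entry) !== null;
}

// Broad: the pattern matches every site ("<all_urls>" or a bare "*" host).
function isBroad(pattern) {
  return pattern === '<all_urls>' || hostOf(pattern) === '*';
}

// Hypothetical helper: splits requested host access into broad and scoped.
function auditManifest(manifest) {
  const sources = [
    ['permissions', manifest.permissions || []],
    ['optional_permissions', manifest.optional_permissions || []],
    ['host_permissions', manifest.host_permissions || []], // Manifest V3 key
  ];
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches || []]));

  const report = { broad: [], scoped: [] };
  for (const [source, entries] of sources) {
    for (const entry of entries) {
      if (!isHostPattern(entry)) continue; // API permission, not a site pattern
      (isBroad(entry) ? report.broad : report.scoped).push({ source, pattern: entry });
    }
  }
  return report;
}

// Constructed sample manifest, not taken from a real extension.
const sampleManifest = {
  name: 'Constructed sample extension',
  manifest_version: 2,
  permissions: ['storage', 'tabs', 'https://mail.example.com/*', '*://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

const sampleReport = auditManifest(sampleManifest);
console.log(JSON.stringify(sampleReport, null, 2));
```

Entries reported as `broad` are the ones that let an extension read and change data on every site; `scoped` entries are limited to the named hosts.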
Compulsory Two-Step Verification for Developers
Very soon, developers will be required to use two-factor authentication to access their Chrome Web Store accounts. This change will shut down another avenue for hackers who used to target legitimate developer accounts on the Chrome Web Store.
We have already discussed how a malicious hacker can compromise a legitimate developer account, edit its Chrome extension, update it with malicious code and re-publish it in the same web store. This is a very powerful attack because once the legitimate extension is republished with malicious code, the hacker can gain sensitive information from existing users of the extension or carry out a mass phishing attack on them to achieve even bigger goals.
With two-step verification, Google aims to prevent such phishing cases, in which hackers can masquerade as a legitimate developer.