Google Is Finally Making Chrome Extensions More Secure
After years of issues with rogue Chrome extensions, hijacks, and malware, Google announced a slew of new policies Thursday to ensure the little browser applets are secure. The improvements come as part of a wider company push to evaluate how much user data third-party applications can access. Google launched the audit, known as Project Strobe, in October alongside an announcement that Google+ had suffered data exposures and would be shuttered.
Later this year, Google will begin requiring that extensions only request access to the minimum amount of user data necessary to function. The company is also expanding its requirements around privacy policies: Previously, only extensions that dealt with personal and sensitive user data had to post the policies, but now extensions that handle personal communications and other user-generated content will need to articulate policies, as well. Google says it is announcing these changes now so developers have time to adapt before the new rules take effect this fall.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
"To make this ecosystem successful, people need to be confident their data is secure, and developers need clear rules of the road," Google Fellow and vice president of engineering Ben Smith wrote on Thursday. "There are more than 180,000 extensions in the Chrome Web Store, and nearly half of all Chrome desktop users actively use extensions.… Last October, we shared our intention to ensure that all Chrome extensions are trustworthy by default. Today, as part of Project Strobe, we’re continuing that effort with additional Chrome Web Store policies."
Project Strobe has also tightened developer access to Gmail data, and on Thursday Google expanded those protections to constrain third-party access to Google Drive.
Google is known for robust account security, but its open ecosystems on Android and Chrome can present problems. Third-party app and Chrome extension developers don't always build their software with user security best practices in mind, potentially exposing user data. And rogue developers can exploit the open system to sneak malicious apps into Google Play or simply distribute their nasty Chrome extensions and apps outside of Google's protected channels.
The changes announced Thursday will make it harder for Chrome extensions distributed through Google's Chrome Web Store to quietly grab user data. More universal privacy policy requirements will force developers to describe how exactly data is being used within their applet. And the new rules about collecting the smallest amount of data needed to function will reduce the chance that users unintentionally grant Chrome extensions access to a broad array of unnecessary data. Google says it will enforce the policies as part of its regular extension review process.
Some users may be surprised that privacy policies and minimal data access weren't already requirements for all Chrome extensions. Google says that it had strongly encouraged developers to take these steps before making them mandatory. But the slow pace of improvements for Chrome extension security has become a real industry concern as problems continue to crop up with the unassuming applets.
"It's as if Google assumes all Chrome extensions are malicious, but they run the store anyway," says Matthew Green, a cryptographer at Johns Hopkins University. "I feel like Google treats their extensions like radioactive waste. Maybe they are."
Gloss