Friday, January 11, 2013

Google Acts Against Malicious Chrome Extensions

Google's latest steps will make it harder for malicious developers trying to exploit Chrome users via browser extensions.

Extensions are plugins for Google Chrome and allow developers to add extra functionality to the Web browser. Many Chrome extensions are supremely useful, such as Ghostery, which quickly and easily detects and blocks Web trackers tagging your movements across the Web, the goo.gl URL shortener, and ViewThru, which displays the full URL when mouse-overing a shortenend link. Others, like the "Change Your Facebook Color" extension pointed out by Webroot, are privacy-violating scams peeping at the browsing history and data from other Web sites. Spam-spewing extensions also exist.

While many of the extensions are accidentally installed by users who were tricked into downloading it, many were installed without the user's knowledge by other dodgy applications using Chrome's auto-install feature. To address that problem, Google has removed auto-installs in the latest version of Chrome.

No More Auto-Installs
Google originally included the auto-install feature to allow applications to install an additional Chrome extension during its own installation process. This was intended to simplify the installation process so that users didn't have to add the extension manually afterwards.?

"Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users," Peter Ludwig, a product manager at Google, wrote on the Chrmoium blog.?

Chrome (version 25 for those counting) will now block an application trying to auto-install an extension Google and display an alert informing the user about the new extension and list some of the things it can do (such as "Access your data on all Websites" and "Read and modify your bookmarks").

Chrome 25 also automatically disables any extensions that were previously installed using the auto-install feature. If the user wants to re-enable the extension, the browser will display a one-time prompt explaining what each extension wants to do before allowing them to be turned back on.?

Stopping Malicious Extensions
Google also appears to have a new service?which analyzes "every extension that is uploaded to the Web Store and take down those we recognize to be malicious," according to the support pages for the Chrome Web Store. There isn't a lot of information about the service at this time, so it's not known whether Google is using an automated scanner similar to Google Bouncer checking app in Google Play (or if Bouncer itself is handling both markets).

Google has recently cracked down on extensions. Back in July, Google changed Chrome so that users could only install extensions found in the Chrome Web Store, and not from third-party sites.?

Source: http://securitywatch.pcmag.com/web-browsers/306341-google-acts-against-malicious-chrome-extensions

dave matthews band solar flares 2012 whitney houston will toyota recall northern lights sign of the times keystone pipeline

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.