Starting with version 25 of Google Chrome, browser extensions installed offline by other applications will not be enabled until users give their permission through a dialog box in the browser interface.
At the moment developers have several options to install extensions offline -- not using the browser interface -- in Google Chrome for Windows. One of them involves adding special entries in the Windows registry that tell Chrome that a new extension has been installed and should be enabled.
[ InfoWorld's expert contributors show you how to secure your Web browsers. Download the free PDF guide today! | Learn how to protect your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
"This feature was originally intended to allow users to opt-in to adding a useful extension to Chrome as a part of the installation of another application," Peter Ludwig, Google's product manager of Chrome Extensions, said Friday in a blog post. "Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgment from users."
In order to prevent this type of abuse, starting with Chrome 25, the browser will automatically disable all previously installed "external" extensions and will present users with a one-time dialog box to choose which ones they want to re-enable.
In addition, all extensions that are installed using the offline methods will be disabled by default and the user will be asked if they want to enable them when the browser is restarted.
Mozilla implemented a very similar mechanism over a year ago in Firefox to prevent extensions installed offline by other programs from being enabled without user confirmation.
There have been many attacks that used malicious browser extensions, including Chrome extensions. For example, in May, the Wikimedia Foundation issued an alert about a Google Chrome extension that was inserting rogue ads into Wikipedia pages.
In July, Google stopped allowing Chrome extensions to be installed from third-party websites, restricting online installations only to extensions found in the official Chrome Web Store.
This made it harder for attackers to distribute malicious extensions, but didn't prevent malware from installing rogue Chrome extensions on an already compromised system using the offline methods. The upcoming Chrome 25 changes aim to address that.
"I think it is a good step in the right direction, which is a more secure browsing experience," Zoltan Balazs, an IT security researcher from Hungary, said Monday via email. Balazs previously created proof-of-concept malicious extensions for Firefox, Chrome and Safari in order to demonstrate how powerful such tools can be in the hands of attackers.
Balazs' research, which was presented at several security conferences this year, showed how remotely controlled rogue browser extensions can modify the content of Web pages, take screen shots through the computer's webcam, act as a reverse HTTP proxy into the internal network, download, upload and execute files, be used for distributed password hash cracking and more.
