Google cracks down on malicious Chrome extensions

A more rigorous review process that includes more humans seeks to better scrutinize extensions that demand lots of power.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
3 min read
Google Chrome dominates the browser market.
Stephen Shankland/CNET

Chrome extensions are great for customizing the web browser, but Google is cracking down to try to keep them from seizing more control than you want to give them.

On Monday, the company announced a host of actions to keep extensions in hand:

  • Google will let you restrict extensions that seek to modify web pages so they only work on particular websites. You'll also be able to require them to seek your permission each time they run.
  • Google will scrutinize more closely extensions that ask for a lot of power over your browser and will reject extensions whose underlying programming code has been obfuscated so it's hard to read.
  • Google will require extension developers to use two-step authentication starting in 2019 to make it harder for someone to hijack the account to distribute a bad version of an extension.

Extensions have been a boon to the billion-plus people who use Chrome. More than 180,000 extensions are available, and nearly half of us use them in the browser for things like blocking ads, checking grammar, managing passwords, managing multiple Gmail accounts, translating text in other languages and collapsing tabs into a list for later use.

Chrome extension restrictions

You'll be able to restrict extensions that want to modify websites so they'll have to get your permission each time.


But the openness of Chrome extensions and the Chrome Web Store that Google uses to distribute them have also opened a new door to malware, spyware, cryptocurrency miners, Facebook account hijackers and other bad extensions. That's what Google is trying to fix here.

"It's crucial that users be able to trust the extensions they install are safe, privacy-preserving, and performant," said James Wagner, Chrome's extensions product manager, in a blog post.

It's a big problem. In 2015, Google found thousands of malicious extensions, and one out of 10 Chrome extensions submitted were malware.

The higher level of scrutiny will involve more humans, Chrome leader Rahul Roy-Chowdhury tweeted Tuesday.

"We do some manual reviews today, and we will ramp that up as these changes roll out," he said in tweet. "Basically we're moving to a model where we publish only 'known good' with a high bar, specially for extensions with sensitive permissions."

Chrome extension checking process

For years, Google has used computers to check for malicious Chrome extensions. Now it's adding more scrutiny.


Monday's move isn't the first crackdown. Google also has automated checks on extensions, and this year, it's shutting down a process called inline installation that let you install extensions from buttons on third-party websites. Now you have to go to the Chrome Web Store, where you can see more details about an extension you're considering installing.

And in 2019, Google will overhaul Chrome extension manifests -- the documentation that developers must write to describe things like the computing privileges extensions need. With the new version, "writing a secure and performant extension ... should be easy, while writing an insecure or non-performant extension should be difficult," Wagner said.

First published Oct. 1 at 10 a.m. PT.
Update, Oct. 2 at 9:17 a.m. PT: Updates with comment from Chrome leader Rahul Roy-Chowdhury.

NASA turns 60: The space agency has taken humanity farther than anyone else, and it has plans to go further.

Taking It to Extremes: Mix insane situations -- erupting volcanoes, nuclear meltdowns, 30-foot waves -- with everyday tech. Here's what happens.