Google changes Chrome extension policy amid security concerns

Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.

Google last week announced a new Chrome extension policy amid growing security concerns about potential threats from third-party add-ons.

The company changed its Chrome extension policy to require all Windows and Mac users -- including developers -- to install extensions only from the Chrome Web Store. Previously, the company introduced the Chrome Web Store-only policy for Windows users a year ago, but Google still allowed developers and Mac users to install extensions from any source.

However, following the spread of malicious extensions to the developer channel, Google decided to enforce this policy universally. Extensions from outside the Chrome store are not subject to the same rigorous testing that Chrome Web Store extensions are, Google said. As a result, third-party extensions from outside the outside the Chrome Web Store could install spyware or other malware accidentally or intentionally as add-ons for seemingly harmless products.

"We originally did not enforce this policy on the Windows developer channel in order to allow developers to opt out," Jake Leichtling, extensions platform product manager for Chrome, said in a blog post. "Unfortunately, we've since observed malicious software forcing users into the developer channel in order to install unwanted off-store extensions."

Although extensions in the Chrome Web Store will be subjected to more meticulous security scanning, some problematic extensions have been able to slip by the company. Last month, a third-party Chrome extension called Webpage Screenshot was pulled from the Chrome Web Store due to security concerns; a report from researchers at Heimdal Security showed the extension used a delayed installation process to fool security scans and later installed spyware.

"Malware can change how browsers work by silently installing extensions on your machine that do things like inject ads or track your browsing activity," Chrome engineering director Erik Kay said in a blog post in 2014. "Since the bad guys continue to come up with new ways to cause our users headaches, we are always taking additional measures."

Chrome will continue supporting local extension installs during development and installs that follow Chrome for Work and Education's enterprise policy.

Next Steps

Learn how to mitigate browser plug-in threats and improve Web extension security

Dig Deeper on Application and platform security