New Google policies make Chrome extensions more trustworthy

Shawn Knight


Google last year announced Project Strobe, a root-and-branch review of third-party developer access to Android device and Google account data. The search giant has already implemented multiple new policies and is now turning its attention to Chrome.

Moving forward, Google is requiring that extensions only request access to data needed to implement their features. In the event that more than one permission could be used to implement a feature, the dev will need to use the permission that accesses the least amount of data.

Developers have always been encouraged to do this, said Google fellow and VP of engineering Ben Smith, but it is now a requirement for all extensions.

Google is also mandating that extensions which handle user-provided content and personal communications post a privacy policy and handle data in a secure fashion. This is an expansion of existing policies that require extensions dealing in personal and sensitive user data to do the same.

Browser extensions have become a growing attack vector for phishing and social engineering. As Atif Mushtaq, CEO of cybersecurity firm SlashNext, highlights, many attacks are born out of legitimate extensions that are later updated with malicious code.

“This exact scenario happened when Particle – a Chrome extension for enhancing YouTube – was sold to a new developer after the original author planned to abandon the extension due to incompatibilities with a soon to be released updated YouTube UI.”

As Mushtaq recounts, the new developer converted the extension to adware a couple of days after the purchase and sent out an update requesting two intrusive permissions to access data that the extension didn’t need or have any reason to use.

Thanks to changes brought about by Project Strobe, it should be harder for extensions – both legitimate ones and those that go rogue – to collect such personal data.



Uncle Al

Posts: 8,001   +6,775
Haven't we heard this before from Google? Starting to sound like those constant apologies from another big IT CEO ...... of course they didn't produce anything either!


Posts: 82   +91
Is this just a way for Google to control the supply of your data so they can sell it for more?$?$?$

You seem to misunderstand their business model. They don't sell your data, it's too valuable for them.

They use it themselves to serve more personalised ads since it increases the odds of you clicking the ads which leads to more advertisers choosing Google.