By Alexandra Burlacu email: firstname.lastname@example.org | Dec 31, 2012 06:42 PM EST
When Google Chrome reaches version 25, browser extensions installed offline by other applications will no longer be enabled without user permission.
Developers currently have several options to install extensions offline, i.e. without using the browser interface, in Google Chrome for Windows. One of these options entails adding special entries in the Windows registry, telling Chrome that a new extension has been installed and should be enabled.
"This feature was originally intended to allow users to opt-in to adding a useful extension to Chrome as part of the installation of another application," Google's product manager of Chrome Extensions Peter Ludwig said in a blog post on Friday, Dec. 28. "Unfortunately, this feature has been widely abused by third parties to silently install extensions into Chrome without proper acknowledgement from users."
Chrome 25 aims to prevent this type of abuse by prompting users to give their permission through a dialog box in the browser interface. In other words, the browser will automatically disable all previously installed "external extensions" and will present users with a one-time dialog box to select which extensions they want to re-enable. All extensions installed through offline methods will be disabled by default, and users will be asked whether they want to enable them when they restart the browser.
Mozilla made a similar move over a year ago, when it implemented such a mechanism in Firefox to ensure extensions installed offline by other programs are not enabled without user confirmation.
Security is a big concern nowadays, especially as many attacks have used malicious browser extensions in the past, including Google Chrome extensions. Back in May, for instance, Wikimedia Foundation issued an alert regarding a Chrome extension that was filling Wikipedia pages with rogue ads. In July, Google decided to stop allowing Chrome extensions to be installed from third-party Web sites, limiting online installations only to extensions found in the official Chrome Web store. At the time, the company also said it would start analyzing all extensions listed in the Chrome Web Store for malicious behavior and remove any offending instance.
While this made it harder for criminals to distribute malicious extensions, it could prevent malware from installing rogue Chrome extensions on already compromised systems using offline methods. The new changes to the upcoming Chrome 25 version aim to address this issue.