Security News > 2024 > March > Chrome users – get an alert when extensions are in danger of falling into wrong hands

Millions of Chrome users now have a way to guard against the threat of extension subversion, that is, if they don't mind installing yet another browser extension.

As we reported last August, those who develop Chrome extensions that become popular often receive solicitations to sell their code or to partner with a third-party in order for the new owner or partner to insert dubious, scammy, or malicious code in the extension.

One such request cited by a Chrome extension developer on the Chrome Extensions mailing list sought the modification of the user's search provider in order to capture all the search terms the user enters into the browser's omnibox.

While the majority of that usage nowadays occurs on mobile devices - where, on iOS devices at least, Chrome extensions aren't currently an option - many desktop and Android-based Chrome users have extensions installed.

The last time Google offered an official number was in 2010, when a third of Chrome users were said to have at least one extension installed.

Changes of ownership are particularly problematic for browser extensions, Frisbie explained, because of a confluence of factors: they're more powerful than most people realize; they're difficult to monetize; the Chrome Web Store doesn't disclose a lot of details about extension developers; extensions tend to be installed for a long time and get automatic updates; and transferring ownership is easy and done without meaningful oversight.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/07/chrome_extension_changes/