Google has announced on the Chromium blog that it plans to better protect Chrome users when they install extensions. The idea is to prevent abuse of the system for installing extensions outside the Chrome Web Store, that is, inline installations.
Since 2012 Chrome has not allowed the installation of extensions that are not uploaded to the official browser store, but with the inline system a developer can offer the installation from their own website through a flow that calls the extension hosted in the Chrome Web Store. However, that system can be abused, and this is where Google is focusing its efforts.
The company has said that less than 3% of extensions still abuse confusing or deceptive flows to take advantage of users, but that those extensions generate 90% more complaints than the average in the Chrome Web Store.
So, starting in the next few weeks, they will expand the protections to reduce the harm done to users through this system. They will also use machine learning to evaluate installations, looking for signals of malicious, deceptive or confusing websites or ads.
Why is it not enough?
If this type of installation generates 90% more complaints from users than the average, it would also be good to know how many complaints are generated by installations of malicious extensions that live happily in the Chrome Web Store.
The Chrome Web Store has other problems that are perhaps as urgent or more urgent to solve, such as its vetting system. In the official Google Chrome extension store we can find everything from fraudulent clones of popular extensions, to extensions that can become adware without you knowing it, to extensions that sell our data to the highest bidder, to extensions that use us without our permission to mine cryptocurrencies.
All those types of malicious plugins have passed through the Chrome Web Store, apparently fulfilling all the requirements to be published by Google in its store, and have been installed not hundreds, but thousands and millions of times by users.
They have remained in the store for days after multiple reports and have affected lots of users around the world, and continue to do so.
Just a week ago we talked about the case of Archive Poster, an extension that had been trying to mine cryptocurrencies for weeks with the CPUs of its more than 100,000 users and remained perfectly happy in the Chrome Web Store, with no abuse of inline installations.
It was only removed after appearing in headlines in multiple media outlets and making noise, despite having been reported multiple times by users of the Chrome Web Store much earlier.
According to the findings of a researcher, malicious extensions in Chrome make up about 10% of the entire store: about 40,000 suspicious extensions in 2015.
Google Chrome is the most widely used browser in the world; on the desktop it reaches almost 60% of the market share if you average data from different sources such as NetMarketShare or StatCounter.
Its extension store is the primary place where users search for browser add-ons, and they do so trusting that Google has taken responsibility for filtering the plugins and is not offering products with malicious purposes under its brand name. But the reality is that it is.