Chrome must tackle faulty security as it dominates market
Feb 15, 2021
This past week, the web browser that is nearly ubiquitous at 64% of the entire market has faced a few security incidents.
First there was a malicious extension called the “Great Suspender” that had been downloaded over 2 million times from the Chrome store. Shortly after, there was a zero-day exploit that prompted Google to issue an update outside its normal release schedule. In that same week, a security researcher discovered malware that abused Chrome’s sync feature to bypass firewalls.
With how much of the market Google’s Chrome browser commands, it is a prime target for bad actors looking to circumvent its security. As such, it’s important for Google to take steps to protect its ecosystem, especially now that competitors such as Microsoft Edge use the same underlying platform. Even with all their tech-savviness and precautions, all it takes is a simple mistake or rogue update to break that chain of trust.
To that end, I had the misfortune to be part of that malicious campaign both before, with another extension I used regularly in October, and last week with “The Great Suspender”. In both cases, the lead developer had sold the rights to a third party after many years of maintaining the extension. With the way Chrome handles silent updates to extensions, I was unaware of the sudden change of hands until the news broke and/or Google remotely deactivated the extension.
In the case of the extension from October, the malicious update was an unfortunate turn of events; the original developer explained they were looking for someone to take their role as they no longer had time to maintain it themselves. In the case of last week’s incident, a similar situation had occurred with the extension changing hands and promptly being abused by its new owners.
On the one hand, I am glad Google has systems in place to stop these attacks quickly, but on the other hand, I would have liked to have more control over what gets automatically installed onto my system. As showcased, an extension can be working fine until a single update is compromised, and without that control, we are at the mercy of the developers of these extensions. Other platforms such as iOS, Android and even Windows have auto-update systems with the option to manually review updates.
Google is currently laying the groundwork for a new method of handling extensions it calls Manifest V3. Since last month, it has been accepting these new types of extensions, which have more stringent security requirements and will slowly replace the older system of extensions. These new requirements will limit the amount of access extensions have to user data as well as blocking some of the methods malicious extensions have used.
My general word of advice is to go through your list of installed apps or extensions and make sure you are actually using them. If not, remove them, as this will not only clear up your space or improve speed, but it will also reduce the number of places you can be compromised.