malicious chrome extensions

Google today announced the latest set of policy changes to limit extension abuse and improve the security of the Chrome Web Store. This includes requiring 2FA for Chrome Web Store developers and cracking down on deceptive installations.

As with the Play Console for Android apps just yesterday, Chrome Web Store developers need to enable 2-Step Verification (2SV or 2FA) on their Google Accounts before being able to publish new extensions or update existing ones. This is meant to make it harder for nefarious parties to hijack an account and release a malicious extension update.

Meanwhile, Google is cracking down on “multiple extensions with highly similar functionality, content, and user experiences.” The company says these repetitive and spammy extensions should be combined into one tool rather than aim for high download counts:

If these extensions are each small in content volume, and provide the same single purpose, developers should create a single extension that aggregates all the content. For example, publishing multiple wallpaper extensions, when these would be better served as a single extension, is prohibited.

On the “Deceptive Installation Tactics” front, Google has four updates today:

  1. Offering multiple extensions as part of the same installation flow isn’t allowed. Similarly, extensions can’t disruptively upsell other extensions or apps. Such behaviors violate our Deceptive Installation Tactics and Notification Abuse policies.
  2. The set of functionalities promised by extensions must be stated clearly and in a transparent manner. All principal and significant features of your extension must be clear to the user and not buried in unrelated text.
  3. The outcome of any user interaction should match the reasonable expectations that were set with the user.
  4. Requiring unrelated user action to access advertised functionality is not allowed.

The changes were communicated to developers in an email this morning. These policies go into effect on August 2, 2021, when developers without 2FA will no longer be able to upload/update extensions, while programs that violate these two new policies can be removed from the Chrome Web Store and disabled.

Dylan Roussel contributed to this article

About the Author

Abner Li