Google is cracking down again on deceptive Chrome extension installation practices. The browser maker listed new rules yesterday that extension developers must follow, or face the possibility of having their extension removed from the official Chrome Web Store.
These new rules come after last year, Google banned the installation of Chrome extensions via third-party sites (called inline installs) and limited the installation process to users visiting the extension's official Chrome Web Store page only.
The decision to block the installation of Chrome extensions from third-party sites curtailed the number of malicious extensions, but not enough.
Developers of malicious Chrome extensions simply shifted to using new tactics for tricking users into installing malicious extensions.
The new rules
But yesterday, Google announced plans to remove all Chrome extensions that abuse the following tactics to trick users towards pressing the "Add to Chrome" button:
- Extensions that lack a clear "disclosure" that explains to users what they can expect by installing the Chrome extension.
- Extensions that use misleading disclosures or explanations for the extension's purpose.
- Hiding disclosure texts (extension's purpose) in large blocks of text, down the page, or using text and fonts that make the disclosure unreadable.
- Using misleading interactive elements (such as buttons or forms) that trick the user into believing they're taking an action, but unknown to them, they are actually installing a Chrome extension.
- Using iframes to show only a portion of an extension's Web Store page on a remote site, enough to trigger an extension installation, but also enough show misleading text, overwriting the original Chrome Web Store description.
Google added this last rule because many scam sites in recent months have abused this tactic, and have used iframes to embed the extension's legitimate Web Store page on sites with misleading descriptions.
"The [Chrome Web Store] window should be sized such that the user can easily review all the content on the extension listing, not just the title and 'Add to Chrome' button," Google said.
"Unfortunately, we have seen bad actors make the listing window smaller to trick users into installing an extension."
Cracking down on misleading marketing
Furthermore, Google is also cracking down on extension developers that run misleading marketing campaigns, even if the user eventually lands on the official Chrome Web Store, where the proper information about an extension is listed.
Google said extension developers are responsible for promoting their tools using accurate information.
Furthermore, extension developers who allow affiliates and other partners to promote an extension using misleading tactics will also see their extensions removed from the Chrome Web Store, even if they have not engaged in deceptive tactics themselves.
"Extensions must be marketed responsibly, and it is up to the developer to ensure that all parts of your extension and all installation flows are compliant with all our program policies. We will remove extensions from the Chrome Web Store irrespective of whether the developer or its contractors or affiliates engage in deceptive installation tactics," Google said.
The browser maker said that depending on how severe an infringing extension's violation might be, it will either send a warning email, or proceed to immediately remove the extension from the Chrome Web Store, and disabling it in users' browsers.
The new rules will enter into effect starting July 1, 2019.
These new rules were announced yesterday, when Google also announced two other new rules for Chrome extensions:
- Chrome extensions that request more permissions than they need will be removed from the Web Store and users' browsers.
More browser coverage:
- Google still plans to cripple ad-blocking in Chrome, but enterprises will be exempt
- Privacy concerns raised about upcoming Client-Hints web standard
- First official version of Tor Browser for Android released on the Play Store
- Google changes how the Escape key is handled in Chrome to fight popup ads
- Google takes a stance against permission-grabbing Chrome extensions
- Mobile Chrome, Safari, and Firefox failed to show phishing warnings for more than a year
- How to use the Tor browser on an Android device TechRepublic
- Brave's privacy-first browser ads arrive with promised payout for you CNET