Google to tighten up Chrome extension security on Windows

To impede the spread of malicious Chrome extensions on Windows, Google will start requiring that all extensions for the stable and beta Windows versions be installed from the Chrome Web Store.

According to Google, the leading cause of complaints from Chrome users on Windows is a malicious extension the user installed. To make things harder for the authors of these malicious programs, Google will, starting in January, require that all extensions installed in the stable or beta channel products come from the Chrome Web Store.

Currently, by default, users can install extensions from anywhere. This makes it easy for attackers to post malicious code and lure users to it. After the change, users running the Chrome Dev channel will still be able to install extensions from locations other than the Chrome Web Store.

Google advises developers of extensions to begin migrating their code to the Store immediately. The changes should have no direct impact on users.

Chrome Apps, as distinct from extensions, are not affected by this change. Enterprises that use Group Policy to manage and deploy Chrome will also be able to deploy extensions to the beta and stable channels that way, as well as through inline installation.

We have seen complaints of malicious Chrome extensions, specifically adware, for Mac OS X. We asked Google whether they had plans to extend the rule to other platforms and they replied:

"This change is planned for Windows only, as that’s where we receive the most user complaints of bad behavior. We may apply to other platforms but have nothing to announce at this time."