Google Moves to Protect Chrome Users From Cryptojacking and Hacks

Google is bringing in stricter rules for Chrome extension developers, a move should reduce the risk of crypto hacks and mining malware.

AccessTimeIconOct 2, 2018 at 10:00 a.m. UTC
Updated Sep 13, 2021 at 8:26 a.m. UTC

Google is bringing in stricter rules for Chrome extension developers, a move should reduce the risk of crypto hacks and mining malware.

Announced Monday, the web and technology giant is planning a series of changes to the way Chrome handles extensions that request extensive permissions, and is also tightening the rules for developers distributing extensions via the Chrome Web Store.

Google said in a blog post:

"It's crucial that users be able to trust the extensions they install are safe, privacy-preserving, and performant. Users should always have full transparency about the scope of their extensions' capabilities and data access."

From Chrome 70 (currently in beta), users will have the ability to restrict an extension's access to a custom list of sites, or to set extensions to require permission each time they need to gain access to a page, the company explains.

Google adds that extensions that request "powerful permissions" will be subjected to "additional compliance review."

"We're also looking very closely at extensions that use remotely hosted code, with ongoing monitoring," the post states.

The firm explains the move, saying "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse – both malicious and unintentional ... Our aim is to improve user transparency and control over when extensions are able to access site data."

Google also said that, from Monday, Chrome Web Store will no longer allow extensions with hidden, or obfuscated, code. Existing extensions with obfuscated code have 90 days to comply with the new rule, it adds.

According to the post, more than 70 percent of "malicious and policy violating extensions" that Google blocks from the Web Store contain obfuscated code. Further, as obfuscation is "mainly used to conceal code functionality," it greatly adds to the complexity of the Google's extension review process.

"This is no longer acceptable given the aforementioned review process changes," Google stated.

And in a final security measure, in 2019, all extension developer accounts must be protected by 2-step verification to lower the risk of hackers taking over an account.

In the past, Chrome extensions have been used by cyber-criminals to provide access to victims machines.

For example, just a month ago, hackers uploaded a malicious version of the Mega extension to the Web Store. People who used the official installer over the next few hours had their accounts compromised, according to ZDNet – including users of the MyEtherWallet and MyMonero crypto wallets, and decentralized exchange IDEX.

Google has also been forced to crack down on extensions that used downloaders' devices to mine cryptocurrencies without their knowledge. In April, the Web Store blocked extensions that mine cryptocurrencies, whether or not mining was a deliberate feature.

Chrome icon image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.