Google has added a new experiment to the Chrome browser that is designed to educate users about the malicious behavior and performance issues that can be caused by browser extensions.
Cybersecurity firm Awake released a report on Thursday that detailed how 111 Google Chrome extensions capable of malicious behavior were downloaded over 32 million times.
“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.,” Awake’s report stated.
Google has stated that they have since removed 77 of the extensions.
Google launches Chrome extensions checkup experiment
Whether it is coincidence or a result of this report, Google has released a new experiment in Chrome 83 called ‘Extensions Checkup’.
When enabled, this experiment will display information boxes at the top of the chrome://extensions page or as a small message at the bottom of New Tab Pages that try to educate users about the risks of using browser extensions.
To enable this experiment in Chrome 83, go to chrome://flags and search for ‘extensions checkup’. When the experiment appears, you can select one of the ‘Enabled’ options to start displaying these educational alerts.
The message boxes shown by this experiment are meant to illustrate that browser extensions can be malicious or can slow down your browser experience, and in some cases, your PC if too much CPU is used.
The messages then prompt you to check your extensions and make sure you recognize them and meant to install them.
The ‘Performance’ message explains how browser extensions can slow down your PC.
A healthier, happier Chrome
Some extensions can slow you down - especially ones you didn't mean to install. If you don’t recognize an extension, or if your browser isn’t working as expected, you can turn off or customize extensions here.
The ‘Privacy’ message will explain that browser extensions can see your browsing activity, including what you enter into a browser.
What they are not saying is that there is little to stop an extension from stealing anything you type into your browser or performing other unwanted behavior.
Check your extensions
Some extensions can see your browsing activity - including personal information. If you don’t recognize an extension, or if your browser isn’t working as expected, you can turn off or customize extensions here.
The ‘Neutral’ message just asks you to check your extensions and remove any that you do not remember installing.
Manage your extensions
On this page you can see all the extensions installed in Chrome. If you don't recognize an extension, or if your browser isn't working as expected, you can turn off or customize extensions here.
Finally, if you enable the experiment on NTP pages, a small message will appear on New Tab Pages that asks you to check your extensions.
This experiment is a good start as many people blindly install extensions without understanding the risks behind them.
Unfortunately, it is not enough, and more has to be done in the review process for the Chrome Web Store to prevent malicious extensions from being available in the first place.
Google has not announced anything related to this experiment, but as shown by this Chrome Gerrit post, they are starting to enable it in field trials on ChromeOS, Windows, Linux, and macOS.
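The capabilities listed in Awake's report correspond to permissions an extension declares in its manifest.json, so a manual extension check can start there. The following Python example is an addition to this article, not code from Google or Awake; the capability mapping, the function name audit_manifest and both sample manifests are constructed for illustration.

```python
import json

# Match patterns that give an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Capability named in the report -> API permissions that enable it (assumed mapping).
CAPABILITY_PERMS = {
    "screenshots": {"tabCapture", "desktopCapture"},
    "clipboard": {"clipboardRead"},
    "cookies": {"cookies"},
}


def audit_manifest(manifest):
    """Return {capability: [evidence, ...]} for one parsed manifest.json."""
    # Manifest V2 lists hosts inside "permissions"; V3 uses "host_permissions".
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    declared += manifest.get("host_permissions", [])
    findings = {}
    for capability, perms in CAPABILITY_PERMS.items():
        hits = sorted(perms.intersection(declared))
        if hits:
            findings[capability] = hits
    # Host access to every site: read and change data on all websites.
    broad = sorted(BROAD_HOSTS.intersection(declared))
    if broad:
        findings["all_sites"] = broad
    # Content scripts injected into every page can observe what is typed there.
    for script in manifest.get("content_scripts", []):
        matches = sorted(BROAD_HOSTS.intersection(script.get("matches", [])))
        if matches:
            findings.setdefault("keystrokes", []).extend(matches)
    return findings


# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = json.loads("""{
  "name": "Sample PDF Helper", "manifest_version": 2, "version": "1.0",
  "permissions": ["cookies", "clipboardRead", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}""")
SAMPLE_NARROW = json.loads("""{
  "name": "Sample Notes", "manifest_version": 3, "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example/*"]
}""")

if __name__ == "__main__":
    for m in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(m["name"], audit_manifest(m) or "no broad capabilities declared")
```

A finding here means the extension has declared the access, not that it abuses it; the result is a shortlist of extensions to review first.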