One more step in the endless fight against malicious extensions!
The Google Anti-Abuse Team published a blog post announcing one more step against malicious extensions – this time, by adding limitations on deceptive inline installation methods.
Inline installation was introduced in 2011 as a way for users to seamlessly install extensions from developers’ websites. This mechanism has been abused by deceptive sites and ads that trick users into installing unwanted extensions.
A good example of a deceptive use of inline installation is this one:
The unsuspecting user thinks they are about to update a piece of software, but instead installs a new extension via the inline installation mechanism (the blue “click here” link).
Starting September 3, Google’s Anti-Abuse Team will begin disabling inline installation for extensions that employ these deceptive tactics.
Inline installation attempts for these extensions will be redirected to the extension’s product details page in the Chrome Web Store, allowing the user to make an informed decision about whether to install.
We think they should completely remove those extensions from the Chrome store, so the lesson will be learned!
According to the blog post, less than 0.2% of all extensions will be affected by this change.
We write a lot about Google’s efforts to make this ecosystem more secure, and we’re happy to see the steps they take almost every month, but we personally think they should be more aggressive.
Sometimes, those “only” 0.2% can hurt an entire industry…