Google is taking action on deceptive installation tactics for Chrome Browser Extensions

Pierluigi Paganini June 03, 2019

Google aims at eliminating the use of deceptive installation tactics among Chrome browser extensions introducing a new policy.

Google announced a new policy for Chrome browser extensions to eliminate the use of deceptive installation tactics.

The additional changes are part of the Project Strobe presented by Google in October 2018 in the aftermath of the data breach that exposed data of over 500,000 users of its Google+.

Google aims at ensuring that all Chrome extensions are trustworthy by default

Google says that users’ trust in extensions is greatly influenced by the path to downloading an extension. A single bad experience could affect users’ interest in these applications. 

“Setting the right expectations for what an extension does, from the start, helps create a healthy and thriving ecosystem of extensions, developers, and passionate users.” states Google.

“Last year, to improve user transparency we deprecated inline installation and began requiring all extension installs to go through the Chrome Web Store. This change has helped reduce user complaints about unwanted extensions by 18 percent.”

Unfortunately, Google still receives user feedback about deceptive extension install flows. The company is prohibiting extensions that benefit from deceptive install tactics with the following policy:

Extensions must be marketed responsibly. Extensions that use or benefit from deceptive installation tactics will be removed from the Chrome Web Store.

Deceptive installation tactics include:

  • Unclear or inconspicuous disclosures on marketing collateral preceding the Chrome Web Store item listing.
  • Misleading interactive elements as part of your distribution flow. This includes misleading call-to-action buttons or forms that imply an outcome other than the installation of an extension.
  • Adjusting the Chrome Web Store item listing window with the effect of withholding or hiding extension metadata from the user.

Developers are asked to audit their install traffic to ensure it is compliant before July 1st, 2019.

Google also introduced two additional restrictions on Chrome browser extensions, the most important one requires the use of the “minimum set of permissions necessary” when asking for access to data. Below the two restrictions:The tech giant added the following Chrome Web Store policies.

  1. We’re requiring extensions to only request access to the appropriate data needed to implement their features.  All extensions will now be required to use the “minimum set of permissions necessary” when asking for access to data. If there is more than one permission that could be used to implement a feature, developers must ask for permissions that could give them access to the least amount of data.
  2. We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content.  The company is requiring more extensions to post privacy policies in the Chrome Web Store. Even if this requirement is already in place for extensions that require access to “personal and sensitive user data,” now Google is extending the requirement to those Chrome browser extensions that need access to personal communication or user-provided content,


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Chrome Browser Extensions, Google)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment