Chrome’s inline extension install ban already bypassed

0
16

by Martin Brinkmann on October 11, 2018 in Google Chrome – Last Update: October 11, 2018 – 2 comments

Developers of Chrome extensions had two main options when it came to getting Chrome users to install their extensions for the browser.

They could rely on the Chrome Web Store presence and link to it from third-party sites to get users to install the extension or use inline installations instead.

Inline installations kept the install process on a third-party website; convenient on the one hand as it meant that users could install the extension from the developer’s website or another third-party site. Problematic on the other as the system was abused by malicious actors to push installations of extensions.

All it took was to upload the extension to Chrome and integrate it on third-party websites so that the extension would install without users leaving that site or having to visit the Chrome Store. Malicious actors used various methods to push extensions to user versions of Chrome that way.

Google revealed in early 2018 that it would add more protections against deceptive inline installations by retiring the functionality in June 2018.

chrome inline installation dialog

Retirement of inline installation functionality meant that extension developers could no longer push extension installations directly on their sites if the extensions were hosted on the Chrome Web Store.

Chrome extensions need to be installed from the Chrome Web Store website but that has not kept malicious developers from pushing extensions on to user systems.

While they can’t use inline installations for that anymore, they soon came up with an ingenious workaround as reported by Bleeping Computer that works similarly.

Users are asked to click on an install button on the third-party website to start the process. The site loads the Chrome Web Store page the extension is hosted on in a popup and places it on top of the loaded webpage in a way that only some information on the Chrome Web Store page such as the title of the extension and the “add to Chrome” button are visible.

integrated chrome store window via Bleeping Computer

While it is possible to scroll the window to see information such as the extension’s rating or installs, it is likely that some users will just activate the “add to Chrome” button to install the extension without paying attention to these things or the fact that a popup window was just spawned on their device.

The workaround offers an experience that is very similar to inline installs. While it is necessary to click on the “add to Chrome” button to display the installation prompt known from inline installs and Chrome installations from the Chrome Web Store, it is unlikely that this will stop most users exposed to the scheme from continuing with the installation.

Closing Words

While it may sound good on paper to recommend to Chrome users that they install extensions only directly from the Chrome Web Store, it is not something that is 100% safe either considering that these deceptive extensions are stored there as well.

Google has more control over extensions and options to prioritize some over others but it has happened in the past that malicious extensions landed in the Chrome Web Store.

We suggest that users verify Chrome extensions before they install them in the browser.