Google has announced a complete ban in the Chrome Web Store on any browser extension that mines cryptocurrency.
The news came in a blog post from James Wagner, Extensions Platform Product Manager. The announcement appears to be driven by a rise in malicious extensions. These extensions do not disclose that they are mining cryptocurrencies and run without user consent.
This has prompted Google to review its existing policies. Those policies previously allowed cryptocurrency mining on two conditions:
- Cryptocurrency mining was the only thing that the extension did
- The user was informed about what the extension did
Wagner writes that: “Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”
The new policy came into force yesterday. It means that any cryptocurrency mining extensions submitted to the store will now be rejected. Google will also start delisting existing crypto mining extensions from the store in late June. This allows developers three months to find another way to get their code into browsers.
What does this mean?
For those developers who played by the rules and delivered crypto mining extensions, this is a blow. A number of those developers worked with charities that got a percentage of anything mined. There were also a number of website owners who saw this as an alternative to carrying ads on their website. It will be interesting to see if Google now opens a conversation with them to find an alternative way of generating revenue.
The news will come as a relief for users and IT administrators. They have all seen a significant rise in resource usage, from Internet bandwidth to CPU cycles and power consumption. The key for Google is not just making these announcements but following through.
Blocking and removing is easy. The bigger challenge for Google will be stopping this from happening again. Google admits that much of this happens without user knowledge. It needs to do more testing of extensions before they are allowed in the Chrome Web Store. This means rigorously checking not only v1 of an extension but also all of its updates. As Google knows only too well from Android, malware developers often release well-behaved versions to app stores, only to add the malware code later.
Another question for Google will be detection. The reality is that it won’t stop all the cryptojacking code from getting through. Will it now add code into Chrome to detect when code is injected from a malicious app or extension? That remains to be seen. For now, at least, it is doing something.