Google bans Chrome cryptocurrency mining extensions - gHacks Tech News

Google bans Chrome cryptocurrency mining extensions

James Wagner, Google Chrome Extensions Platform Product Manager, announced yesterday that Google decided to ban cryptocurrency mining extensions in the company's Chrome Web Store.

Cryptocurrency mining in the browser context is a relatively new phenomenon but one that is on the rise. One has to distinguish between mining scripts that run as scripts on websites and mining extensions that get installed in the browser by users or malicious actors.

Website mining scripts make up the bulk of mining activity of browsers. Website mining happens automatically in the background provided that the mining script or connection to mining servers is not blocked.

You have to distinguish between user installed mining extensions that were installed for the purpose, and extensions that were installed by third-parties or downloaded mining components after user installation.

The former type is installed with user approval, the latter without.

cryptocurrency mining chrome

Google allowed mining extensions in the Chrome Web Store provided that mining was "the extension's single purpose" and that the user was "adequately informed" about the mining nature of the extension.

About 90% of all mining extensions uploaded to the Chrome Store did not meet Google's policies in regards to mining extensions. The extensions were either rejected outright or removed from Store after the fact.

The decision was made to ban cryptocurrency mining extensions from the Chrome Web Store because of that. Chrome's Web Store won't accept extensions anymore that mine cryptocurrency in the web browser. Extensions that are listed in the Chrome Web Store currently will be removed by Google in the coming months (late June).

The change won't affect non-mining extensions that deal with blockchain or mining related topics such as cryptocurrency exchange rates or news.

Closing Words

James Wanger, on behalf of Google, failed to disclose how the company wants to ensure that mining extensions won't find their way into the Store anymore. The Store has a track record of being abused by malicious actors, often in form of browser extensions that downloaded additional modules when run by users.

Google's Web Store uses algorithms to check and verify uploaded extensions. Threat actors managed to bypass the automatic checks time and time again; the situation got worse in recent time with the rise of cryptomining extensions and Google promised recently that it would do something about that.

It remains to be seen how well Google's algorithm is at detecting cryptomining extensions. While it will block the bulk of extensions I would not hold by breath that it will have a 100% detection track record.

Now You: have you encountered mining extensions or sites?

Related articles

Summary
Google bans Chrome cryptocurrency mining extensions
Article Name
Google bans Chrome cryptocurrency mining extensions
Description
James Wagner, Google Chrome Extensions Platform Product Manager, announced yesterday that Google decided to ban cryptocurrency mining extensions in the company's Chrome Web Store.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. John Fenderson said on April 3, 2018 at 4:54 pm
      Reply

      “have you encountered mining extensions or sites?”

      I don’t know. I use NoScript to block all scripts by default, and only enable specific ones if they’re absolutely necessary. I may have come across them, but they wouldn’t have been able to run.

      1. Paul(us) said on April 4, 2018 at 11:20 am
        Reply

        I know of the existence of the extension No-Script Suite Lite (Version: 0.2.8 – updated March 28) for Chrome 65 does it do the same as the NoScript (Version 10.1.7.5) I use for Mozilla Firefox 59.0.2?

        Is there already a NoScript (full) version available for chrome 65 if the light version is not capable of the same protection as the for FireFox 59 available version?
        Did I miss that?
        I use Umatrix but I rather use NoScript also in Chrome 65.

        1. Geraldo said on April 4, 2018 at 4:55 pm
          Reply

          No, NoScript can’t exist in Chrome as add-ons don’t have as much control than in Firefox. The author of NoScript is Giorgio Maone, the No-Script Suite Lite is a different extension altogether made by someone else. I’d stay on known ground with uMatrix, if I was a Chrome user.

          That said, uMatrix on Chrome is not quite the same as on Firefox either but I wouldn’t be able to tell you exactly how without wasting time looking at source codes. Either way, I doubt you can find a better content and script blocker on Chrome so that’s what I’d use along with uBlock Origin.

        2. gorhill said on April 7, 2018 at 2:54 pm
          Reply

          > uMatrix on Chrome is not quite the same as on Firefox either but I wouldn’t be able to tell you

          It is the same.

          Side note: one can disable web workers globally (one of the per-scope switches) and allow only if needed. Most cryptominers execute in web workers, some of them as first-party. This way one can allow first-party scripts and still block cryptominers.

        3. Geraldo said on April 4, 2018 at 5:11 pm
          Reply

          Actually I just spent literally one minute in the source and found this:

          send: function(channelName, message, callback) {
          // Too large a gap between the last request and the last response means
          // the main process is no longer reachable: memory leaks and bad
          // performance become a risk — especially for long-lived, dynamic
          // pages. Guard against this.
          if ( this.pending.size > 25 ) {
          vAPI.shutdown.exec();
          }

          On Chrome, the addon can actually stop sending messages to Chrome (assuming vAPI refers to the underlying browser API) if conditions are met regarding the message queue getting too long. The culprit would then be Chrome, not uMatrix, so ditching uMatrix doesn’t seem like a solution.

          If you look at the same code in Firefox’s uMatrix, there is no such shutdown, every message is processed.

          What does not processing messages mean ? I don’t know, I don’t want to dive into the source code. Worst case scenario it means the add-on’s ability to filter web content is hampered in certain edge cases on Chrome.

          We’d either need to look the source code properly or ask author Gorhill to waste some of his time giving insight.

        4. gorhill said on April 7, 2018 at 2:56 pm
          Reply

          > same code in Firefox’s uMatrix

          You are probably looking at the no longer maintained Firefox/legacy version. The Firefox/webext version is under the /platform/webext directory.

    Leave a Reply