Google said this week that its review process for Chrome extensions catches most malicious code, while acknowledging that “extensions, like any other software, can pose risks.”
Coincidentally, a trio of researchers from Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany have just published a paper on recent data from the Chrome Web Store suggesting that the risk posed by browser extensions is far greater than Google admits.
The paper, “What’s in the Chrome Web Store? Investigating security-related browser extensions,” is scheduled to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July.
On Thursday, Benjamin Ackerman, Anunoy Ghosh and David Warren of Google’s Chrome Security Team said: “In 2024, less than one percent of all installations from the Chrome Web Store were found to contain malware. We are proud of this record, and yet some malicious extensions get through, which is why we also monitor published extensions.”
Well, “some malicious extensions” turns out to be quite a lot, as researchers Sheryl Hsu, Manda Tran, and Aurore Fass define and measure it. As they describe in their paper, what they call Security-Noteworthy Extensions (SNEs) remain a serious problem.
An SNE is defined as an extension that contains malware, violates Chrome Web Store policies, or contains vulnerable code, so the category is broader than malicious extensions alone.
Browser extensions have long been a cause for concern because of their access to sensitive information: depending on the permissions granted, an extension may be able to read the data going into and out of the browser. Criminals have used them to distribute malware, track and spy on users, and steal data. And because most extensions are free, browser store operators have never had a major revenue stream to fund their security work.
Even so, extension security cannot be ignored. One of the reasons Google began redefining its browser extension architecture a few years ago, an initiative called Manifest v3, was to limit the potential for abuse.
Nevertheless, despite Google's efforts, the Chrome Web Store is full of risky extensions, the researchers say.
“We find that these SNEs represent a significant problem: over 346 million users have installed an SNE in the last three years (280 million malware, 63 million policy violations, and three million vulnerabilities),” the authors write. “In addition, because these extensions remain in the [Chrome Web Store], it is all the more important to thoroughly review extensions and notify affected users.”
The authors collected and analyzed data on Chrome extensions available between July 5, 2020, and February 14, 2023. The dataset covers nearly 125,000 extensions that were in the Chrome Web Store during that window, so the results do not necessarily reflect its current state.
The researchers found that Chrome extensions often do not remain available for very long: “Only 51.86–62.98 percent of extensions are still available after one year,” the paper states.
But malicious extensions can also be long-lived. SNEs stay in the Chrome Web Store for an average of 380 days if they contain malware and 1,248 days if they merely contain vulnerable code, according to the paper. The malicious extension that survived the longest was available in the store for 8.5 years.
“This extension, ‘TeleApp,’ was last updated on December 13, 2013, and contained malware on June 14, 2022,” the paper says. “This is extremely problematic because such extensions put the security and privacy of their users at risk for years.”
The researchers also point out that the store's rating system does not appear to be effective at distinguishing good extensions from bad ones: user ratings for SNEs do not differ significantly from those of harmless extensions.
“Overall, users do not give SNE lower ratings, suggesting that users may not be aware of the danger of such extensions,” the authors state. “Of course, it is also possible that bots give these extensions false, high ratings. However, considering that half of the SNEs have no ratings, the use of false ratings does not seem to be widespread in this case.”
They argue that the unreliability of user ratings as a quality signal underscores the need for closer oversight by Google.
One of the authors' suggestions is that Google monitor extensions for code similarity. They found thousands of extensions sharing similar code, which matters because a flaw in shared code is replicated everywhere it is copied: pasting from Stack Overflow, following advice from AI assistants, or simply shipping outdated boilerplate or libraries can spread vulnerable code across many extensions.
“For example, about 1,000 extensions use the open source Extensionizr project, of which 65–80 percent still use the default and vulnerable library versions originally packaged with the tool six years ago,” the authors note.
They also criticize the “critical lack of maintenance” of Chrome Web Store extensions – nearly 60 percent of extensions have never been updated, meaning they miss out on security improvements like those built into the Manifest v3 platform revision.
The lack of maintenance means that extensions can remain in the store for years after vulnerabilities are disclosed. “At least 78 of 184 extensions (42 percent) are still in the CWS two years after the vulnerabilities were disclosed and are still vulnerable,” the researchers said. “This shows that while identifying vulnerable extensions is critical, we also need better incentives to encourage and support developers to fix vulnerabilities after the vulnerabilities are disclosed.”
And many extensions contain vulnerable JavaScript libraries. The team found that a third of extensions (~40,000) use a JavaScript library with a known vulnerability. “We found over 80,000 uses of vulnerable libraries, affecting nearly 500 million extension users,” they write.
Sheryl Hsu, a Stanford University student and co-author of the study, told The Register in an email that she believes extension security has improved. “I think we are more aware of the risks today (especially thanks to many researchers who have discovered vulnerabilities) than we were, say, 10 years ago when extensions were just emerging,” she said.
Hsu said she believes it would be useful to flag extensions that have not been updated or that contain vulnerable libraries.
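The kind of library check the paper describes can be approximated with a small script. The following is an added example written for this article, not the researchers' tooling or anything from Google: a Node.js scanner that reads an unpacked extension's manifest, lists the scripts it loads, matches library version banners against a small table of vulnerable version ranges, and then checks whether any other loaded script actually calls the affected API, since a vulnerable library that is never invoked through the affected surface is not exploitable on its own. The sample extension, its file contents and the single table entry are constructed for the example; the jQuery range is illustrative (jQuery's fix for unsanitized HTML in its DOM manipulation methods landed in 3.5.0), and the table is not a substitute for a real advisory database.

```javascript
// Added example: scan an unpacked Chrome extension for bundled JavaScript
// libraries whose version falls in a known-vulnerable range, and report
// whether any loaded script actually uses the affected API.
// Node.js, no dependencies. Everything below is constructed for the example.
'use strict';

// Constructed sample extension: a Manifest v2 extension bundling an old jQuery.
const SAMPLE_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 2,
    name: 'Sample Notes Helper',
    version: '1.0.3',
    background: { scripts: ['jquery.js', 'background.js'] },
    content_scripts: [{ matches: ['<all_urls>'], js: ['jquery.js', 'content.js'] }],
  }),
  'jquery.js': '/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n' +
               'window.jQuery = window.$ = function () {};',
  'content.js': "$('#notes').html(document.title + location.hash);",
  'background.js': "console.log('ready');",
};

// Illustrative table, not an advisory feed. One entry: jQuery before 3.5.0
// passed untrusted HTML through its DOM manipulation methods unsanitized.
const VULNERABLE_LIBRARIES = [
  {
    library: 'jQuery',
    banner: /jQuery v(\d+\.\d+\.\d+)/,
    fixedIn: '3.5.0',
    affectedApis: ['.html(', '.append(', '.prepend(', '.after(', '.before(', '.replaceWith('],
  },
];

// Numeric dotted-version comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every script the manifest loads (background + content scripts), deduplicated,
// in manifest order. Handles both MV2 background.scripts and MV3 service_worker.
function listScripts(manifest) {
  const scripts = [];
  for (const s of manifest.background?.scripts || []) scripts.push(s);
  if (manifest.background?.service_worker) scripts.push(manifest.background.service_worker);
  for (const cs of manifest.content_scripts || []) for (const s of cs.js || []) scripts.push(s);
  return [...new Set(scripts)];
}

// One finding per (vulnerable library, file that bundles it). The finding
// also records which other loaded scripts reference the affected API, so a
// reviewer can separate "ships an old library" from "actually reachable".
function scanExtension(files) {
  const manifest = JSON.parse(files['manifest.json']);
  const scripts = listScripts(manifest);
  const findings = [];
  for (const entry of VULNERABLE_LIBRARIES) {
    for (const name of scripts) {
      const m = entry.banner.exec(files[name] || '');
      if (!m) continue;
      const version = m[1];
      if (compareVersions(version, entry.fixedIn) >= 0) continue; // patched version
      const callers = scripts.filter(s => s !== name &&
        entry.affectedApis.some(api => (files[s] || '').includes(api)));
      findings.push({
        library: entry.library, version, fixedIn: entry.fixedIn, file: name,
        manifestVersion: manifest.manifest_version,
        affectedApiUsedBy: callers,
      });
    }
  }
  return findings;
}

for (const f of scanExtension(SAMPLE_EXTENSION)) {
  console.log(`${f.library} ${f.version} (fixed in ${f.fixedIn}) bundled in ${f.file}, ` +
    `manifest v${f.manifestVersion}; ` +
    (f.affectedApiUsedBy.length
      ? `affected API used by ${f.affectedApiUsedBy.join(', ')}`
      : 'affected API not referenced by any loaded script'));
}
```

On the constructed sample this reports the old jQuery build and names content.js as the script that feeds page-controlled data into .html(), which is the distinction a triage process needs: a banner match alone flags the library, the caller list says whether anyone should care. Against a real unpacked extension the `SAMPLE_EXTENSION` object would be replaced by reading the directory with `fs`, and the table by a maintained advisory source.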
“But it’s also important to exercise some caution, as things that aren’t updated may not be vulnerable (for example, a super simple app that never actually needs to be updated) and just because an extension uses a vulnerable library doesn’t mean the vulnerability can be exploited,” she said. “It really depends on what parts of the library an extension uses.”
“I think a difficult aspect of cybersecurity is always figuring out how to give the user the right information so they can make informed decisions, but at the same time you have to be aware that many users don’t have the technical knowledge or the time to delve deeper into this kind of thing.”
Hsu added: “I think disabling Manifest v2 should definitely help with these issues. I hope that happens soon.”
Unless there are further delays, Chrome Manifest v2 extensions will stop working in the stable channel of Chrome in early 2025.
A Google spokesperson told The Register on Friday:
“We have also recently launched new tools to further alert users to potentially risky extensions and will continue to invest in this area,” the spokesperson added. ®