Two new reports reveal starkly different opinions on the safety of Chrome browser extensions. Google says that less than 1% of all installations contain malware, while university researchers say that 280 million users installed extensions containing malware over a three-year period. Neither of these numbers fills me with much confidence.
According to Google, there are more than 250,000 extensions available on the Chrome Web Store. Google also says that “less than 1% of all installations from the Chrome Web Store contained malware.” So why don’t I find this as reassuring as it could be?
A recent study by researchers at Stanford University and the CISPA Helmholtz Center for Information Security highlights the worrying proliferation of security-noteworthy browser extensions for Chrome. According to the study, over 346 million users installed such extensions between July 2020 and February 2023. Even after deducting 63 million installations of extensions that violated Web Store policy and three million installations of extensions with vulnerable code, the researchers estimated that there were still 280 million installations of Chrome extensions containing malware.
What researchers say about security-related browser extensions for Chrome
The researchers in question, Sheryl Hsu, Manda Tran and Aurore Fass, published their work on June 18. It is important to note that the study's definition of security-noteworthy extensions (SNE) covers violations of Google's Web Store policies and vulnerable code, as well as extensions that contain malware. However, I am primarily interested in the malware side of the matter, not least because extensions often require elevated permissions that can compromise users' privacy and security, and these requested permissions determine the attack surface of any malicious extension.
"We collected the permissions by analyzing each extension's manifest.json file," the study said. In Manifest V3 the permissions were divided into "permissions (APIs such as storage or cookies) and host permissions (URLs or URL patterns to which an extension wants to make requests)", whereas the earlier Manifest V2 combined both kinds in one list.
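The manifest split described above is easy to check for yourself. The following script is an added example, not code from the study or from Google: it parses a manifest.json, separates API permissions from host permissions for both Manifest V2 (mixed in one list) and V3 (separate keys), and flags grants that enlarge the attack surface. The "sensitive" API list and the two sample manifests are constructed for illustration.

```python
import json

# Match patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose particularly sensitive data (heuristic list, an assumption here).
SENSITIVE_API_PERMISSIONS = {"cookies", "history", "tabs", "webRequest", "clipboardRead"}


def _is_host_pattern(entry: str) -> bool:
    """A host permission is a match pattern such as 'https://*.example.com/*' or '<all_urls>'."""
    return entry == "<all_urls>" or "://" in entry


def summarize_permissions(manifest_text: str) -> dict:
    """Split a manifest into API and host permissions and flag broad or sensitive grants.

    Manifest V3 keeps the two kinds in separate keys ('permissions' and
    'host_permissions'); Manifest V2 mixes host patterns into the single
    'permissions' list, so for V2 they are separated here by their shape.
    """
    manifest = json.loads(manifest_text)
    version = manifest.get("manifest_version", 2)
    declared = list(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    if version < 3:
        hosts += [p for p in declared if _is_host_pattern(p)]
        declared = [p for p in declared if not _is_host_pattern(p)]
    return {
        "manifest_version": version,
        "api_permissions": declared,
        "host_permissions": hosts,
        "broad_host_access": any(h in BROAD_HOST_PATTERNS for h in hosts),
        "sensitive_apis": sorted(set(declared) & SENSITIVE_API_PERMISSIONS),
        "total_grants": len(declared) + len(hosts),
    }


# Constructed sample manifests (not taken from any real extension).
MV2_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "demo-v2",
    "permissions": ["tabs", "cookies", "https://*.example.com/*", "<all_urls>"],
})
MV3_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "demo-v3",
    "permissions": ["storage"], "host_permissions": ["https://mail.example.com/*"],
})

if __name__ == "__main__":
    for text in (MV2_MANIFEST, MV3_MANIFEST):
        print(summarize_permissions(text))
```

Running it against the extensions you actually have installed (each one's manifest.json lives in the browser profile's Extensions directory) shows which of them hold `<all_urls>`-style access, which is the first thing to question when reviewing an extension.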
Not surprisingly, the researchers found that shady extensions tend to require more permissions than harmless ones. “Ultimately, the more permissions an extension has, the larger the attack surface,” the study concluded.
Also troubling, the study found that extensions containing malware were available on the Chrome Web Store for an average of 380 days. One of them, the study found, remained available from December 2013 to June 2022, when it was found to contain malware and was removed.
What Google says about security with Chrome extensions
In a June 20 post on the Google Security Blog, just 48 hours after the researchers published their study, Benjamin Ackerman, Anunoy Ghosh and David Warren of the Chrome security team acknowledged that "extensions, like any other software, can pose risks." But the post also outlines how a dedicated security team works to protect Chrome users from extensions. Google said this team provides users with a personalized summary of installed extensions, reviews all extensions before they can be published to the Chrome Web Store, and monitors them afterward.
A practical example of this is a safety check box at the top of the extensions page that alerts the user to installed extensions that could pose a risk. Google said, "If you don't see a warning box, you probably don't have any extensions to worry about," although the Stanford study rather puts that statement up for debate.
Google's automated process uses machine learning systems to review every extension submitted to the Web Store, after which a human reviewer checks each extension's images, descriptions and public policies. "This review process weeds out the vast majority of bad extensions before they're even published," Google said. "In 2024, less than 1% of all installs from the Chrome Web Store were found to contain malware. We're proud of that record, and yet some bad extensions still get through, which is why we also monitor published extensions."
Four recommendations to ensure the security of your Chrome extensions
Google recommends four measures that Chrome users can take to minimize the risk of malicious extensions:
- Check new extensions before installing them: review the extension's listing and its developer before installation.
- Uninstall extensions you no longer use.
- Limit the sites an extension is allowed to work on.
- Enable Chrome’s Safe Browsing feature’s enhanced protection mode. This mode provides you with protection against phishing and malware, as well as features that protect you from potentially harmful extensions.