The risk of getting a malicious extension from the Chrome store is much worse than Google lets on, study finds

This week, Google offered reassurance that Chrome’s extension check catches most malicious code, although it acknowledged that “as with any software, extensions can also introduce risk.”

Coincidentally, a trio of researchers associated with Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany have just published a paper on recent Chrome Web Store data that suggests the risk posed by browser extensions is much larger than Google admits.

The report, ‘What’s on the Chrome Web Store? A Survey of Security-Notable Browser Extensions’, is scheduled to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July.

On Thursday at Google, Benjamin Ackerman, Anunoy Ghosh and David Warren of the Chrome security team said: “In 2024, less than one percent of all installations from the Chrome Web Store were found to contain malware. We’re proud of that record, and yet some bad extensions still get through, which is why we’re also monitoring published extensions.”

Well, “some bad extensions” turn out to be quite a few, as determined and measured by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their research paper, security-notable extensions (SNEs) are still a serious problem.

An SNE is defined as an extension that contains malware, violates the Chrome Web Store policy, or contains vulnerable code. Therefore, it is a broader category than just a set of malicious extensions.

Browser extensions have long been a cause for concern because they have access to sensitive information. They may be able to see the data coming in or out of your web browser, depending on the permissions granted. They have been used by criminals to distribute malware, track and spy on users, and steal data. But since most extensions are free, there’s never been much of a revenue stream that browser store operators can use to fund security.

But the security of extensions cannot be ignored. One of the reasons Google undertook its effort to redefine its browser extension architecture a few years ago—an initiative known as Manifest v3—was to curb extension abuse.

Nevertheless, the Chrome Web Store, despite Google’s efforts, was well-stocked with risky extensions, according to researchers.

“We find that these SNEs are a significant problem: over 346 million users have installed SNEs in the past three years (280 million malware, 63 million policy violations, and three million vulnerabilities),” the authors say. “Furthermore, these extensions remain in the [Chrome Web Store] for years, which makes thoroughly testing extensions and notifying affected users even more critical.”

The authors collected and analyzed data from Chrome extensions available between July 5, 2020 and February 14, 2023, at which time there were almost 125,000 extensions available on the Chrome Web Store. So these findings don’t necessarily reflect the current state of the Chrome Web Store.

The researchers found that Chrome extensions often didn’t stick around very long: “only 51.86-62.98 percent of extensions were still available after one year,” the report said.

But malicious extensions can also be long-lived. SNEs remain in the Chrome Web Store for an average of 380 days if they contain malware and 1,248 days if they simply contain vulnerable code, according to the paper. The longest surviving malicious extension was available in the store for 8.5 years.

“This ‘TeleApp’ extension was last updated on December 13, 2013, and was found to contain malware on June 14, 2022,” the paper claimed. “This is extremely problematic because such extensions have been putting the security and privacy of their users at risk for years.”

Boffins also point out that the store’s rating system doesn’t seem effective at separating the good extensions from the bad ones, because user ratings for malicious SNEs are not significantly different from those of benign extensions.

“Overall, users did not give SNE lower ratings, suggesting that users may not know that such extensions are dangerous,” the authors state. “Of course, it’s also possible for bots to give fake reviews and high ratings to these extensions. But given that half of SNEs have no reviews, it seems that the use of fake reviews is not widespread in this case.”

In any case, they say, the uselessness of user reviews as a guide to quality underscores the need for more oversight by Google.

One of the authors’ suggestions is that Google monitor extensions for code similarity. They found thousands of extensions that share similar code, which they point out as generally bad practice. Copying and pasting from Stack Overflow, taking advice from AI assistants, or simply implementing outdated boilerplate or libraries can spread vulnerable code.

“For example, approximately 1,000 extensions use the open source Extensionizr project, 65–80 percent of which still use the standard and vulnerable library versions originally packaged with the tool six years ago,” the authors note.

They also point out the “critical lack of support” of Chrome Web Store extensions — nearly 60 percent of extensions have never been updated, meaning they miss security improvements like those built into the Manifest v3 platform revision.

The lack of support means that extensions can remain in the store for years after vulnerabilities are disclosed. “At least 78/184 extensions (42 percent) are still in CWS and still vulnerable two years after disclosure,” the researchers said. “This shows that while the discovery of vulnerable extensions is critical, we also need better incentives to encourage and support developers to patch vulnerabilities once they are discovered.”

And many extensions include vulnerable JavaScript libraries. The team found that a third of the extensions (~40,000) used a JavaScript library with a known vulnerability. “We detect over 80,000 uses of vulnerable libraries affecting almost 500 million extension users,” they claim.
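Two of the signals the study counts, a manifest that was never migrated from Manifest v2 and bundled libraries left at old versions, are cheap to check on an unpacked extension directory. The following Python audit is an added example, not code from the paper or from Google: the version thresholds, the sample extension it writes, and the banner regex (which only recognises jQuery and Lodash) are constructed for illustration.

```python
"""Audit an unpacked Chrome extension for two risk signals the study counts: a
Manifest v2 manifest and bundled JavaScript libraries whose banner version is
older than a patched release. Added example; thresholds are a constructed placeholder."""
import json
import re
import tempfile
from pathlib import Path

# Constructed placeholder table (library -> first release treated as patched).
# A real audit would load this from an advisory feed such as retire.js data.
MIN_SAFE_VERSION = {"jquery": (3, 5, 0), "lodash": (4, 17, 21)}
# Matches banners such as "/*! jQuery v1.8.3" or " * lodash 4.17.21".
BANNER_RE = re.compile(r"(?i)\b(jquery|lodash)[ @/v]*v?(\d+)\.(\d+)\.(\d+)")

def audit_extension(ext_dir):
    """Return human-readable findings for the unpacked extension at ext_dir."""
    ext_dir = Path(ext_dir)
    findings = []
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    mv = manifest.get("manifest_version", 0)
    if mv < 3:
        findings.append(f"manifest_version {mv}: not migrated to Manifest v3")
    for js in sorted(ext_dir.rglob("*.js")):
        # Library banners sit at the top of the file, so the head is enough.
        head = js.read_text(encoding="utf-8", errors="replace")[:4000]
        for m in BANNER_RE.finditer(head):
            lib = m.group(1).lower()
            ver = tuple(int(x) for x in m.groups()[1:])
            if ver < MIN_SAFE_VERSION[lib]:
                findings.append(f"{js.relative_to(ext_dir).as_posix()}: {lib} "
                                f"{'.'.join(map(str, ver))} below patched "
                                f"{'.'.join(map(str, MIN_SAFE_VERSION[lib]))}")
    return findings

def build_sample_extension(root):
    """Write a constructed Manifest v2 extension bundling an old jQuery into root."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    manifest = {"manifest_version": 2, "name": "sample", "version": "1.0"}
    (Path(root) / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (lib / "jquery.min.js").write_text("/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n")
    (lib / "lodash.min.js").write_text("/**\n * @license\n * lodash 4.17.21\n */\n")
    return root

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extension(build_sample_extension(tmp))

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

As Hsu notes later in the piece, a flagged library version is a prompt to look closer, not proof that the vulnerable code path is reachable from the extension.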

Sheryl Hsu, a Stanford researcher and co-author of the paper, told The Register in an email that she thinks extension security is improving. “I think we’re more aware of the risks now (especially thanks to a lot of researchers finding vulnerabilities) compared to say 10 years ago when extensions were just starting,” she said.

Hsu said she believes flagging extensions that haven’t been updated or that contain vulnerable libraries would be worthwhile.

“But it’s also important to exercise some caution, because things that don’t get updated might not be vulnerable (like a super simple app that should never actually be updated) and just because an extension uses some vulnerable library, doesn’t mean the vulnerability can be exploited,” she said. “It really depends on what parts of the library an extension uses.

“I think a difficult part of cybersecurity is always figuring out how to give the user the right information to make an informed choice, but we also realize that many users don’t have the technical knowledge or time to dig into things like this.”

Hsu added: “I think disabling Manifest v2 should definitely help with these issues, hopefully they will soon.”

Chrome Manifest v2 extensions should stop working in the general version of Chrome (stable channel) in early 2025, barring further delays.

A Google spokesperson told The Register on Friday:

“We’ve also recently launched new tools that bring even more awareness to users about potentially risky extensions, and we’ll continue to invest in this area,” the representative added. ®