
‘Substantial risk of malicious extensions in Chrome Web Store’


According to security researchers, the risk of users downloading a malicious browser extension from the Chrome Web Store (CWS) is higher than previously thought. Google says it is already taking action and that less than 1 percent of extensions today contain malware.

In a study based on data from 2020-2023, security researchers from Stanford University in the U.S. and the CISPA Helmholtz Center for Information Security in Germany find that the CWS contains quite a few malicious extensions. Some of these browser extensions contain malware, while others violate certain policies or are vulnerable due to bugs.

Malicious extensions remained available for a long time

During the period studied, 346 million Chrome browser users installed an extension. Of all the installed extensions, 280 million contained malware, 63 million violated policies, and another 3 million were vulnerable.

Often, these particular extensions remain in the CWS for years, a possible indication that Google’s extension review process is not quite up to scratch.

Even after malicious, policy-breaking and vulnerable extensions are discovered, they remain in the CWS for a long time, the researchers further indicate. About 42 percent of these extensions are still installable two years after they are found. The longest period a malicious extension remained in the store after its discovery was 8.5 years.

Many of the extensions in the CWS at issue contain vulnerable JavaScript libraries. A third of all CWS extensions use a JavaScript library with a known vulnerability. The researchers discovered more than 80,000 cases that impacted 500 million end users.

In their study, the researchers call on Google to do more about the security of CWS extensions, for example by scanning them for code duplicated across extensions. Many extensions share the same code, so a flaw in one copy is repeated in every extension that embeds it. Copying and pasting from Stack Overflow, advice from AI assistants, and the unmodified use of outdated boilerplate or libraries all encourage the spread of vulnerable code.

According to the researchers, improving the review process for extensions and notifying potentially affected end users is very important.

Furthermore, Google should address the lack of maintenance of many extensions. About 60 percent of the extensions surveyed reportedly never received an update and missed certain security updates. This includes Google’s Manifest V3 extension platform revision. Also, extensions based on the old Manifest V2 extension platform ought to be scrapped, say the researchers.

Google comments on the issue

In response, Google indicates that the security of extensions in the CWS is in good shape. This year, less than 1 percent of extensions were potentially vulnerable. However, Google acknowledges that the CWS is not completely clean, as extensions—like all software—‘can always contain some risk’.

The tech giant is taking measures such as providing users with a personal overview of all their installed extensions, thoroughly examining extensions (both automatically and by human experts) before they enter the CWS, and continually checking them after they go live.

In a response to The Register, Google says it will no longer support outdated Manifest V2 extensions starting this month, and that Manifest V3 fixes many of the aforementioned problems. Google also says it has recently introduced new tooling that better alerts users to potentially risky extensions. The company says it will continue to invest in this tooling.
