The risk of users downloading a malicious browser extension from the Chrome Web Store (CWS) is higher than previously thought, security researchers say. Google points out that it is already taking action and that less than 1 percent of extensions currently contain malware.
In an investigation based on data from 2020 to 2023, security researchers from Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany found that the CWS contains a considerable number of problematic extensions. These are not only extensions that spread malware, but also extensions that violate store policies and extensions that are vulnerable.
Long-lived malicious extensions
During the period studied, a total of 346 million Chrome users installed such an extension: 280 million installed one containing malware, 63 million installed one that violated policies, and another 3 million installed one that was vulnerable.
These extensions often remain in the CWS for years, which suggests that Google's review process for extensions is not entirely sound.
The researchers also point out that even after malicious, policy-violating and vulnerable extensions are discovered, they remain in the CWS for a long time. About 42 percent of these extensions can still be installed two years after they were identified. The longest-lived malicious extension detected had been present in the CWS for 8.5 years.
Many of the extensions in question contain vulnerable JavaScript libraries. One-third of all CWS extensions use a JavaScript library with a known vulnerability. The researchers found more than 80,000 such cases, affecting 500 million extension users.
Possible measures
In their study, the researchers call on Google to do more to improve the security of CWS extensions, for example by scanning the store for similar or identical code. Many extensions contain the same code, so a single flaw recurs across many of them. Copy/paste from Stack Overflow, tips from AI assistants, and simply reusing boilerplate or outdated libraries all contribute to the spread of vulnerable code.
According to the researchers, it is very important to improve the review process for add-ons and to notify potentially affected end users.
Furthermore, Google needs to do something about the lack of maintenance of many extensions. About 60 percent of the add-ons examined have never received an update and so missed security improvements, including the move to Google's Manifest V3 extension platform. Extensions still based on the old Manifest V2 platform should also be removed from the store. So there is a lot of work to be done.
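The two checks the researchers describe, looking for known-vulnerable bundled libraries and for identical code recurring across extensions, can be combined in one small audit script. The following is an added example, not tooling from the study or from Google; the extension bundles, the vulnerable-version list and the banner patterns are all constructed for illustration, and a real audit would read unpacked extension directories from disk and take its version list from an advisory database.

```python
"""Added example (not the researchers' or Google's tooling): audit a set of
unpacked Chrome extensions for two of the problems described above.

1. bundled JavaScript libraries whose version is on a known-vulnerable list
2. identical script files shared across several extensions (copy/paste and
   boilerplate reuse), so one flaw can be located everywhere it recurs

The extensions below are constructed inline as {path: content} dictionaries
so the script runs offline.
"""
import hashlib
import re
from collections import defaultdict

# Constructed list of (library, vulnerable version) pairs. A real audit would
# load this from an advisory feed rather than hard-code it.
VULNERABLE_VERSIONS = {
    ("jquery", "1.12.4"),
    ("lodash", "4.17.15"),
}

# Library banners as they typically appear at the top of a minified bundle.
# Written for the constructed samples below; other libraries and banner
# styles would need their own patterns.
BANNER_PATTERNS = {
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)"),
    "lodash": re.compile(r"lodash(?:\.js)? (?:v|@)(\d+\.\d+\.\d+)", re.IGNORECASE),
}


def bundled_libraries(js_source):
    """Return {library: version} for every recognised banner in js_source."""
    found = {}
    for lib, pattern in BANNER_PATTERNS.items():
        match = pattern.search(js_source)
        if match:
            found[lib] = match.group(1)
    return found


def vulnerable_libraries(extension):
    """List (file, library, version) triples for vulnerable bundled libraries."""
    hits = []
    for path, content in extension.items():
        if not path.endswith(".js"):
            continue
        for lib, version in bundled_libraries(content).items():
            if (lib, version) in VULNERABLE_VERSIONS:
                hits.append((path, lib, version))
    return sorted(hits)


def _fingerprint(js_source):
    # Strip all whitespace so a re-indented copy still hashes identically.
    normalized = re.sub(r"\s+", "", js_source)
    return hashlib.sha256(normalized.encode()).hexdigest()


def shared_code(extensions):
    """Map fingerprint -> sorted (extension_id, path) list for script files
    that occur in more than one extension."""
    by_hash = defaultdict(list)
    for ext_id, files in extensions.items():
        for path, content in files.items():
            if path.endswith(".js"):
                by_hash[_fingerprint(content)].append((ext_id, path))
    return {h: sorted(locs) for h, locs in by_hash.items()
            if len({ext for ext, _ in locs}) > 1}


# Constructed sample extensions.
JQUERY_OLD = "/*! jQuery v1.12.4 | (c) jQuery Foundation */\nvar $=function(){};"
HELPER = "function sendStats(u){\n  fetch(u, {method:'POST'});\n}"

EXTENSIONS = {
    "ext-aaaa": {"manifest.json": "{}", "lib/jquery.min.js": JQUERY_OLD,
                 "helper.js": HELPER},
    "ext-bbbb": {"manifest.json": "{}",
                 "helper.js": HELPER.replace("\n  ", "\n")},  # re-indented copy
    "ext-cccc": {"manifest.json": "{}",
                 "vendor.js": "/** lodash v4.17.21 */\nvar _={};"},  # patched version
}


def audit(extensions):
    """Summarise findings: vulnerable libraries per extension and shared script groups."""
    return {
        "vulnerable": {ext: vulnerable_libraries(files)
                       for ext, files in extensions.items()
                       if vulnerable_libraries(files)},
        "shared": list(shared_code(extensions).values()),
    }


if __name__ == "__main__":
    report = audit(EXTENSIONS)
    for ext, hits in report["vulnerable"].items():
        print(ext, "bundles vulnerable library:", hits)
    for group in report["shared"]:
        print("identical script found in:", group)
```

The whitespace-insensitive hash is deliberately crude: it catches verbatim and re-indented copies, which is what boilerplate reuse usually produces, but not copies that were renamed or re-minified. A store-scale scanner would add a tokenised or AST-level similarity measure on top of this first pass.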
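An auditor who wants to see which unmaintained add-ons were never migrated to Manifest V3 can lint their manifests for the Manifest V2 constructs that V3 no longer allows. The script below is an added example, not code from Google or from the study; the two manifests it checks are constructed samples, one written for Manifest V2 and the same extension rewritten for Manifest V3.

```python
"""Added example (not Google's or the researchers' tooling): flag Manifest V2
constructs that the Manifest V3 platform no longer allows. The two manifests
at the bottom are constructed samples of the same extension before and after
migration."""
import json


def manifest_issues(manifest):
    """Return a list of human-readable findings for a parsed manifest dict."""
    issues = []
    version = manifest.get("manifest_version")
    if version != 3:
        issues.append(f"manifest_version is {version}; Manifest V3 requires 3")

    background = manifest.get("background", {})
    if "scripts" in background or "page" in background:
        issues.append("background uses scripts/page; V3 uses a service_worker")
    if background.get("persistent") is not None:
        issues.append("background.persistent is not allowed in V3")

    for key in ("browser_action", "page_action"):
        if key in manifest:
            issues.append(f"{key} is replaced by the unified 'action' key in V3")

    # In V3, host match patterns move out of "permissions" into "host_permissions".
    host_like = [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    if host_like:
        issues.append(f"host patterns must move to host_permissions: {host_like}")

    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        issues.append("content_security_policy must be an object keyed by "
                      "'extension_pages' in V3")
        if "http" in csp:
            issues.append("CSP allows remote script sources; V3 forbids "
                          "remotely hosted code")
    return issues


# Constructed sample: a typical Manifest V2 extension.
MV2_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Constructed sample (V2)",
  "version": "1.0",
  "background": {"scripts": ["bg.js"], "persistent": true},
  "browser_action": {"default_popup": "popup.html"},
  "permissions": ["storage", "tabs", "https://*/*"],
  "content_security_policy": "script-src 'self' https://cdn.example; object-src 'self'"
}""")

# Constructed sample: the same extension after migration to Manifest V3.
MV3_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Constructed sample (V3)",
  "version": "2.0",
  "background": {"service_worker": "bg.js"},
  "action": {"default_popup": "popup.html"},
  "permissions": ["storage", "tabs"],
  "host_permissions": ["https://*/*"],
  "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}
}""")


if __name__ == "__main__":
    for name, manifest in (("V2", MV2_MANIFEST), ("V3", MV3_MANIFEST)):
        print(name, manifest_issues(manifest) or ["no migration issues found"])
```

The remote-code finding is the one that matters most for the problems described in the article: a V2 manifest whose CSP admits a third-party CDN can load script that changes after review, whereas V3 requires all executable code to ship inside the extension package.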
Google's response
In response, Google says the security of extensions in the CWS is good: this year, less than 1 percent of submitted add-ons were found to contain malware. Google admits that the CWS is not completely clean, since add-ons, like all software, "can always contain risks."
The tech giant takes measures such as offering users a personalized overview of all their installed extensions, thoroughly vetting extensions (automatically or by human reviewers) before they end up in the CWS, and continuously monitoring these extensions after publication.
In its response to The Record, Google points out that the old Manifest V2 extensions are no longer supported as of this month and that Manifest V3 solves many of the problems mentioned. Google also says it recently introduced new tools that better alert users to potentially risky extensions, and that it will continue to invest in these tools.
Read also: Privacy activist says Chrome extensions platform is ‘misleading’.