Research shows that the risk of getting a malicious extension from the Chrome Store is much higher than what Google indicates

Google this week reassured that vetting Chrome extensions catches most malicious code, even as it acknowledged that “as with any software, extensions can also pose risks.”

Coincidentally, a trio of researchers from Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany have just published a paper on recent data from the Chrome Web Store showing that the risk from browser extensions is much greater than Google admits.

The paper ‘What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions’ is due to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July.

On Thursday, Benjamin Ackerman, Anunoy Ghosh and David Warren of the Chrome Security Team at Google claimed: “By 2024, less than one percent of all installations from the Chrome Web Store were found to contain malware. We are proud of this record and yet there are still some bad extensions coming through, which is why we also monitor published extensions.”

Well, “some bad extensions” turns out to be quite a lot, as defined and measured by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their research paper, Security-Noteworthy Extensions (SNE) are still a serious problem.

An SNE is defined as an extension that contains malware, violates Chrome Web Store policies, or contains vulnerable code. It is therefore a broader category than malicious extensions alone.

Browser extensions have long been a concern because they can access sensitive information. They may be able to see what data enters or leaves your web browser, depending on the permissions granted. They have been used by miscreants to spread malware, track and spy on users, and steal data. But because most extensions are free, there has never been a large revenue stream that browser store operators can use to fund security.

But extension security cannot be ignored. One of the reasons why Google attempted several years ago to redefine the architecture of its browser extensions – an initiative known as Manifest v3 – was to limit the extensions’ potential for abuse.

Yet, despite Google’s efforts, the Chrome Web Store is well stocked with risky extensions, according to the researchers.

These SNEs pose a significant problem: more than 346 million users have installed an SNE in the past three years

“We find these SNEs to be a significant problem: more than 346 million users have installed an SNE in the last three years (280 million malware, 63 million policy violations, and three million vulnerable),” the authors claim. “Furthermore, these extensions remain in the [Chrome Web Store]. This makes thorough checking of extensions and notifying affected users all the more important.”

The authors collected and analyzed data from Chrome extensions available between July 5, 2020 and February 14, 2023. At that time, there were almost 125,000 extensions available in the Chrome Web Store. Thus, these findings do not necessarily reflect the current status of the Chrome Web Store.

The researchers found that Chrome extensions often don’t last long: “only 51.86-62.98 percent of extensions are still available after a year,” the paper says.

But malicious extensions can also be durable. SNEs stay on the Chrome Web Store for an average of 380 days if they contain malware, and 1,248 days if they contain only vulnerable code, the paper said. The longest-lived malicious extension was available on the store for 8.5 years.

“This extension, ‘TeleApp’, was last updated on December 13, 2013 and was found to contain malware on June 14, 2022,” the paper claimed. “This is extremely problematic, as such extensions compromise the security and privacy of their users for years.”

The experts also point out that the store rating system doesn’t seem to be effective at separating good extensions from bad ones. That’s because user ratings for malicious SNEs are not significantly different from benign extensions.

“In general, users do not give SNE lower ratings, suggesting that users may not be aware that such extensions are dangerous,” the authors say. “It’s also possible, of course, that bots are giving fake reviews and high ratings to those extensions. But given that half of SNE has no reviews, it doesn’t appear that the use of fake reviews is widespread in this case.”

Either way, they say, the uselessness of user reviews as a guide to quality underlines the need for more oversight from Google.

One of the authors’ suggestions is that Google check extensions for code similarity. They found thousands of extensions sharing similar code, which they say is generally bad practice. Copying and pasting from Stack Overflow, seeking advice from AI assistants, or simply implementing outdated boilerplate or libraries can spread vulnerable code.

“For example, approximately 1,000 extensions use the open-source Extensionizr project, of which 65 to 80 percent still use the default and vulnerable library versions that were initially shipped with the tool six years ago,” the authors note.

They also point out the “critical lack of maintenance” of the Chrome Web Store extensions – nearly 60 percent of extensions have never been updated, meaning they lack security improvements like those built into the Manifest v3 platform overhaul.

While detecting vulnerable extensions is critical, we also need better incentives to encourage and support developers to fix vulnerabilities

The lack of maintenance means extensions can remain on the store for years after vulnerabilities are exposed. “At least 78/184 extensions (42 percent) are still in the CWS and are still vulnerable two years after disclosure,” the researchers said. “This shows that while detecting vulnerable extensions is critical, we also need better incentives to encourage and support developers to fix vulnerabilities after disclosure.”

And many extensions contain vulnerable JavaScript libraries. The team found that a third of extensions (~40,000) use a JavaScript library with a known vulnerability. “We detect over 80,000 instances of vulnerable library usage, impacting nearly 500 million extension users,” they claim.
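The two maintenance signals the paper reports, an extension still on Manifest v2 and a bundled JavaScript library whose version banner falls in a known-vulnerable range, are both cheap to check mechanically. The scanner below is an added illustration, not the researchers' tooling or anything from Google: it reads an extension package held in memory as a path-to-content map, checks `manifest_version`, and matches library banners against a constructed (placeholder) table of vulnerable versions. The sample extension and the version table are both made up for the example; a real scan would use a maintained advisory feed.

```python
"""Toy scanner for two maintenance signals discussed in the article:
a legacy Manifest v2 extension, and bundled JavaScript libraries whose
version banner sits below a known-fixed version.

Hypothetical example code; the vulnerable-version table and the sample
extension are constructed placeholders, not real advisory data."""
import json
import re
from dataclasses import dataclass

# Constructed table: library -> lowest version treated as fixed.
# Placeholder values for illustration only, not a real advisory feed.
FIXED_FROM = {
    "jquery": (3, 5, 0),
    "bootstrap": (3, 4, 1),
}

# Matches banners such as "jQuery v1.7.2" or "Bootstrap v3.3.7", which
# minified library builds carry in their leading comment.
BANNER_RE = re.compile(r"(?i)\b(jquery|bootstrap)\s+v?(\d+)\.(\d+)\.(\d+)")


@dataclass
class Finding:
    path: str
    library: str
    version: str
    fixed_from: str


def scan_extension(files: dict[str, str]) -> dict:
    """files maps a path inside the extension package to its text content.

    Returns a report with the manifest version, whether the extension is
    still on Manifest v2 (or older), and every bundled library whose banner
    version is below the constructed FIXED_FROM threshold.  A match means
    'review this', not 'exploitable': whether the vulnerable code path is
    reachable depends on which parts of the library the extension uses."""
    manifest = json.loads(files["manifest.json"])
    findings = []
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        head = content[:2000]  # banners sit at the top of the file
        for m in BANNER_RE.finditer(head):
            lib = m.group(1).lower()
            ver = tuple(int(x) for x in m.group(2, 3, 4))
            if lib in FIXED_FROM and ver < FIXED_FROM[lib]:
                findings.append(Finding(
                    path=path,
                    library=lib,
                    version=".".join(map(str, ver)),
                    fixed_from=".".join(map(str, FIXED_FROM[lib])),
                ))
    mv = int(manifest.get("manifest_version", 0))
    return {
        "name": manifest.get("name"),
        "manifest_version": mv,
        "legacy_manifest": mv < 3,
        "vulnerable_libraries": findings,
    }


# Constructed sample extension: an old-style v2 manifest bundling one
# outdated jQuery and one current Bootstrap.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Example Helper (constructed)",
        "manifest_version": 2,
        "background": {"scripts": ["lib/jquery.min.js", "background.js"]},
    }),
    "lib/jquery.min.js": "/*! jQuery v1.7.2 jquery.com | jquery.org/license */\n!function(){}();",
    "lib/bootstrap.min.js": "/*! Bootstrap v3.4.1 (https://getbootstrap.com/) */\n!function(){}();",
    "background.js": "chrome.runtime.onInstalled.addListener(function(){});",
}


if __name__ == "__main__":
    report = scan_extension(SAMPLE_EXTENSION)
    print(f"{report['name']}: manifest_version={report['manifest_version']}"
          f" legacy={report['legacy_manifest']}")
    for f in report["vulnerable_libraries"]:
        print(f"  {f.path}: {f.library} {f.version} (fixed from {f.fixed_from})")
```

Run against the constructed sample, the report flags the Manifest v2 manifest and the bundled jQuery 1.7.2 while leaving Bootstrap 3.4.1 alone. The banner match is deliberately the weakest useful check; Hsu's caveat in the article applies directly to it, so the finding is an input to triage rather than a verdict.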

Sheryl Hsu, a Stanford researcher and co-author of the paper, told The Register in an email that she believes extension security has improved. “I think we are more aware of the risks now (particularly thanks to many researchers discovering vulnerabilities) compared to, say, a decade ago, when extensions were just starting,” she said.

Hsu said she believes it would be worthwhile to flag extensions that have not been updated or that contain vulnerable libraries.

“But it’s also important to exercise some caution, because things that aren’t updated may not be vulnerable (for example, a super simple app that never actually needs to be updated), and just because an extension uses a vulnerable library doesn’t mean the vulnerability can be exploited,” she said. “It really depends on which parts of the library an extension uses.

“I think a difficult part of cybersecurity is always figuring out how to give the user the right information to make informed choices, but also realizing that many users don’t have the technical knowledge or time to delve deeply into this kind of stuff.”

Hsu added: “I think deactivating Manifest v2 should definitely help with these issues, I hope they do this soon.”

Chrome Manifest v2 extensions are expected to stop working in general release Chrome (stable channel) in early 2025, barring further delays.

This is what a Google spokesperson told The Register on Friday:

“We also recently launched new tools that further increase user awareness of potentially risky extensions, and we will continue to invest in this area,” the representative added. ®