How safe are Google Chrome extensions?
Two new reports reveal markedly different opinions about the security of Chrome browser extensions. Google says less than 1% of all installations contain malware, while university researchers say 280 million users installed extensions containing malware over a three-year period. Neither figure gives me much confidence.
According to Google, there are more than 250,000 extensions available in the Chrome web store. Google also says that “less than 1% of all installations from the Chrome Web Store were found to contain malware,” so why don’t I find this as reassuring as I could?
A recent paper from researchers at Stanford University and the CISPA Helmholtz Center for Information Security highlights the concerning prevalence of browser extensions for Chrome that are security notable. According to the study, more than 346 million users installed these types of extensions between July 2020 and February 2023. Even after deducting 63 million policy violations and three million with vulnerable code, the researchers estimate that there were still 280 million installations of Chrome extensions containing malware. .
What the researchers say about security-notable browser extensions for Chrome
The researchers in question, Sheryl Hsu, Manda Tran and Aurore Fass, published their paper on June 18. It is important to note that the investigation includes violations of Google’s online store policies and vulnerable code, along with extensions containing malware in the SNE definition. . However, I’m most interested in the malware side of things. Not least because extensions often require advanced permissions that can impact user privacy and security, and it is these requested permissions that define the attack surface for any malicious extension.
“We collected permissions by parsing the manifest.json file of each extension,” the study reports, dividing the manifest V3 permissions into “permissions (APIs such as storage or cookies) and host permissions (URLs or URL patterns where want to request an extension). )” with both combined in the earlier manifesto V2.
Unsurprisingly, the researchers found that untrustworthy extensions tend to request more permissions than benign extensions. “Ultimately, the more permissions an extension has, the larger its attack surface,” the study concludes.
Also worryingly, the study found that extensions containing malware were available in the Chrome web store for an average of 380 days. One of these, the study said, remained available from December 2013 until June 2022, when it was found to contain malware and was removed.
What Google says about staying safe with Chrome extensions
A June 20 post on the Google Security Blog, just 48 hours after the researchers published their study, by Benjamin Ackerman, Anunoy Ghosh, and David Warren of the Chrome security team, admits that “as with any software, extensions also come with risks.” can bring.” However, it also outlines how a dedicated security team works to keep Chrome users safe when it comes to extensions. Google said this team provides users with a personalized overview of installed extensions, reviews all extensions before they can be published to the Chrome web store, and monitors them afterwards.
An example of this in action is a security control panel at the top of the extension page that warns users of installed extensions that could pose a risk. Google said that “if you don’t see an alert panel, you probably don’t have any extensions to worry about,” although the Stanford study rather challenges this statement.
That said, Google’s automated process using machine learning systems examines all extensions that want to be published on the online store, and then a human review looks at the images, descriptions and public policies of each extension. “This review process removes the vast majority of bad extensions before they are even published,” Google says. “In 2024, less than 1% of all installations from the Chrome Web Store were found to contain malware. We’re proud of this record and yet some bad extensions still get through. That is why we also monitor published extensions.”
Four recommendations to ensure your Chrome extensions are safe
Google recommends that Chrome users do four things to minimize the risk of malicious extensions:
- Check new extensions before installing them – read the extension information And the developer before installing.
- Remove extensions that you no longer use.
- Limit the sites that an extension is allowed to work on.
- Enable the enhanced protection mode of Chrome’s Safe Browsing feature. This mode gives you protection against phishing and malware, as well as features aimed at protecting you from potentially harmful extensions.