A joint study conducted by Stanford University and the CISPA Helmholtz Center for Information Security has found notable security shortcomings in Chrome Web Store extensions. The investigation highlights that many extensions harbor malware, violate user policies, or contain insecure code, posing risks to millions of users.
Detailed Examination of Chrome Extensions
The research paper, titled “What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions,” is set to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July. By analyzing data from July 5, 2020, to February 14, 2023, the researchers found that over 346 million users have downloaded extensions classified as Security-Noteworthy Extensions (SNE). Of those installs, 280 million were of extensions containing malware, 63 million of extensions violating policy, and three million of extensions with vulnerable code.
The researchers found that numerous extensions reuse code from public repositories and forums, leading to widespread dissemination of insecure code. The investigation also pointed out that many extensions are rarely, if ever, updated. About 60 percent of extensions have never received an update, and half of the known vulnerable extensions remain in the store two years post-disclosure. Furthermore, a third of these extensions use outdated code libraries.
To improve security, the study advocates for better monitoring practices by Google. This includes detecting code similarities, as many extensions share unsafe and outdated code.
Persistence of Malicious Extensions
Many harmful extensions remain available for significant periods, as noted in the study. Extensions categorized as malware typically last around 380 days, while those with vulnerable code persist for approximately 1,248 days. For instance, the extension “TeleApp” was accessible for 8.5 years before its malware content was identified.
The investigation also found that user ratings do not effectively indicate the safety of extensions. Malicious and benign extensions often received similar ratings, indicating a need for enhanced user education and stricter monitoring from Google. The researchers suggested flagging extensions using outdated libraries and recommended the complete deactivation of Manifest V2 extensions by early 2025.
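The checks the researchers recommend (flagging Manifest V2 extensions, remotely hosted code and outdated bundled libraries) can be scripted against an unpacked extension. The following is an added example written for this article, not code from the study or from Google; the minimum library versions and the sample manifest and JavaScript file are constructed for illustration.

```python
import json
import re
from typing import Dict, List

# Constructed baseline: oldest library versions the auditor accepts.
# These thresholds are an assumption for this example, not figures from the study.
MIN_LIB_VERSION = {"jquery": (3, 5, 0), "lodash": (4, 17, 21)}

# Version banners as they commonly appear at the top of minified bundles,
# e.g. "/*! jQuery v1.12.4 | (c) jQuery Foundation".
BANNER_RE = re.compile(r"/\*!\s*(jQuery|lodash)\s+v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def audit_extension(manifest_json: str, js_files: Dict[str, str]) -> List[str]:
    """Return findings for one unpacked extension: manifest text plus {path: source}."""
    findings = []
    manifest = json.loads(manifest_json)
    if manifest.get("manifest_version", 0) < 3:
        findings.append("MANIFEST_V2: extension still targets Manifest V2")
        # In Manifest V2 a script-src that lists an https origin lets the extension
        # load code from that host at runtime, the remotely hosted code risk
        # that Manifest V3 removes.
        csp = manifest.get("content_security_policy", "")
        if re.search(r"script-src[^;]*https://", csp):
            findings.append("REMOTE_CODE: CSP permits remotely hosted scripts")
    for path, source in js_files.items():
        for match in BANNER_RE.finditer(source):
            name = match.group(1).lower()
            version = tuple(int(part) for part in match.group(2, 3, 4))
            floor = MIN_LIB_VERSION.get(name)
            if floor and version < floor:
                label = ".".join(str(part) for part in version)
                findings.append(f"OUTDATED_LIB: {path} bundles {name} {label}")
    return findings


# Constructed sample input: a Manifest V2 extension with a remote CDN in its CSP
# and an old jQuery build shipped in its package.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Extension",
    "content_security_policy": "script-src 'self' https://cdn.example.com; object-src 'self'",
})
SAMPLE_JS = {"lib/jquery.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation */\n(function(){})();"}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_JS):
        print(finding)
```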
Google’s Perspective on Security Challenges
Benjamin Ackerman, Anunoy Ghosh, and David Warren from Google’s Chrome Security Team wrote in a blog post about the issue that fewer than one percent of all installs in 2024 included malware. Nonetheless, they stressed the need for ongoing vigilance in monitoring extensions. In a response to the research findings shared with The Register, a Google spokesperson thanked the research community for their input and mentioned the company’s measures to tackle these issues, including moving to Manifest V3 to mitigate risks from remotely hosted code:
“We appreciate the work of the research community, and always welcome suggestions for ways to maintain the safety of the Chrome Web Store. We agree that unmaintained extensions are often less secure, which is one of the reasons we are taking steps to remove support for outdated Manifest V2 extensions. Manifest V3 addresses many of the concerns highlighted in the report, including the risks posed by remotely hosted code, so we are glad to see researchers supporting the importance of that transition.”
Last Updated on November 7, 2024 3:49 pm CET