Enterprise security firm Secure Annex identified a network of 57 browser extensions, many distributed non-traditionally, that potentially exposed nearly 6 million users to significant security risks like cookie theft and pervasive tracking.
The findings, detailed by researcher John Tuckner, stemmed from an investigation into “unlisted” Chrome extensions discovered during a client review. Unlisted extensions are not discoverable through standard Chrome Web Store searches and require a direct URL for installation, a method sometimes exploited to distribute potentially unwanted or malicious software under the radar.
Working with fellow security firm Obsidian Security, Secure Annex compiled the list of 57 suspect extensions. Analysis revealed these add-ons requested broad permissions allowing them access to user cookies – potentially including sensitive authentication tokens used to maintain login sessions – alongside capabilities to monitor browsing habits, alter search results, inject and execute remote scripts, and deploy advanced tracking techniques.
A common element linking many extensions was communication with the domain unknow.com, suggesting a coordinated command-and-control structure. Tuckner noted that while direct data exfiltration wasn’t observed during their analysis, the extensions’ capabilities and use of obfuscated code strongly pointed towards spyware potential. The ability to steal session cookies is particularly concerning: a copied post-login session cookie lets an attacker reuse an already authenticated session, bypassing multi-factor authentication and hijacking the account.
A Pattern of Extension Security Challenges
The discovery highlights ongoing security issues within browser extension ecosystems. The sheer scale of the problem was detailed in a 2024 study by researchers from Stanford University and the CISPA Helmholtz Center for Information Security, which found notable security shortcomings in the Chrome Web Store.
Their research paper, analyzing data from mid-2020 to early 2023, found over 346 million downloads of what they termed “Security-Noteworthy Extensions,” encompassing malware, policy violators, and extensions with vulnerable code.
The academic study identified common issues contributing to the risk, including the tendency for developers to reuse code from public sources, which can propagate security flaws, and a lack of updates – around 60% of studied extensions had never received one.
This neglect allows vulnerabilities to persist; the researchers found half of known vulnerable extensions remained available two years post-disclosure. Furthermore, the investigation concluded that “user ratings do not effectively indicate the safety of extensions. Malicious and benign extensions often received similar ratings”, suggesting users cannot easily discern safe add-ons from risky ones based on community feedback alone. The researchers recommended enhanced monitoring by Google, including practices like “detecting code similarities” and “flagging extensions using outdated libraries.”
Delayed Detection and Platform Response
Problematic extensions often linger before removal, compounding the risk. The Stanford/CISPA study found malware typically persisted for about 380 days, while vulnerable extensions averaged an alarming 1,248 days. A stark illustration provided was the extension “TeleApp,” which was accessible for 8.5 years before its malware content was identified. Following the Secure Annex report earlier this year, Google was notified and reportedly investigated, removing some, but not all, of the identified extensions.
While acknowledging the challenges, Google maintains that active threats represent a small fraction of overall activity. Benjamin Ackerman, Anunoy Ghosh, and David Warren from Google’s Chrome Security Team wrote in a 2024 blog post that fewer than one percent of all installs in 2024 included malware. Nonetheless, they stressed the need for ongoing vigilance in monitoring extensions.
Responding specifically to the Stanford/CISPA research via The Register, a Google spokesperson stated: “We appreciate the work of the research community, and always welcome suggestions for ways to maintain the safety of the Chrome Web Store. We agree that unmaintained extensions are often less secure, which is one of the reasons we are taking steps to remove support for outdated Manifest V2 extensions.”
The Push Towards Manifest V3
Google emphasizes its transition to the Manifest V3 extension platform as a key part of its security strategy. Manifest V3 introduces stricter rules for extensions, notably limiting their ability to execute remotely hosted code – code downloaded from a server after installation, which has been a common mechanism for introducing malicious behavior post-review.
The spokesperson added, “Manifest V3 addresses many of the concerns highlighted in the report, including the risks posed by remotely hosted code, so we are glad to see researchers supporting the importance of that transition.” Google intends to phase out support for the older Manifest V2 platform completely by early 2025, pushing developers towards the more restricted, and theoretically safer, V3 architecture.
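The capabilities described earlier (cookie access combined with broad host access, browsing monitoring, remote script loading) and the Manifest V3 restriction on remotely hosted code can both be checked from an extension's manifest.json before the code is read. The triage below is an added example written for this article; it is not tooling from Secure Annex, Obsidian Security or Google, and the two sample manifests are constructed for illustration (the `cdn.example.invalid` host is a placeholder, not the domain named in the report). It flags the risky permissions, detects the cookie-plus-all-hosts combination that makes session theft possible, and parses the extension's content security policy for remote or `eval` script sources, which is the mechanism Manifest V3 removes.

```javascript
// Added example (not from the article or the vendors it cites): triage a
// Chrome extension manifest for the capability profile described above.

// Permissions that give an extension the access the article warns about.
const PERMISSION_NOTES = {
  cookies: "read/write cookies, including session tokens, on every host it can reach",
  tabs: "read URL and title of every open tab (browsing habits)",
  history: "read browsing history",
  webRequest: "observe every request (tracking)",
  webRequestBlocking: "modify or block requests (MV2 only)",
  declarativeNetRequest: "rewrite or redirect requests, e.g. search traffic",
  scripting: "inject scripts into pages (MV3)",
};

// Match patterns that grant access to (nearly) every site.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Parse a CSP string into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Remote hosts or 'unsafe-eval' in script-src mean the code that runs can
// differ from the code that was reviewed. MV3 rejects both for extension pages.
function remoteScriptSources(csp) {
  const sources = parseCsp(csp)["script-src"] || [];
  return sources.filter((s) => /^https?:/.test(s) || s === "'unsafe-eval'");
}

function triageManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;
  const perms = manifest.permissions || [];
  // MV2 mixes host patterns into "permissions"; MV3 has "host_permissions".
  const hosts = [
    ...(mv === 2 ? perms.filter((p) => p.includes("://") || p === "<all_urls>") : []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const broad = hosts.some(isBroadHostPattern);
  if (broad) findings.push("BROAD_HOST_ACCESS");
  for (const p of perms) {
    if (PERMISSION_NOTES[p]) findings.push(`PERMISSION:${p}`);
  }
  // The combination that enables session hijacking: cookie API plus every host.
  if (perms.includes("cookies") && broad) findings.push("SESSION_COOKIE_THEFT_POSSIBLE");
  // MV2 CSP is a string; MV3 is an object keyed by extension_pages / sandbox.
  const csp = mv === 2
    ? manifest.content_security_policy
    : (manifest.content_security_policy || {}).extension_pages;
  if (typeof csp === "string" && remoteScriptSources(csp).length) findings.push("REMOTE_SCRIPT_SOURCES");
  if (mv === 2) findings.push("MANIFEST_V2_DEPRECATED");
  return { manifestVersion: mv, findings };
}

// Constructed sample with the risky profile (not a real extension).
const SUSPECT_MV2 = {
  manifest_version: 2,
  name: "Example Search Helper",
  permissions: ["cookies", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  background: { scripts: ["bg.js"] },
  content_security_policy:
    "script-src 'self' https://cdn.example.invalid 'unsafe-eval'; object-src 'self'",
};

// Constructed narrow-scope MV3 manifest for comparison.
const NARROW_MV3 = {
  manifest_version: 3,
  name: "Example Notes",
  permissions: ["storage"],
  host_permissions: ["https://notes.example.invalid/*"],
  background: { service_worker: "bg.js" },
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

for (const m of [SUSPECT_MV2, NARROW_MV3]) {
  console.log(m.name, triageManifest(m).findings);
}
```

The check is deliberately static: it tells a reviewer which extensions deserve a code read, not whether one is malicious. An extension can hold every flagged permission legitimately, and an MV3 extension with a clean manifest can still exfiltrate data it is allowed to read, so a manifest finding is a reason to inspect the bundled code and its network destinations, not a verdict.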