Google said this week that its Chrome Web Store monitoring catches most malicious extensions, while acknowledging that “as with any software, extensions can also pose risks.”
Coincidentally, a trio of researchers affiliated with Stanford University in the United States and the CISPA Helmholtz Center for Information Security in Germany have just published a paper on recent Chrome Web Store data that suggests the risk posed by browser extensions is much bigger than Google admits.
The paper, titled “What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions,” is due to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July.
Writing for Google on Thursday, Benjamin Ackerman, Anunoy Ghosh and David Warren of the Chrome security team said: “In 2024, less than 1% of all Chrome Web Store installs included malware. We are proud of this record and yet some bad extensions still pass, which is why we also monitor published extensions.”
Well, “some bad extensions” turns out to be quite a few, as defined and measured by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their paper, Security-Noteworthy Extensions (SNEs) remain a serious problem.
An SNE is defined as an extension that contains malware, violates Chrome Web Store policy, or contains vulnerable code. So this is a broader category than malicious extensions alone.
Browser extensions have long been a concern because they have access to sensitive information. They may be able to see data entering or leaving your web browser, depending on the permissions granted. They have been used by criminals to spread malware, track and spy on users, and steal data. But because most extensions are free, there has never been a revenue stream that browser store operators can use to fund security.
But extension security cannot be ignored. One of the reasons Google set out several years ago to redesign its browser extension architecture, an initiative known as Manifest V3, was to limit the potential for abuse by extensions.
However, despite Google’s efforts, the Chrome Web Store is full of risky extensions, researchers say.
“We see that these SNEs are a significant problem: more than 346 million users have installed an SNE in the last three years (280 million malware cases, 63 million policy violations and three million vulnerabilities),” the authors say. “Additionally, these extensions remain in the [Chrome Web Store] for years, making thorough verification of extensions and notification of affected users even more crucial.”
The authors collected and analyzed data from Chrome extensions available between July 5, 2020 and February 14, 2023, when nearly 125,000 extensions were available in the Chrome Web Store. These results therefore do not necessarily reflect the current state of the Chrome Web Store.
Researchers found that Chrome extensions often don’t last very long: “Only 51.86 to 62.98 percent of extensions are still available after a year,” the paper says.
But SNEs can also be long-lived. According to the paper, SNEs stay in the Chrome Web Store for an average of 380 days if they contain malware, and 1,248 days if they merely contain vulnerable code. The oldest malicious extension had been available in the store for 8.5 years.
“This extension, ‘TeleApp,’ was last updated on December 13, 2013 and was found to contain malware on June 14, 2022,” the paper says. “This is extremely problematic, because such extensions endanger the security and privacy of their users for years.”
The researchers also find that the store’s rating system does not appear to be effective at separating good extensions from bad ones: user ratings of malicious SNEs do not differ significantly from those of harmless extensions.
“Overall, users do not rate SNE lower, suggesting that they may not be aware that such extensions are dangerous,” the authors say. “Of course, it is also possible that bots are giving fake reviews and high ratings to these extensions. However, given that half of SNEs have no reviews at all, it seems that the use of fake reviews is not widespread in this case.”
Either way, they say, the uselessness of user reviews as a guide to quality highlights the need for increased oversight from Google.
One of the authors’ suggestions is for Google to monitor extensions for code similarity. They found thousands of extensions sharing near-identical code, which means a single flaw can be replicated across many of them. Copying and pasting from Stack Overflow, following the advice of AI assistants, or simply reusing boilerplate or outdated libraries can spread vulnerable code widely.
“For example, approximately 1,000 extensions use the open source Extensionizr project, of which 65 to 80 percent still use the default and vulnerable library versions originally shipped with the tool six years ago,” the authors observe.
They also point to a “critical lack of maintenance” of extensions in the Chrome Web Store: almost 60 percent of extensions have never been updated, meaning they lack security improvements such as those built into the Manifest V3 platform.
Lack of maintenance means extensions can sit in the store for years after vulnerabilities are disclosed. “At least 78 out of 184 extensions (42%) are still in the CWS and still vulnerable two years after their disclosure,” the researchers say. “This shows that while detecting vulnerable extensions is essential, we also need better incentives to encourage and help developers fix vulnerabilities after they are disclosed.”
And many extensions bundle vulnerable JavaScript libraries. The team found that a third of extensions (around 40,000) use a JavaScript library with a known vulnerability. “We detect more than 80,000 uses of vulnerable libraries, affecting nearly 500 million extension users,” they write.
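The three findings above (near-identical code shared across extensions, extensions that were never moved to Manifest V3, and bundled libraries with known vulnerabilities) are all things a store operator or an enterprise admin can triage statically from an unpacked extension. The script below is an added example, not code from the paper, from Google or from any scanner the article names. It audits an in-memory representation of unpacked extensions (a manifest plus the source of each bundled script): it flags `manifest_version: 2`, recovers library versions from the banner comments that minified builds keep and checks them against a small version-range table, and groups near-identical scripts across extensions using Jaccard similarity over token shingles. The extension samples, the `VULNERABLE_RANGES` table and the helper names are all constructed for illustration; the table is a two-entry subset, not an advisory database.

```javascript
// Added example (not from the paper or from Google): static triage of unpacked
// Chrome extensions for (1) Manifest V2, (2) bundled library versions with known
// vulnerabilities, (3) near-identical scripts shared between extensions.

// Constructed, illustrative table of vulnerable version ranges: [fromInclusive, toExclusive].
// jQuery < 3.5.0: CVE-2020-11022 / CVE-2020-11023 (XSS via htmlPrefilter).
// Bootstrap < 3.4.1 and 4.0.0 <= v < 4.3.1: CVE-2019-8331 (XSS in tooltip/popover).
// A real scanner would load this from an advisory feed rather than hard-code it.
const VULNERABLE_RANGES = {
  jquery: [['0.0.0', '3.5.0']],
  bootstrap: [['0.0.0', '3.4.1'], ['4.0.0', '4.3.1']],
};

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0); // treat "1.8" as 1.8.0
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function isVulnerable(name, version) {
  const ranges = VULNERABLE_RANGES[name.toLowerCase()] || [];
  return ranges.some(([from, to]) =>
    compareVersions(version, from) >= 0 && compareVersions(version, to) < 0);
}

// Minified builds usually keep a "/*! jQuery v1.8.3 ..." style banner; read name/version from it.
const BANNER_RE = /\b(jQuery|Bootstrap|lodash|AngularJS)\s+v?(\d+\.\d+(?:\.\d+)?)/g;
function detectLibraries(source) {
  const found = new Map();
  for (const m of source.matchAll(BANNER_RE)) found.set(`${m[1]}@${m[2]}`, { name: m[1], version: m[2] });
  return [...found.values()];
}

// ext = { id, manifest: <parsed manifest.json>, scripts: { relativePath: sourceText } }
function auditExtension(ext) {
  const vulnerableLibs = [];
  for (const [file, source] of Object.entries(ext.scripts)) {
    for (const lib of detectLibraries(source)) {
      if (isVulnerable(lib.name, lib.version)) vulnerableLibs.push({ file, ...lib });
    }
  }
  return { id: ext.id, manifestV2: ext.manifest.manifest_version === 2, vulnerableLibs };
}

// Code similarity: strip comments (naively), tokenize, build k-token shingles, compare with Jaccard.
function shingles(source, k = 5) {
  const code = source.replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, ' ');
  const tokens = code.match(/[A-Za-z_$][\w$]*|\d+|[^\s\w]/g) || [];
  const out = new Set();
  for (let i = 0; i + k <= tokens.length; i++) out.add(tokens.slice(i, i + k).join('\u0001'));
  return out;
}

function similarity(a, b) {
  const sa = shingles(a), sb = shingles(b);
  let inter = 0;
  for (const s of sa) if (sb.has(s)) inter++;
  const union = sa.size + sb.size - inter;
  return union === 0 ? 0 : inter / union; // two empty (comment-only) files count as unrelated
}

// Every script of every extension against every script of every other extension.
function similarPairs(extensions, threshold = 0.75) {
  const pairs = [];
  for (let i = 0; i < extensions.length; i++) {
    for (let j = i + 1; j < extensions.length; j++) {
      for (const [fileA, srcA] of Object.entries(extensions[i].scripts)) {
        for (const [fileB, srcB] of Object.entries(extensions[j].scripts)) {
          const score = similarity(srcA, srcB);
          if (score >= threshold) pairs.push({ a: extensions[i].id, b: extensions[j].id, fileA, fileB, score });
        }
      }
    }
  }
  return pairs;
}

// Constructed samples: ext-a and ext-b share one background script with a one-token change.
const BACKGROUND_A = `chrome.runtime.onInstalled.addListener(function () {
  chrome.storage.local.set({ installedAt: Date.now() });
  chrome.tabs.onUpdated.addListener(function (tabId, info) {
    if (info.status === 'complete') chrome.tabs.sendMessage(tabId, { ping: true });
  });
});`;
const SAMPLE_EXTENSIONS = [
  { id: 'ext-a', manifest: { manifest_version: 2 },
    scripts: { 'background.js': BACKGROUND_A,
               'lib/jquery.js': '/*! jQuery v1.8.3 jquery.com | jquery.org/license */' } },
  { id: 'ext-b', manifest: { manifest_version: 3 },
    scripts: { 'service_worker.js': BACKGROUND_A.replace('{ ping: true }', '{ ping: 1 }'),
               'lib/bootstrap.js': '/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */' } },
  { id: 'ext-c', manifest: { manifest_version: 3 },
    scripts: { 'content.js': `document.addEventListener('DOMContentLoaded', function () {
  for (const link of document.querySelectorAll('a[href^="http"]')) link.setAttribute('rel', 'noopener');
});`,
               'lib/jquery.js': '/*! jQuery v3.7.1 | (c) OpenJS Foundation | jquery.org/license */' } },
];

function runAudit(extensions) {
  return { findings: extensions.map(auditExtension), similar: similarPairs(extensions) };
}

console.log(JSON.stringify(runAudit(SAMPLE_EXTENSIONS), null, 2));
```

On the sample set, ext-a is reported as Manifest V2 with a vulnerable jQuery 1.8.3, ext-b as carrying a vulnerable Bootstrap 3.3.7, ext-c as clean, and the two near-identical background scripts of ext-a and ext-b are paired. Note that a match here means only that a vulnerable library version is bundled, which is the same caveat Hsu raises below: whether the flaw is reachable depends on which parts of the library the extension actually uses.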
Sheryl Hsu, an undergraduate researcher at Stanford and co-author of the paper, told The Register in an email that she thinks extension security has improved. “I think we are more aware of the risks today (especially thanks to the many researchers who have discovered vulnerabilities) than 10 years ago, when extensions were just starting,” she said.
Hsu said she thought it would be helpful to flag extensions that have not been updated or that contain vulnerable libraries.
“But it’s also important to exercise some caution, because things that aren’t updated may not be vulnerable (e.g. a very simple application that doesn’t really need to be updated) and just because an extension uses a vulnerable library does not mean the vulnerability can be exploited,” she said. “It really depends on what parts of the library an extension uses.
“I think a difficult part of cybersecurity is always figuring out how to give the user the correct information so they can make informed choices, but also realizing that many users don’t have the technical knowledge or time needed to delve into things like this.”
Hsu added: “I think disabling Manifest v2 should definitely help resolve these issues, I hope they do that soon.”
Chrome Manifest v2 extensions are expected to stop working in the general Chrome release (stable channel) in early 2025, barring further delays.
A Google spokesperson told The Register on Friday:
“We also recently launched new tools that make users even more aware of potentially risky extensions, and we will continue to invest in this area,” the representative added. ®