According to new research, the risk of installing a malicious extension from the Chrome Web Store is far higher than Google admits.
Google this week reiterated assurances that its review of Chrome extensions catches most malicious code, though it acknowledged that "like any software, extensions come with risks." Coincidentally, three researchers from Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany have just published a paper analyzing recent Chrome Web Store data, and it shows that browser extensions pose far greater risks than Google lets on.
The paper, "What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions," is scheduled to be presented at the ACM Asian Conference on Computer and Communications Security (ASIA CCS '24) in July. On Thursday, Benjamin Ackerman, Anunoy Ghosh, and David Warren of the Google Chrome security team reported on how much malware had been detected in the Chrome Web Store in 2024, adding: "We're proud of this record, but some bad extensions are still out there, so we keep an eye on published extensions as well."
"Some bad extensions" turns out to be quite a lot, as defined and measured by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their paper, security-noteworthy extensions (SNEs) remain a serious problem. SNEs are defined as extensions that contain malware, violate Chrome Web Store policies, or include vulnerable code, so the category is broader than malicious extensions alone.
Browser extensions have long been a concern because they have access to sensitive information. Depending on the permissions granted, they may be able to see the data going into or out of the browser. They have been used by malicious actors to spread malware, to track and spy on users, and to steal data. But since most extensions are free, there has never been much of a revenue stream that browser store operators can use to fund security. Extension security cannot be ignored, though. A few years ago, one of the reasons Google reworked its browser extension architecture (an initiative called Manifest v3) was to limit the abuse potential of extensions. Despite that effort, the Chrome Web Store is full of risky extensions.
The authors collected and analyzed data on Chrome extensions available between July 5, 2020, and February 14, 2023, a period during which nearly 125,000 extensions were listed on the Chrome Web Store. As such, the results do not necessarily reflect the current state of the store. The researchers found that Chrome extensions usually do not last long: "Only 51.86-62.98 % of extensions are still available after one year," the paper says.
But malicious extensions can also be durable. According to the paper, SNEs remain in the Chrome Web Store for an average of 380 days if they contain malware and 1,248 days if they merely contain vulnerable code. The longest-surviving malicious extension was available on the store for 8.5 years. "This 'TeleApp' extension was last updated on December 13, 2013, and was found to contain malware on June 14, 2022," the paper says. "This is a very problematic issue, as such extensions have been a threat to user security and privacy for years."
The researchers also noted that the store's rating system seems ineffective at distinguishing good extensions from bad ones, because user ratings of malicious SNEs are not significantly different from those of benign extensions. "In general, users do not give SNEs lower ratings, suggesting that users may not be aware that such extensions are dangerous," the authors say. "Of course, it is also possible that bots are giving fake reviews and high ratings to these extensions. However, given that half of SNEs have no reviews, it seems that the use of fake reviews in this case is not common."
Either way, they say, user reviews are useless as a guide to quality, which underscores the need for more oversight from Google. One of the authors' suggestions is that Google monitor extensions for code similarity. They found thousands of extensions that share similar code, which is often a sign of bad practice: copying and pasting from Stack Overflow or an AI assistant, or simply building on outdated templates or libraries, can spread the same vulnerable code across many extensions.
"For example, of the approximately 1,000 extensions that use the open source Extensionizr project, 65-80% still use the default and vulnerable version of the library that was originally packaged with the tool six years ago," the authors note. They also highlight a "critical maintenance gap" among Chrome Web Store extensions: nearly 60 percent have never been updated, meaning they do not benefit from security improvements such as those built into the Manifest v3 platform version.
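To make the two findings above concrete (the same code copied into many extensions, and extensions stuck on an old manifest version), here is an added example of the kind of offline scan a reviewer or store operator could run over a set of unpacked extensions. It is my own illustration, not code from the paper or from Google. The four extensions, their ids, manifests and code are constructed for the example; the "template" file stands in for a scaffolding tool's default file and does not reproduce any Extensionizr code. It goes one step beyond exact matching by also scoring near-duplicate code with token shingles, since copied files are usually edited a little before shipping.

```python
"""Offline triage of unpacked browser extensions (added example, not from the paper).

Checks: (1) JS files shared token-for-token between extensions, (2) near-duplicate
extensions by Jaccard similarity over token shingles, (3) extensions still on
manifest_version 2, (4) extensions still shipping a known stale template file.
"""
import hashlib
import json
import re
from collections import defaultdict
from itertools import combinations

# Naive comment stripping: does not understand comment markers inside string or
# regex literals. Good enough for triage, not a JavaScript parser.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_TOKEN = re.compile(r"[A-Za-z_$][\w$]*|\d+|\S")


def tokenize_js(src):
    """Drop comments and whitespace so reformatting cannot hide a copied file."""
    src = _LINE_COMMENT.sub(" ", _BLOCK_COMMENT.sub(" ", src))
    return _TOKEN.findall(src)


def file_digest(src):
    """Fingerprint of the token stream, not the bytes."""
    return hashlib.sha256(" ".join(tokenize_js(src)).encode()).hexdigest()


def shingles(tokens, k=4):
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def extension_shingles(files):
    out = set()
    for path, content in files.items():
        if path.endswith(".js"):
            out |= shingles(tokenize_js(content))
    return out


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def shared_file_clusters(extensions, min_tokens=20):
    """digest -> [(ext_id, path)] for JS files present in at least two extensions.
    Tiny files are skipped: one-line boilerplate is shared everywhere and says nothing."""
    by_digest = defaultdict(list)
    for ext_id, files in extensions.items():
        for path, content in files.items():
            if path.endswith(".js") and len(tokenize_js(content)) >= min_tokens:
                by_digest[file_digest(content)].append((ext_id, path))
    return {d: hits for d, hits in by_digest.items() if len({e for e, _ in hits}) >= 2}


def near_duplicate_pairs(extensions, threshold=0.5):
    """Extension pairs whose code overlaps beyond the threshold; catches
    'copied, then lightly edited' code that an exact digest misses."""
    sets = {e: extension_shingles(f) for e, f in extensions.items()}
    pairs = []
    for a, b in combinations(sorted(sets), 2):
        score = jaccard(sets[a], sets[b])
        if score >= threshold:
            pairs.append((a, b, round(score, 3)))
    return pairs


def manifest_v2_extensions(extensions):
    return sorted(e for e, f in extensions.items()
                  if json.loads(f["manifest.json"]).get("manifest_version") == 2)


def extensions_with_known_file(extensions, known_digests):
    """ext_id -> paths of JS files whose token digest matches a known stale file."""
    hits = defaultdict(list)
    for ext_id, files in extensions.items():
        for path, content in files.items():
            if path.endswith(".js") and file_digest(content) in known_digests:
                hits[ext_id].append(path)
    return dict(hits)


# Hypothetical scaffolding template (constructed; stands in for a generator's default
# file). Its token digest is the "known stale" fingerprint the scan looks for.
HYPOTHETICAL_TEMPLATE = ("function init() {\n  var hash = location.hash.slice(1);\n"
                         "  document.body.innerHTML = hash;\n}\n")
KNOWN_STALE_DIGESTS = {file_digest(HYPOTHETICAL_TEMPLATE)}

# Constructed sample corpus: ids, manifests and code are made up for this example.
SAMPLE_EXTENSIONS = {
    "ext-aaaa": {"manifest.json": json.dumps({"manifest_version": 2, "name": "A", "version": "1.0"}),
                 "js/template.js": HYPOTHETICAL_TEMPLATE, "js/app.js": "init();\n"},
    # Same template, reindented and commented: the token digest still matches.
    "ext-bbbb": {"manifest.json": json.dumps({"manifest_version": 2, "name": "B", "version": "0.3"}),
                 "js/template.js": "// entry point\nfunction init(){\n\tvar hash=location.hash.slice(1);\n"
                                   "\t/* render */ document.body.innerHTML=hash;\n}",
                 "js/app.js": "init();"},
    # Template copied then edited: digest differs, but similarity stays high.
    "ext-cccc": {"manifest.json": json.dumps({"manifest_version": 3, "name": "C", "version": "2.1"}),
                 "js/template.js": HYPOTHETICAL_TEMPLATE.replace("innerHTML", "textContent"),
                 "js/app.js": "init();\n"},
    # Unrelated code on Manifest v3.
    "ext-dddd": {"manifest.json": json.dumps({"manifest_version": 3, "name": "D", "version": "1.2"}),
                 "js/background.js": "chrome.runtime.onMessage.addListener(function (msg) {\n"
                                     "  console.log(msg);\n});\n"},
}


def scan(extensions=SAMPLE_EXTENSIONS):
    return {"shared_files": shared_file_clusters(extensions),
            "near_duplicates": near_duplicate_pairs(extensions),
            "manifest_v2": manifest_v2_extensions(extensions),
            "known_stale_template": extensions_with_known_file(extensions, KNOWN_STALE_DIGESTS)}


if __name__ == "__main__":
    for key, value in scan().items():
        print(key, value)
```

On the sample corpus the scan reports one shared-file cluster (ext-aaaa and ext-bbbb ship the same template despite different formatting), three near-duplicate pairs (the edited copy in ext-cccc still scores about 0.71 against the originals), two Manifest v2 extensions, and two extensions carrying the known stale template. The point of hashing the token stream rather than the bytes is that the reformatting and comments in ext-bbbb, which would defeat a plain file hash, do not hide the copy.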