Google Underplaying Risk Of Compromised Extensions To Chrome

Half the extensions known to feature vulnerabilities in Google Chrome are still available in the Web Store two years after disclosure, claim researchers


Security-noteworthy extensions for the Chrome web browser, those that are outright malicious or that run code with known vulnerabilities, affect almost 350 million users worldwide, despite Google's claim that under one percent of installs from the Chrome Web Store were found to include malware.

The claims were made in a recently published research paper by security researchers Sheryl Hsu, Manda Tran and Aurore Fass, posted to the arXiv preprint server (which is hosted by Cornell University).

"Security-noteworthy extensions are a significant issue: they have pervaded the Chrome Web Store for years and affect almost 350 million users," they wrote. Moreover, the researchers found clusters of extensions sharing a similar code base, often copied from public repositories and forums, including code from vulnerable JavaScript libraries. These findings, they say, suggest that Google's review of Chrome extensions might be flawed.

Security-noteworthy extensions encompass both outright malicious extensions and extensions running dated code that may contain known vulnerabilities. Indeed, the researchers found that 60 percent of the extensions in the Chrome Web Store have never been updated, and that half of the extensions known to contain vulnerabilities were still available two years after those vulnerabilities were disclosed.

Browser extensions are a particular security concern for both individuals and organisations: they can read sensitive information on the pages a user visits, propagate malware, track users and even steal data.

In response to such concerns, Google developed Manifest V3, a revised extension platform and API specification intended to limit the scope for such abuse. One of its security changes is that extensions can no longer download and run remotely hosted code: all executable code must be packaged within the extension, where it is visible to the review process.

But critics argue that Manifest V3 was as much about limiting ad-blocking extensions (its replacement of the blocking webRequest API with declarativeNetRequest restricts what content blockers can do) as it was about security, and the researchers note that extensions built on Manifest V2 still make up the majority of those in the Chrome Web Store.
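The following is an added example, not code from the article, the research paper or Google: a small offline triage script that inspects a Chrome extension's parsed manifest.json for the properties the Manifest V3 migration was meant to remove (remotely hosted script sources and 'unsafe-eval' in the CSP, persistent background pages) and for over-broad host access. The two sample manifests are constructed for illustration and do not correspond to real extensions; the checks are heuristics a reviewer might run across a corpus of downloaded extensions, not a substitute for Google's review.

```javascript
// Added example (not from the article or the research paper): heuristic
// audit of a parsed manifest.json for Manifest V2 remote-code and
// over-privilege indicators. Sample manifests below are constructed.

// Extracts the script-src directive from a CSP string ("" if absent).
function scriptSrcOf(csp) {
  const m = csp.match(/script-src([^;]*)/);
  return m ? m[1].trim() : "";
}

// Returns a list of human-readable findings for one parsed manifest.
function auditManifest(manifest) {
  const findings = [];

  // MV2 extensions may fetch and execute remotely hosted scripts; MV3 forbids it.
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version ${manifest.manifest_version}: not migrated to Manifest V3`);
  }

  // MV2 stores the CSP as a string; MV3 uses an object keyed by context
  // (extension_pages, sandbox). Chrome's MV2 default is script-src 'self'.
  const cspField = manifest.content_security_policy;
  const csp = typeof cspField === "string"
    ? cspField
    : (cspField && cspField.extension_pages) || "";
  const scriptSrc = scriptSrcOf(csp);
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("CSP permits 'unsafe-eval' (eval/new Function on arbitrary strings)");
  }
  if (/https?:/.test(scriptSrc)) {
    findings.push(`CSP script-src allows remote origins: ${scriptSrc}`);
  }

  // MV2 lists host match patterns under "permissions"; MV3 moved them to
  // "host_permissions". Either way, flag access to every site.
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const allSites = hosts.some(h => h === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(h));
  if (allSites) {
    findings.push("can read and modify data on all websites");
  }

  // MV2 persistent background pages run for the lifetime of the browser.
  if (manifest.background && manifest.background.persistent === true) {
    findings.push("persistent background page (MV2)");
  }
  return findings;
}

// Constructed sample: an MV2 manifest with the weak settings described above.
const mv2Manifest = {
  manifest_version: 2,
  name: "Sample MV2 extension (constructed)",
  version: "1.0",
  permissions: ["<all_urls>", "tabs"],
  background: { scripts: ["bg.js"], persistent: true },
  content_security_policy: "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'"
};

// Constructed sample: the same extension migrated to MV3 with bundled code only.
const mv3Manifest = {
  manifest_version: 3,
  name: "Sample MV3 extension (constructed)",
  version: "1.0",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  background: { service_worker: "bg.js" },
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" }
};

for (const m of [mv2Manifest, mv3Manifest]) {
  const findings = auditManifest(m);
  console.log(`${m.name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log("  - " + f);
}
```

The MV2 sample produces five findings (version, 'unsafe-eval', remote origin, all-sites access, persistent background page); the MV3 sample produces none. A manifest that passes these checks can still be malicious, since bundled code is reviewed for behaviour, not merely for where it is loaded from, which is the point the researchers make about clusters of copied, vulnerable code.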

Nevertheless, in a post on the Google Security blog published in response, Chrome Security Team members Benjamin Ackerman, Anunoy Ghosh and David Warren defended the company's review process and its technology.

"Before an extension is even accessible to install from the Chrome Web Store, we have two levels of verification to ensure an extension is safe," they wrote. 

These are, first, an automated review that looks for potentially suspicious code in the extension, followed by a review by a team member, which also covers the images, descriptions and public policies of each extension.

"Depending on the results of both the automated and manual review, we may perform an even deeper and more thorough review of the code. 

"This review process weeds out the overwhelming majority of bad extensions before they even get published. In 2024, less than one percent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions." 

They added that updates are also monitored, though apparently in a much less thorough manner, by "periodically reviewing what extensions are actually doing and comparing that to the stated objectives defined by each extension in the Chrome Web Store."

This article originally appeared on our sister site, Computing
