This week, Google stated that its research on Chrome extensions has detected the most malicious code but also acknowledged the risks associated with these add-ons. A study by Stanford University and the CISPA Helmholtz Center for Information Security in Germany found that the risk from browser extensions is higher than Google indicates. Their research paper titled “What’s in the Chrome Web Store? Research into security-worthy browser extensions” will be presented at the ACM Asia Conference on Computer and Communications Security in July.
Google’s Chrome security team mentioned that less than one percent of Chrome Web Store installs contained malware in 2024, despite ongoing efforts to monitor extensions. However, the researchers found that Security Noteworthy Extensions (SNEs) remain a significant problem, with 346 million users installing them over the past three years.
SNEs include extensions that contain malware, violate policies, or have vulnerable code, posing a serious threat to user security. The study analyzed Chrome extensions from July 5, 2020 to February 14, 2023, indicating that many extensions do not last long. Malicious extensions can persist in the store for years, endangering user privacy and security.
The researchers also raised concerns about the effectiveness of the store rating system in identifying harmful extensions, noting that user reviews may not accurately reflect the dangers posed by certain extensions. They suggested that Google should monitor extensions for code similarities and implement better oversight to improve security.
The lack of maintenance in Chrome Web Store extensions was highlighted as a key issue, with many extensions remaining vulnerable even after flaws are disclosed. Over 40,000 extensions were found to use JavaScript libraries with known vulnerabilities, affecting millions of users. The study emphasized the need for better incentives to support developers in fixing vulnerabilities and updating extensions.
Creators of ad blockers and browser privacy extensions expressed concerns about the future, as Manifest v2 extensions are set to stop working in Chrome. Google has launched new tools to inform users about potentially risky extensions and plans to invest more in this area to enhance security.
Article Source
https://www.theregister.com/AMP/2024/06/23/google_chrome_web_store_vetting/
