Regarding Google Chrome browser extensions’ safety, two recent papers present very different perspectives. A three-year period has seen 280 million people install malicious extensions, according to university researchers, despite Google’s claim that less than 1% of all installs contain malware. I am not particularly confident in either number.
On the Chrome web store, Google claims that there are over 250,000 extensions available. Furthermore, Google claims that ‘less than 1% of all installs from the Chrome Web Store were found to include malware,’ so I guess I shouldn’t be as comforted by that.
Read Also: Chrome FLEDGE update brings PPC and SEO hope
The alarming frequency of security-related Chrome browser extensions is brought to light in a recent report by academics from Stanford University and the CISPA Helmholtz Center for Information Security. Approximately 346 people were found to have During July 2020 and February 2023, millions of users installed these kinds of extensions.
The researchers calculate that there were still 280 million installs of Chrome extensions containing malware, even after removing 63 million policy violations and three million with susceptible code.
The Researchers’ Take on Security-Relevant Chrome Browser Extensions
On June 18, the concerned researchers, Sheryl Hsu, Manda Tran, and Aurore Fass, released their work. Not to mention, extensions with malware in the SNE definition, as well as code vulnerabilities and Google’s web store policy breaches, are all covered in this research study. But the malware aspect of things interests me the most.
In particular, because extensions frequently call for extensive permissions that may compromise user security and privacy, it is essential The permissions of a malicious extension determine its attack surface.
‘We gathered permissions by interpreting each extension’s manifest.json file,’ the study states. Permissions in the manifest V3 were split into ‘host permissions (URLs or URL patterns that an extension wishes to make requests to) and permissions (APIs like storage or cookies),’ with the two combined in the previous manifest V2.
The researchers discovered, predictably enough, that malicious extensions typically request greater rights than trusted ones. Finally, the study found that the attack surface increased with the number of permissions an extension had.
The study also discovered that, on average, malware-containing extensions were accessible from the Chrome online store for 380 days. This finding was concerning. The analysis stated that one was accessible from December 2013 to June 2022. upon removal upon discovery that it contained malware.
Google’s Statement Regarding Security Using Chrome Extensions
Benjamin Ackerman, Anunoy Ghosh, and David Warren from the Chrome security team acknowledge that ‘as with any software, extensions can also introduce risk’ in a post published on the Google Security Blog on June 20, just 48 hours after the researchers revealed their findings.
Yet, it also outlines the steps taken by a committed security team to ensure Chrome users’ safety concerning extensions. According to Google, this team monitors installed extensions after they have been added to the Chrome web store, reviews all extensions before their publication, and gives users a tailored summary of what they have installed.
An illustration of this in operation is the safety inspection panel located at the top of the extension page, which notifies users of any installed extensions that could be dangerous. Google claimed that ‘you probably don’t have any extensions you need to worry about if you don’t see a warning panel,’ but the Stanford study casts doubt on that claim.
Having said that, every extension that wants to be included in the online store is first screened by Google’s automatic machine-learning algorithm and after that,
Each extension’s pictures, descriptions, and public policies are reviewed by a person.
Less than 1% of all installs from the Chrome Web Store in 2024 were found to contain malware, according to Google, which claimed that their review process pulls out the vast majority of malicious extensions before they even get released. Despite our pride in this achievement, some We further watch published extensions because malicious extensions can still be downloaded.
How to Make Sure Your Google Chrome Extensions Are Secure: Four Tips
To reduce the possibility of harmful extensions, Google advises Chrome users to take the following four steps:
Before installing any new extensions, make sure you review them and study the developer and the extension.
1. When you’re done using an extension, uninstall it.
2. The websites that an extension is permitted to work on should be limited.
3. Enable Chrome’s Safe Browsing feature’s Enhanced Protection mode.
4. This mode offers safeguards against malware and phishing, along with features designed to protect you from potentially dangerous extensions.
