Google this week offered reassurance that its vetting of Chrome extensions catches most malicious code, even as it acknowledged that "as with any software, extensions can also introduce risk."

Coincidentally, a trio of researchers affiliated with Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany just published a paper about recent Chrome Web Store data that suggest the risk posed by browser extensions is far greater than Google admits to.

The paper, "What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions," is scheduled to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July.

On Thursday, over at Google, Benjamin Ackerman, Anunoy Ghosh, and David Warren on the Chrome Security Team claimed, "In 2024, less than one percent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions."

Well, "some bad extensions" turns out to be rather a lot, as defined and measured by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their research paper, Security-Noteworthy Extensions (SNE) still represent a serious problem.

An SNE is defined as an extension that contains malware, violates Chrome Web Store policy, or contains vulnerable code. It's thus a more expansive category than simply a set of malicious extensions.

Browser extensions have long been a matter of concern because they have access to sensitive information. They may be able to see the data going into or out of your web browser, depending upon the permissions granted. They've been used by miscreants to spread malware, to track and spy on users, and to steal data. But since most extensions are free, there's never been much of a revenue stream that browser store operators can use to fund security.

But extension security can't be ignored. One of the reasons Google undertook its effort to redefine its browser extension architecture several years ago - an initiative known as Manifest v3 - was to limit the abusive potential of extensions.

Nonetheless the Chrome Web Store, despite Google's efforts, has been well-stocked with risky extensions, according to the researchers.

These SNE are a significant problem: over 346 million users installed a SNE in the last three years

"We find that these SNE are a significant problem: over 346 million users installed a SNE in the last three years (280 million malware, 63 million policy violation, and three million vulnerable)," the authors claim. "In addition, these extensions are staying in the [Chrome Web Store] for years, making thorough vetting of extensions and notification of impacted users all the more critical."

The authors collected and analyzed data from Chrome extensions available between July 5, 2020 and February 14, 2023, at which time there were almost 125,000 extensions available in the Chrome Web Store. So these findings do not necessarily reflect the current state of the Chrome Web Store.

The researchers found Chrome extensions often don't stick around very long: "only 51.86-62.98 percent of extensions are still available after one year," the paper says.

But malicious extensions can also be durable. SNEs remain in the Chrome Web Store for an average of 380 days, if they contain malware, and 1,248 days if they simply contain vulnerable code, according to the paper. The longest surviving malicious extension was available in the store for 8.5 years.

"This extension, 'TeleApp,' was last updated on December 13, 2013 and was found to contain malware on June 14, 2022," the paper claimed. "This is extremely problematic, as such extensions put the security and privacy of their users at risk for years."

The boffins also point out that the store rating system doesn't appear to be effective at separating good extensions from bad ones. That's because the user ratings for malicious SNEs are not significantly different from benign extensions.

"Overall, users do not give SNE lower ratings, suggesting that users may not be aware that such extensions are dangerous," the authors state. "Of course, it is also possible that bots are giving fake reviews and high ratings to those extensions. However, considering that half of SNE have no reviews, it seems that the use of fake reviews is not widespread in this case."

In any event, they say, the uselessness of user reviews as a quality guide underscores the need for more oversight from Google.

One of the suggestions the authors have is for Google to monitor extensions for code similarity. They found thousands of extensions that share similar code, which they point out is generally a bad practice. Copying and pasting from Stack Overflow, taking advice from AI assistants, or simply implementing outdated boilerplate or libraries can spread vulnerable code.

"For instance, roughly 1,000 extensions use the open-source Extensionizr project, 65-80 percent of which still use the default and vulnerable library versions initially packaged with the tool, six years ago," the authors observe.

They also call out the "critical lack of maintenance" of Chrome Web Store extensions - almost 60 percent of extensions have never been updated, meaning they miss out on security improvements such as those built into the Manifest v3 platform revision.

While detecting vulnerable extensions is critical, we also need better incentives to encourage and support developers to fix vulnerabilities

The lack of maintenance means extensions may remain in the store for years after vulnerabilities get disclosed. "At least 78/184 extensions (42 percent) are still in the CWS and still vulnerable two years after disclosure," the researchers state. "This shows that, while detecting vulnerable extensions is critical, we also need better incentives to encourage and support developers to fix vulnerabilities after disclosure."

And many extensions incorporate vulnerable JavaScript libraries. The team found that a third of extensions (~40,000) use a JavaScript library with a known vulnerability. "We detect over 80,000 uses of vulnerable libraries, impacting almost 500 million extension users," they claim.

Sheryl Hsu, a Stanford undergraduate researcher and co-author of the paper, told The Register in an email that she believes extension security has been improving. "I think we are more aware of the risks now (especially thanks to many researchers that have discovered vulnerabilities) compared to say 10 years ago when extensions were just starting out," she said.

Hsu said she believes that flagging extensions that have been updated or contain vulnerable libraries would be worthwhile.

"But it is also important to exercise some caution since things that aren’t updated might not be vulnerable (for example a super simple app that doesn’t really ever need to be updated) and just because an extension uses some vulnerable library does not mean the vulnerability can be exploited," she said. "It really depends on what parts of the library an extension is using.

"I think a difficult part of cybersecurity is always figuring out how to give the user the correct information to make informed choices but also realize that a lot of users don’t have the technical knowledge or time to dig deeply into things like this."

Hsu added, "I think deactivating Manifest v2 should definitely help with these problems, hope that they do it soon."

Chrome Manifest v2 extensions are due to stop working in the general release version of Chrome (Stable channel) at the beginning of 2025, barring further delays.

A Google spokesperson told The Register on Friday:

"We've also recently launched new tools that bring even greater user awareness to potentially risky extensions, and will continue to invest in this area," the rep added. ®

https://www.theregister.com//2024/06/23/google_chrome_web_store_vetting/