How secure are Google Chrome extensions?
Two new reports reveal starkly different views on the security of Chrome extensions. Google reports that less than 1% of all installations contain malware, while university researchers claim that 280 million users installed malware extensions over three years. Neither number fills me with much confidence.
According to Google, there are more than 250,000 extensions available in the Chrome Web Store. Google also says that “less than 1% of all installations from the Chrome Web Store have been found to contain malware”, so why isn’t that as reassuring as I could be?
A recent paper by researchers at Stanford University and CISPA’s Helmholtz Center for Information Security highlights the alarming prevalence of Chrome extensions that are notable for security. According to the study, between July 2020 and February 2023, more than 346 million users installed this kind of extension. Even after subtracting 63 million policy violations and three million code vulnerabilities, researchers estimate that there are still 280 million Chrome extension installations containing malware. .
What researchers say about Chrome browser security extensions
The researchers in question, Sheryl Hsu, Manda Tran and Aurore Fass, published their paper on June 18. It is important to note that the research study covers violations of Google’s e-commerce policy and vulnerable code along with extensions containing malware in the definition of SNE. . However, I am most interested in the malware side of things. Not least because extensions often require advanced permissions that can affect user privacy and security, and it is these required permissions that determine the attack surface for any malicious extension.
“We collected the permissions by parsing each extension’s manifest.json file,” the study says, with the V3 manifest permissions divided into “permissions (APIs such as storage or cookies) and host permissions (URLs or URL patterns that it wants to extension send requests. ) with both combinations in the earlier V2 manifest.
Unsurprisingly, the researchers found that questionable extensions tend to request more permissions than benign ones. “Ultimately, the more permissions an extension has, the larger the attack surface,” the study concluded.
Also alarmingly, the study found that extensions containing malware were available in the Chrome Web Store for an average of 380 days. One, the study said, remained available from December 2013 until June 2022, when it was found to contain malware and was removed.
What Google Says About Keeping Your Chrome Extensions Safe
A June 20 Google Security Blog post, just 48 hours after the researchers published their study, by Benjamin Ackerman, Anunoy Ghosh and David Warren of the Chrome security team, admits that “like any software, extensions can pose risks” . However, it also sets out how a dedicated security team is dedicated to keeping Chrome users safe around extensions. Google said this team provides users with a personalized overview of installed extensions, reviews all extensions before they are published on the Chrome Web Store, and tracks them afterwards.
One example of this in action is the security check panel at the top of the extensions page, which alerts the user to any installed extensions that may pose a risk. Google said that “if you don’t see a warning bar, you probably don’t have any extensions to worry about,” though the Stanford study rather leaves that statement up for debate.
However, Google’s automated process using machine learning systems reviews all extensions to be published on the web store, and then a human review looks at each extension’s images, descriptions, and public policies. “This review process removes the vast majority of bad extensions before they are published,” said Google, “in 2024, less than 1% of all Chrome Web Store installs were found to contain malware. We’re proud of this record, yet some bad extensions still make it, so we also monitor published extensions.”
Four recommendations to help you keep your Chrome extensions secure
Google recommends that Chrome users do four things to help minimize the risk of malicious extensions:
- Check for new extensions before installing them – read the extension information and developer before installation.
- Uninstall extensions you no longer use.
- Limit the sites the extension is allowed to work on.
- Enable Chrome’s Safe Browsing Enhanced Protection Mode – this mode provides you with protection against phishing and malware, as well as features aimed at protecting against potentially harmful extensions.