Sunday, December 22, 2024

280 Million Google Chrome Users Installed Dangerous Extensions, Study Says


Two new reports reveal distinctly different opinions about the safety of Chrome browser extensions. Google says that less than 1% of all installs include malware, while university researchers say 280 million users have installed extensions with malware over a three-year period. Neither number fills me with much confidence.

According to Google, more than 250,000 extensions are available on the Chrome web store. Google also says that “less than 1% of all installs from the Chrome Web Store were found to include malware,” so why don’t I find this as reassuring as I might?

A recent paper by researchers from Stanford University and the CISPA Helmholtz Center for Information Security highlights the concerning prevalence of security-noteworthy browser extensions for Chrome. According to the study, over 346 million users installed this kind of extension between July 2020 and February 2023. Even after subtracting 63 million policy violations and three million with vulnerable code, the researchers estimate that there were still 280 million installs of Chrome extensions containing malware.


What The Researchers Say About Security-Noteworthy Browser Extensions For Chrome

The researchers in question, Sheryl Hsu, Manda Tran, and Aurore Fass, published their paper on June 18. It’s important to note that the study’s definition of security-noteworthy extensions (SNE) covers violations of Google’s web store policy and vulnerable code, along with extensions containing malware. However, I’m most interested in the malware side of things, not least because extensions often require advanced permissions that can impact user privacy and security, and it is these requested permissions that determine the attack surface for any malicious extension.

“We collected permissions by parsing each extension’s manifest.json file,” the study reports. Manifest V3 divides what an extension requests into “permissions (APIs such as storage or cookies) and host permissions (URLs or URL patterns that an extension wants to make requests to),” whereas the earlier Manifest V2 combined both in a single list.

Unsurprisingly, the researchers found that dodgy extensions tend to ask for more permissions than benign ones. “Ultimately, the more permissions an extension has, the larger the attack surface is,” the study concluded.
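The sketch below is an added example, not code from the study or from Google. It shows one way to read an extension's manifest.json, separate API permissions from host patterns under both Manifest V2 and V3, and flag all-site access; the helper names and the two sample manifests are constructed for illustration.

```python
import json

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def is_host_pattern(entry):
    """Manifest V2 mixes API names and URL patterns in one list; tell them apart."""
    return entry == "<all_urls>" or "://" in entry

def split_permissions(manifest):
    """Return (api_permissions, host_patterns) for a Manifest V2 or V3 dict."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    # Defensive: skip any non-string entries rather than guessing their meaning.
    declared = [p for p in declared if isinstance(p, str)]
    hosts = [p for p in declared if is_host_pattern(p)]
    apis = [p for p in declared if not is_host_pattern(p)]
    if manifest.get("manifest_version", 2) >= 3:
        # Manifest V3 moves host access into its own keys.
        hosts += manifest.get("host_permissions", [])
        hosts += manifest.get("optional_host_permissions", [])
    return sorted(set(apis)), sorted(set(hosts))

def summarize(manifest_text):
    """Parse manifest.json text and report the permission footprint."""
    apis, hosts = split_permissions(json.loads(manifest_text))
    return {"apis": apis, "hosts": hosts,
            "all_sites": any(h in BROAD_HOSTS for h in hosts),
            "count": len(apis) + len(hosts)}

# Constructed sample manifests (not taken from any real extension).
MV2_SAMPLE = '''{"manifest_version": 2, "name": "sample-v2", "version": "1.0",
  "permissions": ["storage", "cookies", "<all_urls>"]}'''
MV3_SAMPLE = '''{"manifest_version": 3, "name": "sample-v3", "version": "1.0",
  "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}'''

if __name__ == "__main__":
    for text in (MV2_SAMPLE, MV3_SAMPLE):
        print(summarize(text))
```

The `count` field is only a rough proxy for the attack surface the study describes; an extension with a single all-site host pattern can reach more than one with several narrowly scoped ones.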

Also worrying was that the study found extensions containing malware were available from the Chrome web store for an average of 380 days. One, the study said, remained available from December 2013 until June 2022, when it was found to contain malware and removed.


What Google Says About Staying Safe With Chrome Extensions

A June 20 posting to the Google Security Blog, just 48 hours after the researchers published their study, by Benjamin Ackerman, Anunoy Ghosh and David Warren from the Chrome security team, admits that “as with any software, extensions can also introduce risk.” However, it also sets out how a dedicated security team works to keep Chrome users safe regarding extensions. Google said this team provides users with a personalized summary of installed extensions, reviews all extensions before they can be published on the Chrome web store and monitors them afterward.

One example of this in action is a safety check panel at the top of the extensions page that alerts users to any installed extensions that might present a risk. Google said that “if you don’t see a warning panel, you probably don’t have any extensions you need to worry about,” although the Stanford study rather opens that statement up to debate.

That said, Google’s automated process using machine-learning systems examines all extensions looking to be published on the web store, and then a human review looks at the images, descriptions, and public policies of each extension. “This review process weeds out the overwhelming majority of bad extensions before they even get published,” Google said. “In 2024, less than 1% of all installs from the Chrome Web Store were found to include malware. We’re proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions.”

Four Recommendations To Help Ensure Your Chrome Extensions Are Safe

Google recommends that Chrome users do four things to help minimize the risk of malicious extensions:

  1. Review new extensions before installing them – read the information about the extension and the developer before installing.
  2. Uninstall extensions that you no longer use.
  3. Limit the sites an extension has permission to work on.
  4. Enable the Enhanced Protection mode of Chrome’s Safe Browsing capability – this mode provides you with protections against phishing and malware, as well as features targeted to keep you safe against potentially harmful extensions.
