Two new reports reveal starkly different opinions about the security of Chrome browser extensions. Google says less than 1% of all installations involve malware, while university researchers say 280 million users installed malware-laden extensions over a three-year period. Neither number fills me with much confidence.
According to Google, more than 250,000 extensions are available in the Chrome Web Store. Google also says that “less than 1% of all installs from the Chrome Web Store were found to include malware,” so why don’t I find that as reassuring as I could?
A recent study by researchers from Stanford University and the CISPA Helmholtz Center for Information Security highlights the disturbing prevalence of security-critical browser extensions for Chrome. According to the study, over 346 million users installed these types of extensions between July 2020 and February 2023. Even after subtracting 63 million policy violations and three million vulnerable code, the researchers estimate there were still 280 million installations of Chrome extensions containing malware . .
What researchers say about security-important browser extensions for Chrome
The researchers in question, Sheryl Hsu, Manda Tran and Aurore Fass, published their paper on June 18. It is important to note that the research study covers violations of Google’s online store policy and vulnerable code, along with malware-containing extensions to the SNE definition. However, I’m more interested in the malware side of things. No less than add-ons often require advanced permissions that can affect user privacy and security, and it is these required permissions that define the attack surface for any malicious add-on.
“We collected permissions by parsing each extension’s manifest.json file,” the study reports, with the V3 manifest permissions divided into “permissions (APIs such as storage or cookies) and host permissions (URLs or URL patterns that an extension wants to make requests )” with both combined in the previous V2 manifest.
Surprisingly, researchers found that suspicious extensions tend to require more permissions than benign ones. “After all, the more permissions an extension has, the larger the attack surface,” the study concluded.
Also of concern was that the study found that extensions containing malware were available from the Chrome Web Store for an average of 380 days. One, the study said, remained available from December 2013 until June 2022, when it was found to contain malware and was removed.
What Google says about staying safe with Chrome extensions
A June 20 post on the Google Security Blog, just 48 hours after the researchers published their study, by Benjamin Ackerman, Anunoy Ghosh and David Warren of the Chrome security team, acknowledges that “as with any software, extensions can also bring danger”. However, it also outlines how a dedicated security team is committed to keeping Chrome users safe about extensions. Google said this team provides users with a personalized overview of installed extensions, reviews all extensions before they are published on the Chrome Web Store, and monitors them afterwards.
An example of this in action is a security control panel at the top of the add-ons page that warns users about any installed add-ons that may pose a risk. Google said that “if you don’t see a warning panel, you probably don’t have an add-on to worry about,” though the Stanford study rather leaves that statement up for debate.
That said, Google’s automated process using machine learning systems examines all extensions that request to be published on the web store, and then a human reviewer looks at each extension’s images, descriptions and public policies. “This review process eliminates the vast majority of bad extensions before they’re released,” Google said, “in 2024, less than 1% of all installs from the Chrome Web Store were found to include malware. We’re proud for this record and yet some bad add-ons still get through, which is why we also monitor published add-ons.”
Four recommendations to help you make sure your Chrome extensions are safe
Google recommends that Chrome users do four things to help minimize the risk of malicious extensions:
- Review new add-ons before installing them – read the information about the add-on AND developer before installation.
- Uninstall add-ons you no longer use.
- Limit the pages where an extension is allowed to work.
- Enable Chrome’s Safe Browsing enhanced protection mode – this mode offers you protection against phishing and malware, as well as targeted features to keep you safe from potentially harmful extensions.