Two new reports offer sharply different views on the safety of Chrome browser extensions. Google claims that less than 1% of all installs include malware, while university researchers suggest that 280 million users have installed malware-infested extensions over the past three years.
Google’s Perspective
According to Google, there are over 250,000 extensions available on the Chrome Web Store. In a blog post, Google asserted that “less than 1% of all installs from the Chrome Web Store were found to include malware.” Despite these assurances, many users remain skeptical about the overall safety of these extensions.
University Researchers’ Findings
A recent study by researchers from Stanford University and the CISPA Helmholtz Center for Information Security paints a more concerning picture. The study, published on June 18, reveals that between July 2020 and February 2023, over 346 million users installed extensions deemed security-noteworthy. After accounting for policy violations and vulnerable code, the researchers estimate that 280 million installs involved extensions containing malware.
The researchers, Sheryl Hsu, Manda Tran, and Aurore Fass, analyzed extension permissions by examining each extension’s manifest.json file. They found malicious extensions often request more permissions than benign ones, increasing the potential attack surface. Alarmingly, some malware-containing extensions remained available on the Chrome Web Store for extended periods, with one staying online from December 2013 until June 2022.
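A sketch of the kind of manifest.json permission review described above, as an added example that is not the researchers' tooling or code from the original article. The shortlist of sensitive API permissions, the set of broad host patterns, and both sample manifests are assumptions constructed for illustration.

```python
import json

# Assumption: this shortlist of sensitive API permissions is chosen for the
# example; it is not the researchers' or Google's classification.
SENSITIVE_APIS = {"cookies", "debugger", "history", "management",
                  "nativeMessaging", "proxy", "scripting", "tabs",
                  "webRequest", "webRequestBlocking"}
# Match patterns that cover every site (or every local file).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}


def is_host_pattern(entry):
    """Manifest V2 mixes host match patterns into the 'permissions' list."""
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest):
    """Summarise what an extension manifest (V2 or V3) asks for."""
    apis, hosts = set(), set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue  # skip non-string entries
            (hosts if is_host_pattern(entry) else apis).add(entry)
    # Content scripts get page access through their own match patterns.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "api_permissions": sorted(apis),
        "sensitive_apis": sorted(apis & SENSITIVE_APIS),
        "host_patterns": sorted(hosts),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
    }


# Constructed sample manifests (not taken from any real extension).
SAMPLE_V3 = json.loads("""{
  "manifest_version": 3, "name": "Sample Notes",
  "permissions": ["storage", "cookies", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}]
}""")
SAMPLE_V2 = json.loads("""{
  "manifest_version": 2, "name": "Sample Clock",
  "permissions": ["alarms", "https://example.org/*"]
}""")

if __name__ == "__main__":
    for m in (SAMPLE_V3, SAMPLE_V2):
        print(json.dumps(audit_manifest(m), indent=2))
```

To review an installed extension, load its manifest.json with `json.load` and pass the resulting dict to `audit_manifest`.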
Google’s Safety Measures
In response to the study, a June 20 post on the Google Security Blog by members of the Chrome security team acknowledged that extensions could introduce risks. However, Google emphasized its efforts to protect users, including reviewing all extensions before publication, monitoring them post-publication, and providing personalized summaries of installed extensions.
Google also introduced a safety check panel on the extensions page, alerting users to potentially risky extensions. The company claimed that its review process, which includes automated machine-learning systems and human reviews, effectively filters out most malicious extensions.
Recommendations for Users
To minimize the risk of installing malicious extensions, Google offers four key recommendations:
- Review new extensions thoroughly before installing.
- Uninstall extensions that are no longer in use.
- Limit the sites that an extension can access.
- Enable the Enhanced Protection mode in Chrome’s Safe Browsing feature.
These steps aim to enhance user security and ensure a safer browsing experience with Chrome extensions. However, the contrasting reports from Google and the researchers suggest that users should remain vigilant and proactive in managing their browser extensions.