Risk of installing dodgy extensions from Chrome store way worse than Google's letting on, study suggests
Coincidentally, a trio of researchers affiliated with Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany just published a paper about recent Chrome Web Store data that suggest the risk posed by browser extensions is far greater than Google admits to.
On Thursday, over at Google, Benjamin Ackerman, Anunoy Ghosh, and David Warren on the Chrome Security Team claimed, "In 2024, less than one percent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions."
An SNE (Security-Noteworthy Extension) is defined as an extension that contains malware, violates Chrome Web Store policy, or contains vulnerable code.
The authors collected and analyzed data from Chrome extensions available between July 5, 2020 and February 14, 2023, at which time there were almost 125,000 extensions available in the Chrome Web Store.
They also call out the "Critical lack of maintenance" of Chrome Web Store extensions - almost 60 percent of extensions have never been updated, meaning they miss out on security improvements such as those built into the Manifest v3 platform revision.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/06/23/google_chrome_web_store_vetting/
Related news
- Google to let businesses create curated Chrome Web Stores for extensions
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day
- How to enable Safe Browsing in Google Chrome on Android
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices
- New tool bypasses Google Chrome’s new cookie encryption system
- Google says “Enhanced protection” feature in Chrome now uses AI