
Malicious extensions from Chrome store way worse than Google's letting on



#1 JohnC_21


Posted 23 June 2024 - 08:42 AM

Google this week offered reassurance that its vetting of Chrome extensions catches most malicious code, even as it acknowledged that "as with any software, extensions can also introduce risk."

Coincidentally, a trio of researchers affiliated with Stanford University in the US and the CISPA Helmholtz Center for Information Security in Germany just published a paper about recent Chrome Web Store data that suggest the risk posed by browser extensions is far greater than Google admits to.

On Thursday, over at Google, Benjamin Ackerman, Anunoy Ghosh, and David Warren on the Chrome Security Team claimed, "In 2024, less than one percent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions."

Well, "some bad extensions" turns out to be rather a lot, as defined and measured by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their research paper, Security-Noteworthy Extensions (SNE) still represent a serious problem.

The authors collected and analyzed data from Chrome extensions available between July 5, 2020 and February 14, 2023, at which time there were almost 125,000 extensions available in the Chrome Web Store. So these findings do not necessarily reflect the current state of the Chrome Web Store.

The researchers found Chrome extensions often don't stick around very long: "only 51.86–62.98 percent of extensions are still available after one year," the paper says.

But malicious extensions can also be durable. SNEs remain in the Chrome Web Store for an average of 380 days, if they contain malware, and 1,248 days if they simply contain vulnerable code, according to the paper. The longest surviving malicious extension was available in the store for 8.5 years.

"This extension, 'TeleApp,' was last updated on December 13, 2013 and was found to contain malware on June 14, 2022," the paper claimed. "This is extremely problematic, as such extensions put the security and privacy of their users at risk for years."

In any event, they say, the uselessness of user reviews as a quality guide underscores the need for more oversight from Google.

 

https://www.theregister.com/2024/06/23/google_chrome_web_store_vetting/





#2 The-Toolman


Posted 23 June 2024 - 10:28 PM

Guess it's best to not use extensions or limit extensions to a bare minimum.

I only use two extensions: uBlock Origin and Privacy Badger.

Seems everything online regardless has a risk nowadays.

I've never been a fan of Google Chrome anyway.

Good article, thanks for sharing.


Last year we said, "Things can't go on like this", and they didn't, they got worse.

[Will Rogers]

 

There are two theories to arguing with a woman. Neither works.

[Will Rogers]

 

 


#3 cryptodan


Posted 24 June 2024 - 05:00 AM

So did they just go after extensions with poor or limited downloads?

I've never heard of TeleApp until today.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra




