350 million people downloaded insecure browser extensions over two years

From extensions containing malware that hundreds of millions of users have installed to other vulnerable extensions, the Chrome Web Store is full of issues.

Browser extensions are a key part of how we navigate the web. They’re designed to support our browsing, adding functionality and capabilities that browsers like Google Chrome don’t provide out of the box.

But the more that a browser can be customized, the more opportunities there are for issues to arise – and vulnerabilities to be exploited.

That’s a real concern – and a valid one, according to new analysis by researchers at Stanford University who have harnessed historical data from analysts ChromeStats.

Google Chrome dominates the desktop browser market with a 66% market share, and the Chrome Web Store is where those users download their browser extensions.

In all, the Chrome Web Store hosts nearly 125,000 extensions catering to over 1.6 billion users worldwide.

Yet analysis shows that a worrying number of those extensions either harbor malware or are so outdated when it comes to security that they can pose risks for users who have installed them.

A large-scale problem

The researchers highlighted what they deemed “Security Noteworthy Extensions,” which are those that contain malware, violate Chrome Web Store policies, or are vulnerable to exploitation by bad actors.

In all, the academics identified more than 26,000 extensions they believed had issues, with around 15,400 of them violating privacy rules. A further 10,400 or so contained malware that could harm users.

While users might hope that action would be taken to quickly identify those vulnerable or malware-containing extensions and remove them from the store, the reality was somewhat different.

The researchers discovered that the average malware-harboring extension remained in the store for 380 days, while vulnerable extensions existed for far longer – 1,248 days on average.

“This is extremely problematic, as such extensions put the security and privacy of their users at risk for years,” the academics wrote.

Given the time that those issue-causing extensions have existed on the Chrome Web Store, the main outlet for people to download extensions to the world’s most popular web browser, it’s perhaps unsurprising that a large number of users have been affected.

More than 346 million people worldwide have installed at least one of the extensions with issues in the last three years, according to the researchers, with 280 million users using extensions containing malware.

Tackling the issue

“We assume that those users are unaware of using SNE [Security Noteworthy Extensions],” the researchers write.

“Given both the extremely large number of impacted users and the fact that [they] stay in the CWS [Chrome Web Store] for years, [they] are a major problem and need to be removed as quickly as possible from the CWS.”

The researchers worry that although Google is scanning extensions as they enter the Chrome Web Store, it appears that they are not proactively checking for vulnerable extensions that already exist in the store and have managed to slip through the net.

The researchers believe that future work to tackle this would be beneficial for the safety of all users. This may help avoid some of the major concerns that the researchers have raised, including the fact that many longstanding extensions harbor malware.

“We found one malware-containing extension that stayed in the CWS for 3,105 days (8.5 years!),” the researchers wrote.

The extension, called “TeleApp,” was last updated on December 13th, 2013, and was found to contain malware on June 14th, 2022.

Another extension – “No More Holidays” – was also a longstanding concern. It was last updated on May 17th, 2012, and was found to have a policy violation only on March 9th, 2023, after almost 11 years of being available.

The preponderance of these vulnerable extensions means that users need to be more cautious than ever about what they install on their devices and through their browsers. Users should also carefully check whether they need an extension or not before adding it to Chrome.