
Felix Koltermann

Security vulnerabilities of browser extensions in the Chrome Web Store

Millions of users rely on browser extensions every day, for example to block advertisements on websites. But is it actually safe to use extensions from third-party providers? CISPA Faculty Dr. Aurore Fass and her students Sheryl Hsu and Manda Tran have examined this question based on extensions for Google’s web browser Chrome, thus providing the first large study on the Chrome Web Store. Their paper “What is in the Chrome Web Store?” was accepted at the ACM ASIA Conference on Computer and Communications Security.

To access the Internet, users require a web browser such as Chrome, Safari, Mozilla Firefox or Microsoft Edge. If the default features of the browser do not suffice, third-party extensions can be used. “Browser extensions are very useful for extending browser functionality. If you add extensions such as an ad blocker, for example, you can block or restrict advertising on websites”, CISPA Faculty Dr. Aurore Fass explains. Users can download the extensions via the browser and install them with just a few clicks. Since all common web browsers offer extensions, Fass decided to examine the Chrome Web Store. “We use Chrome because it is the most popular browser”, she explains. “And Chrome has a WebExtensions API that works across all browsers. From a developer’s perspective, the extensions for Chrome and Firefox are very similar.” Another important factor was that a tool named “Chrome-Stats” facilitates data access for Chrome. “Chrome-Stats collects longitudinal data for extensions in the Chrome Web Store. This was very important because as soon as an extension is removed from the store, we no longer have access to the metadata or the source code of these extensions”, Fass continues.

Security-noteworthy extensions

For her investigations, Fass distinguishes between benign and security-noteworthy extensions (SNEs), classifying the latter into three categories. “First, there are extensions that contain malware”, Fass explains. “Those extensions are malicious in the sense that they were specifically developed by people who want to harm users. The second category groups extensions that violate Google’s data protection policy. And the third category consists of vulnerable extensions.” The latter were developed with good intentions, but they contain errors that can result in security vulnerabilities. The danger of SNEs is that they can be used by attackers to send malware, track users, spy on them or steal data. Fass and her colleagues analyzed extensions that were available in the Chrome Web Store between July 2020 and February 2023.

Life span and security risks of extensions

Fass' first important finding was that extensions have very short life cycles. “60 percent remain in the Chrome Web Store for less than a year”, she explains. “This is crazy! It means that you need regular analyses to know what is available in the Store.” The second finding relates to the presence of security-noteworthy extensions. “We have analyzed many security-noteworthy extensions in the Chrome Web Store that affect hundreds of millions of users”, Fass continues. “Some of them remain in the Store for ten years, thus compromising the security and privacy of users for a very long time.” The third finding refers to the similarities between extensions. “Using clustering processes, we were able to identify extensions with a similar code base”, Fass explains. “This helps us detect security-noteworthy extensions. Because if an extension resembles another, security-noteworthy extension, we can strongly assume that it is also security-noteworthy. This can help to identify previously unknown security-noteworthy extensions.” The last finding is related to the lack of maintenance of the Chrome Web Store. “60 percent of the extensions have not been updated since their publication in the store. This means that they do not profit from Chrome’s new APIs or features that improve security and privacy, like the new Manifest V3”, Fass says.

Insights about the source code of extensions

In a further step, Fass examined the source code of the extensions available in the Chrome Web Store more closely. This was motivated by the assumption that searching for similar source code can help to discover SNEs more easily and quickly. In fact, Fass discovered thousands of clusters with similar source code. “30 percent of browser extensions use a vulnerable library in their source code”, Fass explains. “Although we did not examine whether this can actually be exploited, we still think it is bad practice to use these vulnerable libraries. Because they are asking for something bad to happen.” There are reasons for the use of similar source code: It is common practice among developers to reuse existing code from freely accessible online libraries. “The problem is that the third-party code they use is not maintained. This results in them using outdated, unmaintained code that could contain security vulnerabilities”, Fass says. In particular, developers often use code from a tool called Extensionizr.

What can users, developers and Google actually do?

When asked what developers could do to make their extensions more secure, Fass replies: “Developers with good intentions should become aware of what can go wrong with extensions. It would be good if they kept threat scenarios in mind and thought about possible gateways for attackers.” Regular updates are also an important factor. For users of extensions, things are more complicated. “There are few means for them to find out whether an extension is dangerous or not”, Fass explains. “In theory, you can check the extensions’ permissions, but most have never dealt with this and do not understand the details.” This makes monitoring by Google even more important. “Google has a monitoring system that checks extensions before they are published in the Chrome Web Store”, Fass continues. Fass even has an idea on how to improve the monitoring system: “In a previous paper, I have shown how vulnerable extensions could be detected automatically. This could be included in Google’s pipeline.”
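
One way to carry out the permission check Fass mentions, as an added example (not code from the paper, from CISPA or from Google): the script reads an extension's manifest.json and reports whether it still uses a pre-V3 manifest, which powerful APIs it requests, and whether it asks for access to every website. The list of APIs treated as sensitive and the two sample manifests are assumptions constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest for broad access.
// The "sensitive" list is this example's own selection, not Google's or the paper's.
const SENSITIVE_APIS = new Set([
  "cookies", "history", "webRequest", "debugger", "nativeMessaging",
  "management", "tabs", "scripting", "downloads", "clipboardRead",
]);

// Match patterns that cover every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// A permission entry is a host pattern if it is <all_urls> or contains a scheme separator.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const declared = [
    ...(m.permissions || []),               // Manifest V2 mixes APIs and hosts here
    ...(m.optional_permissions || []),
    ...(m.host_permissions || []),          // Manifest V3 keeps hosts in their own key
    ...(m.optional_host_permissions || []),
  ].filter((p) => typeof p === "string");
  // Content scripts run on matching pages even without a host permission entry.
  const scriptMatches = (m.content_scripts || []).flatMap((cs) => cs.matches || []);
  const hosts = [...declared.filter(isHostPattern), ...scriptMatches];
  return {
    name: m.name,
    manifestVersion: m.manifest_version,
    legacyManifest: m.manifest_version !== 3,
    sensitiveApis: [...new Set(declared.filter((p) => SENSITIVE_APIS.has(p)))].sort(),
    broadHosts: [...new Set(hosts.filter((h) => BROAD_HOSTS.has(h)))].sort(),
  };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MV2 = JSON.stringify({
  name: "Constructed sample A", manifest_version: 2, version: "1.0",
  permissions: ["tabs", "cookies", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
});
const SAMPLE_MV3 = JSON.stringify({
  name: "Constructed sample B", manifest_version: 3, version: "1.0",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://example.com/*"],
});

for (const sample of [SAMPLE_MV2, SAMPLE_MV3]) console.log(auditManifest(sample));
```

A flagged entry is a reason to look closer rather than a verdict: an ad blocker legitimately needs access to all sites, which is why the article's point about monitoring on the store side still stands.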