Millions of Google Chrome users are reportedly running compromised browsers due to malware-infected extensions. According to a study conducted by Stanford University, more than 280 million users downloaded Chrome extensions infected with malware between July 2020 and February 2023.
What does the Stanford study say?
The study scrutinized about 125,000 extensions on the Google Chrome Web Store (GCWS) for security-noteworthy extensions (SNE).
As per the study, around 346 million users downloaded SNEs from GCWS. Out of these, a staggering 280 million downloads were infected with malware.
“We collected permissions by parsing each extension’s manifest.json file,” the study reports, with manifest V3 permissions divided into “permissions (APIs such as storage or cookies) and host permissions (URLs or URL patterns that an extension wants to make requests to)” with both combined in the earlier manifest V2.
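The permission split described above is easy to see in code. The following is an added example, not the Stanford team's tooling: it parses a constructed manifest V2 and a constructed manifest V3 (the sample manifests and the function names `extract_permissions` and `requests_broad_hosts` are assumptions for illustration), separates API permissions from host permissions, and flags the broad host patterns that give an extension the widest attack surface.

```python
import json

# Constructed sample manifests for illustration (not from the study or any real extension).
# Manifest V2 mixes API permissions and host patterns in one "permissions" list.
MANIFEST_V2 = json.dumps({
    "manifest_version": 2,
    "name": "Sample V2 extension (constructed)",
    "permissions": ["storage", "cookies", "https://*/*", "<all_urls>"],
})
# Manifest V3 moves host patterns into a separate "host_permissions" list.
MANIFEST_V3 = json.dumps({
    "manifest_version": 3,
    "name": "Sample V3 extension (constructed)",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
})

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(entry: str) -> bool:
    """A host permission is a URL match pattern or the <all_urls> wildcard."""
    return entry == "<all_urls>" or "://" in entry


def extract_permissions(manifest_text: str) -> dict:
    """Split a manifest's permissions into API permissions and host permissions.

    For V2, host patterns are pulled out of the combined "permissions" list;
    for V3, the dedicated "host_permissions" list is added on top.
    """
    manifest = json.loads(manifest_text)
    version = int(manifest.get("manifest_version", 2))
    api, hosts = set(), set()
    for entry in manifest.get("permissions", []):
        (hosts if _is_host_pattern(entry) else api).add(entry)
    if version >= 3:
        hosts.update(manifest.get("host_permissions", []))
    return {"version": version, "api": sorted(api), "hosts": sorted(hosts)}


def requests_broad_hosts(perms: dict) -> bool:
    """True when the extension asks for access to all (or nearly all) hosts."""
    return any(h in BROAD_HOST_PATTERNS for h in perms["hosts"])


def summarize(manifest_text: str) -> str:
    """Human-readable summary of an extension's requested surface."""
    perms = extract_permissions(manifest_text)
    flag = "BROAD HOST ACCESS" if requests_broad_hosts(perms) else "scoped hosts"
    return (f"MV{perms['version']}: {len(perms['api'])} API permission(s) "
            f"{perms['api']}, {len(perms['hosts'])} host permission(s) "
            f"{perms['hosts']} -> {flag}")


if __name__ == "__main__":
    print(summarize(MANIFEST_V2))
    print(summarize(MANIFEST_V3))
```

Run over a directory of unpacked extensions, the same split lets a reviewer rank installed extensions by how many hosts and sensitive APIs they request, which is the "larger attack surface" the study refers to.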
The study highlights that an infected extension tends to ask for more permissions than a benign one. “Ultimately, the more permissions an extension has, the larger the attack surface is,” it stated.
The research was led by Sheryl Hsu, Manda Tran, and Aurore Fass. It was published on June 18. The study also underlines “a critical lack” of maintenance in the CWS: “60% of the extensions in the CWS have never been updated; half of the extensions known to be vulnerable are still in the CWS and still vulnerable 2 years after disclosure; a third of extensions use vulnerable library versions.”
What does Google have to say about it?
In an official blog post published on June 20 (two days after the story was published), Google admits that “as with any software, extensions can also introduce risk.”
It states that before an extension is available to install from the Chrome Web Store, it undergoes two levels of verification. These are:
- An automated review: Each extension gets examined by our machine-learning systems to spot possible violations or suspicious behavior.
- A human review: Next, a team member examines the images, descriptions, and public policies of each extension. Depending on the results of both the automated and manual review, we may perform an even deeper and more thorough review of the code.