Categories: Technology

Google Chrome Web Store still has security work to do • The Register

Google has praised the speed with which its Chrome extension review process catches most bad code, while acknowledging that “like any software, extensions can pose risks.”

Coincidentally, a trio of researchers associated with Stanford University in the United States and the CISPA Helmholtz Center for Information Security in Germany have published a paper analyzing recent Chrome Web Store data that suggests browser extensions pose considerably more risk than Google acknowledges.

The paper, “What’s in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions,” is scheduled to be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24) in July.

On Thursday, Google’s Benjamin Ackerman, Anunoy Ghosh and David Warn of the Chrome Security Team stated, “In 2024, less than one percent of all installs from the Chrome Web Store were found to contain malware. We’re proud of that record and yet some bad extensions still emerge, which is why we also monitor published extensions.”

Evidently there are more than “a few bad extensions,” as cataloged by researchers Sheryl Hsu, Manda Tran, and Aurore Fass. As they describe in their paper, security-noteworthy extensions (SNEs) remain a significant problem.

An SNE is defined as an extension that contains malware, violates Chrome Web Store policy, or contains vulnerable code. It is thus a broader category than just a collection of malicious extensions.

Browser extensions have long been a source of concern because they have access to sensitive data. Depending on the permissions granted, they can see information entering and leaving your browser. They have been abused by miscreants to distribute malware, to track and spy on users, and to steal credentials. Yet because most extensions are free, browser store operators have no revenue from them to fund protection.

Extension security cannot be ignored, however. One of the main reasons Google set out to redefine its browser extension architecture several years ago, an initiative called Manifest V3, was to limit the potential for abuse.

Yet, according to the researchers, the Chrome Web Store remains full of risky extensions despite Google’s efforts.

These SNEs are a significant problem: more than 346 million users have installed SNEs over the past three years

“We found that these SNEs are a significant problem: more than 346 million users have installed SNEs over the past three years (280 million malware, 63 million policy violations, and three million insecure),” the authors write. “Furthermore, these extensions have persisted in the [Chrome Web Store] for years, making thorough investigation of extensions and notification of affected users even more important.”

The authors collected and analyzed data on Chrome extensions available between July 5, 2020, and February 14, 2023, at which point approximately 125,000 extensions were available in the Chrome Web Store. So the findings don’t necessarily reflect the store’s current state.

The researchers found that Chrome extensions generally don’t stick around for very long: “Only 51.86-62.98 percent of extensions are still available after a year,” the paper says.

Bad extensions, however, can be stubbornly persistent. According to the paper, SNEs remain in the Chrome Web Store for an average of 380 days if they contain malware, and up to 1,248 days if they contain only vulnerable code. The longest-lived bad extension was available in the store for 8.5 years.

“This extension, ‘TeleApp’, was last updated on December 13, 2013, and was found to contain malware on June 14, 2022,” the paper says. “This is extremely problematic, as such extensions have been jeopardizing the security and privacy of their users for years.”

The boffins also note that the store’s rating system does not appear to be effective at separating good extensions from bad ones: user ratings for SNEs don’t look much different from those for benign extensions.

“Overall, users do not give SNE a low rating, which suggests that users may not be aware that such extensions are dangerous,” the authors say. “Of course, it is also possible that bots are giving fake reviews and high ratings to those extensions. However, given that half of SNEs have no reviews, it seems that the use of fake reviews is not widespread in this case.”

In any case, they say, the uselessness of user ratings as a quality signal underscores the need for more oversight from Google.

One of the authors’ key recommendations is for Google to inspect extensions for code similarity. They found thousands of extensions that share much of the same code, which they say is often a problem: copying and pasting from Stack Overflow, consulting AI assistants, or simply reusing old boilerplate or libraries can propagate vulnerable code.

“For example, of the approximately 1,000 extensions that use the open-source Extensionizer project, 65-80 percent still use the default and vulnerable library versions initially packaged with the tool six years ago,” the authors write.

They also note the “severe lack of maintenance” of Chrome Web Store extensions: about 60 percent of extensions have never been updated, which means they miss out on security improvements such as those built into the Manifest V3 platform revision.

While detecting vulnerable extensions is important, we also need better incentives to encourage and support developers to fix vulnerabilities.

The lack of maintenance means extensions may remain in the store for years even after their vulnerabilities are disclosed. “At least 78/184 extensions (42 percent) are still in CWS and vulnerable two years after disclosure,” the researchers say. “This shows that, while it is important to detect vulnerable extensions, we also need better incentives to encourage and support developers to fix vulnerabilities after disclosure.”

And many extensions include vulnerable JavaScript libraries. The researchers found that a third of extensions (~40,000) use a JavaScript library with a known vulnerability. “We have detected more than 80,000 uses of the vulnerable libraries, impacting approximately 500 million extension users,” they write.

Sheryl Hsu, a Stanford graduate researcher and co-author of the paper, told The Register in an email that she believes extension security is improving. “I think we are more aware of the risks now (especially thanks to the many researchers who have discovered vulnerabilities) than we were 10 years ago when extensions were just starting,” she said.

Hsu said she believes it could be helpful to flag extensions that haven’t been updated or that contain vulnerable libraries.

“But it’s also important to exercise some caution because things that haven’t been updated may not be vulnerable (for example a super simple app that doesn’t really need to be updated), and just because an extension uses some vulnerable library doesn’t mean that the vulnerability can be exploited,” she noted. “Really it depends on what part of the library the extension is using.

“I think a hard part of cybersecurity is always figuring out how to give the user the right information to make an informed choice, but also realizing that a lot of users don’t have the technical knowledge or time to look into things like this in depth.”

Hsu said, “I think disabling Manifest V2 should definitely help with these problems; hopefully they will do it soon.”

Chrome Manifest V2 extensions are due to stop working in Chrome’s stable release channel in early 2025, barring further delays.

A Google spokesperson provided this statement to The Register on Friday:

“We also recently launched new tools that bring even greater awareness to users about potentially risky extensions and we will continue to invest in this area,” the representative said.

This post was published on 06/23/2024 3:36 am

news2source.com
