Google Chrome Web Store still has security fixes The Register


Google acknowledged this week that “like any software, extensions can pose risks,” but assured that its inspection of Chrome extensions can detect most malicious code.

Coincidentally, three researchers from Stanford University in the US and the CISPA Helmholtz Centre for Information Security in Germany have published a paper on recent Chrome Web Store data suggesting that the risks posed by browser extensions are much greater than Google has acknowledged.

The paper, “What's in the Chrome Web Store? A survey of security-notable browser extensions,” will be presented at the ACM Asia Conference on Computer and Communications Security (ASIA CCS 24) in July.

On Thursday, Benjamin Ackerman, Anunoy Ghosh, and David Warren from Google's Chrome security team claimed that “less than 1% of all installs from the Chrome Web Store were found to contain malware in 2024. While this is a record to be proud of, some malicious extensions still get through, which is why we also monitor publicly available extensions.”

As researchers Sheryl Hsu, Manda Tran, and Aurore Fass define and measure them, “a small percentage of bad extensions” turns out to be quite common. As they explain in their research paper, Security-Noteworthy Extensions (SNEs) remain a serious problem.

SNEs are defined as extensions that contain malware, violate Chrome Web Store policies, or contain vulnerable code, so it is a broader category than just the set of malicious extensions.

Browser extensions have long been a source of concern due to the access they can give to sensitive information. Depending on the permissions they're granted, they may be able to see data flowing in and out of your browser. Bad actors have used extensions to spread malware, track and spy on users, and steal data. But because most extensions are free, there's been little revenue stream for browser store operators to fund security.

But extension security cannot be ignored: limiting the exploitability of extensions was one of the reasons why Google began an effort to redefine the architecture of its browser extensions a few years ago (an effort called Manifest v3).

But researchers say that despite Google's efforts, the Chrome Web Store is brimming with dangerous extensions.

“These SNEs have proven to be a significant problem: over 346 million users have installed them in the past three years (resulting in 280 million instances of malware, 63 million policy violations, and 3 million vulnerabilities),” the authors claim. “Furthermore, these extensions [Chrome Web Store] Over the years, thorough vetting of extensions and notifying affected users has become even more important.”

The authors collected and analyzed data on Chrome extensions that were available from July 5, 2020 to February 14, 2023. At that time, there were nearly 125,000 extensions available in the Chrome Web Store. Therefore, these findings do not necessarily reflect the current state of the Chrome Web Store.

The researchers found that Chrome extensions often don't stick around for very long: “Only 51.86-62.98 percent of extensions are still available after one year,” the paper states.

But malicious extensions can also persist for a long time: SNEs containing malware remained in the Chrome Web Store for an average of 380 days, compared to 1,248 days for those containing only vulnerable code, according to the paper. The longest-lived malicious extension was available in the store for 8.5 years.

“The extension, TeleApp, was last updated on December 13, 2013 and was found to contain malware on June 14, 2022,” the paper claims. “This is highly troubling as such extensions put users' security and privacy at risk for years.”

Experts also point out that the store's rating system doesn't seem to be effective at distinguishing good extensions from bad ones, as user ratings for malicious SNEs are not that different from harmless ones.

“Overall, users did not give SNEs low ratings, suggesting that users may not be aware that these extensions are dangerous,” the authors wrote. “Of course, it is possible that bots are giving these extensions fake reviews and high ratings. However, given that half of SNEs have no reviews, the use of fake reviews does not seem widespread in this case.”

Either way, they say the uselessness of user reviews as an indicator of quality underscores the need for increased oversight by Google.

One of the authors' suggestions is for Google to monitor extensions for code similarity. They found thousands of extensions that share similar code, which they note is a bad practice in general. Copying and pasting from Stack Overflow, taking advice from an AI assistant, or simply implementing old boilerplate or libraries can lead to the spread of vulnerable code.

“For example, roughly 1,000 extensions use the open-source Extensionizr project, and of these, 65-80 percent still use the default vulnerable library versions that were first packaged with the tool six years ago,” the authors note.

They also pointed out a “serious lack of maintenance” of extensions in the Chrome Web Store, with roughly 60% of extensions never being updated and missing out on security improvements like those built into the Manifest v3 platform revision.

Lack of maintenance means that extensions may remain in the store for years after vulnerabilities have been disclosed: “At least 78 of 184 extensions (42%) are present in the CWS and still vulnerable two years after publication,” the researchers wrote. “This indicates that while detecting vulnerable extensions is important, we also need better incentives to encourage and support developers to fix vulnerabilities after publication.”

Many extensions also incorporate vulnerable JavaScript libraries: the team found that a third of extensions (about 40,000) use JavaScript libraries with known vulnerabilities. “We detected the use of over 80,000 vulnerable libraries, affecting roughly 500 million extension users,” the team claims.

Sheryl Hsu, an undergraduate researcher at Stanford University and a co-author on the paper, told The Register in an email that she thinks extensions are becoming more secure: “I think there's more awareness of the risks now than there was 10 years ago when extensions were just starting out (especially thanks to the many researchers finding vulnerabilities),” she said.

Hsu said she thinks it's worth flagging extensions that have not been updated and those that contain vulnerable libraries.

“But it's also important to be careful, because things that aren't updated might not necessarily be vulnerable (for example, very simple apps that don't need to be updated). Also, just because an extension uses a vulnerable library doesn't mean the vulnerability can be exploited,” she said. “It really depends on which parts of the library the extension uses.”

“The challenge in cybersecurity has always been figuring out how to provide users with the right information to make informed choices, while also recognizing that many users don't have the technical knowledge or time to dig deep into these things.”

Hsu added that “disabling Manifest v2 would undoubtedly resolve these issues, and we hope that happens soon.”

Chrome Manifest v2 extensions are scheduled to stop working in the generally released version of Chrome (the stable channel) in early 2025, barring further delays.
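
The flagging Hsu describes (extensions that have not been updated or that bundle vulnerable libraries, with a flag treated as a reason to look closer rather than proof of exploitability) can be sketched as follows. This is an added example, not code from the paper or from Google; `triageExtension`, the two-year staleness threshold, the `FLOORS` version table and the sample extension are all assumptions constructed for illustration.

```javascript
// Added illustration: review signals for one unpacked extension.
// FLOORS is a constructed placeholder table, not real advisory data.
const FLOORS = { jquery: "3.5.0" };
// Matches minified-style banners such as "/*! jQuery v1.11.0 | ...".
const BANNER = /\/\*!?\s*([A-Za-z][\w.-]*)\s+v?(\d+\.\d+\.\d+)/;

function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ext: { lastUpdated: ISO date from the store listing, files: { path: text } }
function triageExtension(ext, floors, now, staleDays = 730) {
  const findings = [];
  const manifest = JSON.parse(ext.files["manifest.json"]);
  if (!(manifest.manifest_version >= 3)) {
    findings.push({ signal: "manifest-v2", detail: "predates Manifest v3" });
  }
  const ageDays = Math.floor((now - Date.parse(ext.lastUpdated)) / 86400000);
  if (ageDays > staleDays) {
    findings.push({ signal: "stale", detail: `${ageDays} days since last update` });
  }
  for (const [path, text] of Object.entries(ext.files)) {
    if (!path.endsWith(".js")) continue;
    const m = BANNER.exec(text.slice(0, 300));
    const key = m ? m[1].toLowerCase() : "";
    if (Object.hasOwn(floors, key) && cmpVersion(m[2], floors[key]) < 0) {
      findings.push({ signal: "old-library", detail: `${path}: ${m[1]} ${m[2]} < ${floors[key]}` });
    }
  }
  // A hit means "look closer", not "exploitable": whether a library flaw is
  // reachable depends on which parts of the library the extension calls.
  return { verdict: findings.length ? "review" : "no-signal", findings };
}

// Constructed sample input.
const SAMPLE = {
  lastUpdated: "2018-01-15",
  files: {
    "manifest.json": '{"name":"Sample","version":"1.0","manifest_version":2}',
    "js/jquery.min.js": "/*! jQuery v1.11.0 | (c) constructed banner */\n",
    "js/background.js": "// extension's own code\n",
  },
};
console.log(triageExtension(SAMPLE, FLOORS, Date.parse("2024-06-24")));
```

Banner matching only sees libraries that keep their version comment, so a clean result here is the absence of a signal, not evidence that the extension is safe.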

A Google spokesperson told The Register on Friday:

“We've also recently released new tools to further raise user awareness about potentially risky extensions and will continue to invest in this area,” the spokesperson added.

Sources

1/ https://Google.com/

2/ https://www.theregister.com/2024/06/23/google_chrome_web_store_vetting/
