選單
中文 (繁體)

Google is failing miserably at weeding out bad extensions, new research indicates

Google Chrome, the most widely used desktop browser with an impressive 66% market share, boasts a user base of 1.6 billion active users. The number of extensions that it hosts is equally impressive: over 125,000 are listed on its Chrome Web Store (CWS). However, the immense popularity of the browser, and, as a result, its extensions, has a darker, dreary side. According to a research conducted by Stanford University, it looks like the Big G’s hands are so full that it hardly has any control over its sprawling extension empire.

The researchers found that despite rigorous checks that Google supposedly performs on each extension using a combination of machine-learning and human review, it falls spectacularly short of the goal — ensuring that the extensions are safe to use.

jzpyesm

According to the report, the scale of risk posed by potentially harmful and outright dangerous extensions, which the researchers call “Security-Noteworthy Extensions” or SNE, is simply hair-raising. Over the past three years, more than 346 million users have installed at least one SNE, the research says. Among these installations, 280 million users downloaded malware-containing extensions, 63.3 million installed extensions that violated CWS policies, and 2.9 million users installed extensions known to have vulnerabilities.

And even if we discount policy-violating and vulnerable extensions that are not necessary acute security threats to your PC, it still leaves 280 million malware-laden extensions that can unleash a range of threats, from bombarding users with malicious ads to invisibly tracking and spying on them, all while potentially stealing sensitive data like login credentials.

In a nutshell, what this data means is that millions of users have unwittingly exposed themselves to threats ranging from data theft to privacy violations while thinking they are adding useful functionality to their browsers.

Dangerous extensions linger in Chrome store for years

What is especially alarming is that benign extensions — those that do not endanger your privacy or security — tend to stay in the Chrome store less time than vulnerable extensions. The researchers found that benign extensions stay for an average of 1,152 days, while vulnerable extensions’ lifespan reaches the average of 1,248 days, over 3 years. Malware-containing extensions stay for far less on average, but they still inhabit the CWS for more than a year (380 days).

As for the median, for benign extensions it is significantly lower (780 days) than for vulnerable extensions (1,213 days).

As the researchers note, “This is extremely problematic, as such extensions put the security and privacy of their users at risk for years.”

The average lifespan of malicious extensions is troubling, but some cases are much worse. Researchers found a shocking outlier: a malware-laden extension called “TeleApp” that remained in the CWS for a staggering 8.5 years! Last updated in December 2013, over 10 years ago, TeleApp managed to fly under the radar until it was finally removed in June 2022.

Equally disconcerting is the fact that malware-tainted extensions have on average a larger user base than benign ones. According to the research, benign extensions average 11,000 users, while malware-containing extensions boast more than twice as many, or 27,000 users.

How to spot a bad extension?

Google does not seem to be doing a good job of vetting the extensions and weeding out the bad apples. Moreover, as the researchers note, while Google engineers “seem to be looking for malware-containing or policy-violating extensions through their review process” (cue the word “seem”), they apparently have no tools or a procedure in place to detect vulnerable extensions.

The researchers define vulnerable extensions as those that contain weaknesses in their code that, if exploited by attackers, could allow for widespread malicious attacks like stealing user data or injecting malicious scripts on every website you visit. This means that the large pool of potentially dangerous extensions remains a black spot for Google.

So, if Google is struggling to kick out the bad guys, can the users themselves step up and take matters into their own hands? Ideally, yes. However, as the researchers point out, that is incredibly difficult to accomplish in practice because at the first glance at least SNE extensions do not really stand out from the crowd.

For instance, the researchers found out that rating is not the best indicator of trustworthiness, to say the least. While a significant portion of malicious extensions (52%) and vulnerable ones (47%) lack ratings entirely, a surprising number of benign extensions (32%) also fall into this category. Even more concerning, the median rating across the board remains high: 5 for benign and policy-violating extensions, 4.9 for malware-laden ones, and 4.5 for vulnerable extensions. As the researchers point out, this suggests users are generally oblivious to the true nature and risks associated with extensions they install. While fake or manipulated reviews can’t be ruled out, this seems to be a double-edged sword impacting both benign and malicious extensions.

So, if you cannot really trust reviews, how are you supposed to know whether a certain extension is good or bad? Alas, there are no foolproof indicators, but probably your best bet will be to look at the developer’s record, at least the research suggests so.

Developer reputation: a clue, but not a guarantee

Interestingly, the research indicates that developers with at least one malicious extension tend to publish more security-noteworthy extensions on average than the developers with at least one benign extension. Thus, according to the paper, “a developer having published 1 malicious extension publishes on average 3.6 benign, 4.9 malware-containing, 1.4 policy-violating, and 0.00093 vulnerable extensions.” The research also suggests that a developer having a malware-containing or privacy-violating extension will likely publish another one of those.

Curiously, the researchers counted 30 developers with over 100 malware-containing extensions each.

However, here a key distinction emerges between malicious and vulnerable extensions. While malware and privacy-violating extensions often come from repeat offenders, developers publishing vulnerable extensions appear to have a higher proportion of benign extensions as well, suggesting these vulnerabilities might be unintentional mistakes during implementation.

Bad extensions tend to ask for more permissions

The researchers found that Security-Noteworthy Extensions (SNEs) require more access to your data than benign extensions, which should not come as a big surprise. The median number of API permissions requested by malware-containing and vulnerable extensions is 4, whereas policy-violating ones need 2, and benign extensions require only 1.

Ultimately, the more permissions an extension has, the larger the attack surface is.

Interestingly, both benign extensions and SNEs seem to use similar APIs for functionality. The key difference lies in the ‘topSites’ permission, which grants access to your most visited sites. This permission ranks second for malicious extensions (used by over 4,000 extensions) but doesn’t appear in the top 10 for other categories. This likely relates to malware hijacking your homepage on new tabs, a functionality requiring ‘topSites’ access.

However, the story changes when we look at host permissions (access to specific websites). Permissions granting access to all URLs, like <all_urls> or http://, are popular among benign and vulnerable extensions. In contrast, malware and policy-violating extensions frequently target specific Google subdomains. This suggests that malware developers might be intentionally avoiding permissions that trigger Google’s scrutiny and potentially flag their extensions as malicious.

What about updates?

A big source of vulnerabilities and therefore risk for users is the extensions that have not been updated for years, and therefore are more likely to be susceptible to various attacks due to unpatched security holes.

In terms of sheer numbers, the researchers found that 60% of all extensions available have never been updated, which makes them a low-hanging fruit to exploitation and compromise. Even more shocking, perhaps, is that half of the extensions known to be vulnerable (meaning their vulnerabilities have been reported publicly), remain unpatched in the Chrome store for two years after their vulnerabilities are disclosed.

In conclusion

As users increasingly rely on extensions to enhance their browsing experiences, we believe that the responsibility lies with both developers and platform curators — in this case Google — to prioritize security. Google’s role is especially critical when it comes to malware-laden extensions whose developers made them that way by design.
Enhanced monitoring, stricter enforcement of policies, and improved user education are crucial steps toward mitigating these risks and ensuring a safer browsing environment for millions of Chrome users worldwide.

Discuss this post on our social networks

喜歡這篇文章嗎?
19,274 19274 使用者評論
極好的!

AdGuard for Windows

Windows 版 AdGuard 不只是廣告封鎖程式,它是集成所有讓您享受最佳網路體驗的主要功能的多用途工具。其可封鎖廣告和危險網站,加速網頁載入速度,並且保護兒童的線上安全。
透過下載該程式,您接受授權協定的條款
閱讀更多
19,274 19274 使用者評論
極好的!

AdGuard for Mac

Mac 版 AdGuard 是一款獨一無二的專為 MacOS 設計的廣告封鎖程式。除了保護使用者免受瀏覽器和應用程式裡惱人廣告的侵擾外,應用程式還能保護使用者免受追蹤、網路釣魚和詐騙。
透過下載該程式,您接受授權協定的條款
閱讀更多
19,274 19274 使用者評論
極好的!

AdGuard for Android

Android 版的 AdGuard 是一個用於安卓裝置的完美解決方案。與其他大多數廣告封鎖器不同,AdGuard 不需要 Root 權限,提供廣泛的應用程式管理選項。
透過下載該程式,您接受授權協定的條款
閱讀更多
19,274 19274 使用者評論
極好的!

AdGuard for iOS

用於 iPhone 和 iPad 的最佳 iOS 廣告封鎖程式。AdGuard 可以清除 Safari 中的各種廣告,保護個人隱私,並加快頁面載入速度。iOS 版 AdGuard 廣告封鎖技術確保最高質量的過濾,並讓使用者同時使用多個過濾器。
透過下載該程式,您接受授權協定的條款
閱讀更多
19,274 19274 使用者評論
極好的!

AdGuard 內容阻擋器

AdGuard 內容阻擋器將消除在支援內容阻擋器技術之行動瀏覽器中的各種各類廣告 — 即 Samsung 網際網路和 Yandex.Browser。雖然比 AdGuard for Android 更受限制,但它是免費的,易於安裝並仍提供高廣告封鎖品質。
透過下載該程式,您接受授權協定的條款
閱讀更多
19,274 19274 使用者評論
極好的!

AdGuard 瀏覽器擴充功能

AdGuard 是有效地封鎖於全部網頁上的所有類型廣告之最快的和最輕量的廣告封鎖擴充功能!為您使用的瀏覽器選擇 AdGuard,然後取得無廣告的、快速的和安全的瀏覽。
19,274 19274 使用者評論
極好的!

AdGuard 助理

AdGuard 桌面應用程式的配套瀏覽器擴充功能。它為瀏覽器提供了自訂的元件阻止的功能,將網站列入允許清單或傳送報告等功能。
19,274 19274 使用者評論
極好的!

AdGuard DNS

AdGuard DNS 是一種不需要安裝任何的應用程式而封鎖網際網路廣告之極簡單的方式。它易於使用,完全地免費,被輕易地於任何的裝置上設置,並向您提供封鎖廣告、計數器、惡意網站和成人內容之最少必要的功能。
19,274 19274 使用者評論
極好的!

AdGuard Home

AdGuard Home 是一款用於封鎖廣告 & 追蹤之全網路範圍的軟體。在您設置它之後,它將涵蓋所有您的家用裝置,且為那您不需要任何的用戶端軟體。由於物聯網和連網裝置的興起,能夠控制您的整個網路變得越來越重要。
19,274 19274 使用者評論
極好的!

AdGuard Pro iOS 版

除了在 Safari 中之優秀的 iOS 廣告封鎖對普通版的用戶為已知的外,AdGuard Pro 提供很多功能。透過提供對自訂的 DNS 設定之存取,該應用程式允許您封鎖廣告、保護您的孩子免於線上成人內容並保護您個人的資料免於盜竊。
透過下載該程式,您接受授權協定的條款
閱讀更多
19,274 19274 使用者評論
極好的!

AdGuard for Safari

自 Apple 開始強迫每位人使用該新的軟體開發套件(SDK)以來,用於 Safari 的廣告封鎖延伸功能處境艱難。AdGuard 延伸功能可以將高優質的廣告封鎖帶回 Safari。
19,274 19274 使用者評論
極好的!

AdGuard Temp Mail

免費的臨時電子郵件地址產生器,保持匿名性並保護個人隱私。您的主收件匣中沒有垃圾郵件!
19,274 19274 使用者評論
極好的!

AdGuard Android TV 版

Android TV 版 AdGuard 是唯一一款能封鎖廣告、保護隱私並充當智慧電視防火墻的應用程式。取得網路威脅警告,使用安全 DNS,並受益於加密流量。有了安全性和零廣告的使用體驗,使用者就可以盡情享受最喜愛的節目了!
已開始下載 AdGuard 點擊箭頭所指示的檔案開始安裝 AdGuard。 選擇"開啟"並點擊"確定",然後等待該檔案被下載。在被打開的視窗中,拖曳 AdGuard 圖像到"應用程式"檔案夾中。感謝您選擇 AdGuard! 選擇"開啟"並點擊"確定",然後等待該檔案被下載。在被打開的視窗中,點擊"安裝"。感謝您選擇 AdGuard!
在行動裝置上安裝 AdGuard