280 Million Google Chrome Users Installed Dangerous Extensions, Study Says
Two new reports reveal distinctly different opinions about the safety of Chrome browser extensions. Google says that less than 1% of all installs include malware, while university researchers say 280 million users have installed extensions with malware over a three-year period. Neither number fills me with much confidence.According to Google more than 250,000 extensions are available on the Chrome web store. Google also says that “less than 1% of all installs from the Chrome Web Store were found to include malware,” so why don’t I find this as reassuring as I might?A recent paper by researchers from Stanford University and the CISPA Helmholtz Center for Information Security highlights the concerning prevalence of security-noteworthy browser extensions for Chrome. According to the study, over 346 million users installed these kind of extensions between July 2020 and February 2023. Even after subtracting 63 million policy violations and three million with vulnerable code, the researchers estimate that there were still 280 million installs of Chrome extensions containing malware.
What The Researchers Say About Security-Noteworthy Browser Extensions For Chrome
The researchers in question, Sheryl Hsu, Manda Tran, and Aurore Fass, published their paper on June 18. It’s important to note that the research study covers violations of Google’s web store policy and vulnerable code, along with extensions containing malware in the SNE definition. However, I’m most interested in the malware side of things. Not least as extensions often require advanced permissions that can impact user privacy and security, and it is these requested permissions that determine the attack surface for any malicious extension.
Unsurprisingly, the researchers found that dodgy extensions tend to ask for more permissions than benign ones. “Ultimately, the more permissions an extension has, the larger the attack surface is,” the study concluded.
"Even after subtracting 63 million policy violations and three million with vulnerable code, the researchers estimate that there were still 280 million installs of Chrome extensions containing malware."
Four Recommendations To Help Ensure Your Chrome Extensions Are Safe
- Review new extensions before installing them – read the information about the extension and the developer before installing.
- Uninstall extensions that you no longer use.
- Limit the sites an extension has permission to work on.
- Enable the Enhanced Protection mode of Chrome’s Safe Browsing capability – this mode provides you with protections against phishing and malware, as well as features targeted to keep you safe against potentially harmful extensions.
Davey Winder is a veteran cybersecurity writer, hacker and analyst.
Reshared from Forbes.com