Be careful when browsing for browser extensions in the Chrome Web Store

In the past, many people used to open Internet Explorer exactly once to download Google Chrome. I suspect that a lot of people similarly only ever visit the Chrome Web Store (CWS) once, to install an ad blocker and never return again.
However, the Chrome Web Store has much more to offer than just ad blockers. As it turns out, the Chrome Web Store is also a good place to “shop” for security and privacy risks.
Browser extensions provide additional functionality and customisation for web browsers. Google Chrome, the most popular browser, has nearly 125,000 extensions, which have over 1.6 billion active users.
Although many extensions are genuinely useful, they can also serve attackers as a tool or as a target. Malicious extensions actively spread malware, spy on users or steal information. Benign extensions can contain vulnerabilities that, when exploited, lead to cross-site scripting or the leakage of sensitive user data. And any extension, malicious or not, can pose a privacy risk: if a website can detect which extensions are installed, it can fingerprint the browser and track the user across sites.
Browser vendors try to mitigate these issues by reviewing extensions before publishing them, but despite their efforts, malicious, vulnerable and fingerprintable extensions still make it into extension stores. Clearly, a better understanding of the browser extension landscape is needed, so that such extensions can be dealt with more effectively.
This study analyses all extensions that were available in the CWS between July 2020 and February 2023, using data from Chrome-Stats, along with extension source code and data collected in an earlier study on vulnerabilities in browser extensions.
As of February 2023, there were about 124,000 extensions in the CWS.
The most popular extension category is “Productivity”, which includes anything from translation tools to PDF generators. Nine of the ten most popular extensions are productivity extensions.
The total number of extension users, defined as the number of Chrome installations with an active extension that has checked in with Google’s update servers, largely fluctuates over time. The exact reasons for this phenomenon are unclear, but the researchers do see a large drop in the number of users during holiday seasons and the summer months when people are likely away from school or work.
Most extensions have very few users: 65% have fewer than 100 users, and about 18% have 100 to 1,000 users. Fewer than 2% have more than 100,000 users. This matters for privacy: if an extension can be fingerprinted, its users hide in a crowd only as large as its user base, and for most extensions that crowd is tiny.
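As an added example (not code from this article or from the study it summarises), here is the mechanism behind extension fingerprinting and why the user counts above matter. Any file an extension lists under `web_accessible_resources` can be loaded by an ordinary web page from `chrome-extension://<extension id>/<path>`, so a page can probe a catalogue of known id/path pairs and learn which extensions are installed. The catalogue entries, IDs, paths and user counts below are constructed placeholders, not real extensions.

```javascript
// Added example, not code from the article or the study it summarises.
// Extension fingerprinting from a web page via web-accessible resources.
// CATALOGUE is CONSTRUCTED: names, ids, paths and user counts are placeholders.

const CATALOGUE = [
  { name: "example-adblocker",  id: "a".repeat(32), path: "icons/icon128.png", users: 5000000 },
  { name: "example-translator", id: "b".repeat(32), path: "img/logo.png",      users: 120000 },
  { name: "example-screenshot", id: "c".repeat(32), path: "ui/camera.png",     users: 80 },
];

// Browser-side probe: an <img> that loads means the resource is reachable,
// i.e. the extension is installed. Only works inside Chrome; fetch() can be
// used the same way for non-image resources.
function browserProbe(entry) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = `chrome-extension://${entry.id}/${entry.path}`;
  });
}

// Pure part: turn probe outcomes (name -> installed?) into a fingerprint.
// Kept synchronous so it can be exercised without a browser.
function buildFingerprint(catalogue, present) {
  const hits = catalogue.filter((e) => present[e.name]);
  const installed = hits.map((e) => e.name).sort();
  // Crowd anonymity: nobody outside the smallest extension's user base can
  // share this combination, so that user count bounds the anonymity set from above.
  const anonymityBound = hits.length === 0 ? Infinity : Math.min(...hits.map((e) => e.users));
  return { installed, fingerprint: installed.join("|") || "(none)", anonymityBound };
}

// Full browser flow: probe every catalogue entry, then build the fingerprint.
async function fingerprintExtensions(catalogue = CATALOGUE, probe = browserProbe) {
  const present = {};
  await Promise.all(catalogue.map(async (e) => { present[e.name] = await probe(e); }));
  return buildFingerprint(catalogue, present);
}
```

In a real deployment the catalogue is built by crawling the CWS for `web_accessible_resources` entries. Manifest V3 offers a countermeasure: setting `use_dynamic_url: true` on a `web_accessible_resources` entry makes Chrome serve the resource under a per-session random ID, so the stable `chrome-extension://<id>/...` URL the probe relies on no longer resolves.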
The number of extensions is steadily decreasing over time. On average, 3,775 extensions are removed from the CWS every month and another 2,687 are added.
This same volatility can be seen in the lifecycle of extensions. A year after the initial publication, only 51–63% are still available in the CWS. The number is considerably higher for extensions with a large number of users (1M+), but even these extensions sometimes temporarily disappear from the CWS, presumably due to violations of the CWS policies.
Security-noteworthy extensions (SNE), which contain malware, violate policies, or are vulnerable, differ from benign extensions in various ways.
SNE remain in the CWS for an average of 380 days (malware-containing) to 1,248 days (vulnerable). This means that such extensions put the security and privacy of their users at risk for years. One malware-containing extension even stayed in the CWS for 3,105 days (that’s 8.5 years)! Benign extensions, on the other hand, remain in the CWS for an average of only 1,152 days, which is less than for extensions with vulnerabilities.
The median number of SNE users is low, but mostly because 65% of all extensions have fewer than 100 users. The average is much higher, pulled up by a few outliers, including one extension that had 8.58M users before it was removed for policy violations. Between July 2020 and February 2023, over 346 million users installed at least one SNE: 280M installed malware-containing extensions and 63M installed policy-violating extensions.
On the CWS, users can rate extensions from 1 (lowest score) to 5 (highest score). A large number of extensions have no ratings at all – 47–59% for SNE, 32% for benign extensions. Of the extensions that do have a rating, there is no significant difference in scores between SNE and benign extensions. This could suggest that users are unaware that they have installed SNE.
The researchers found numerous cases of developers publishing both SNE and benign extensions. Interestingly, this includes one developer who has had 1,041 extensions removed for containing malware and nine for policy violations, yet still had 434 extensions in the CWS! In general, developers who have published an extension containing malware are more likely to publish more. Conversely, it’s unlikely that a developer who has published at least one benign extension will publish an SNE. Developers who have published vulnerable extensions will likely publish more vulnerable extensions in the future – but not other types of SNE.
On average, SNE request more browser API permissions than benign extensions; every additional permission widens what the extension, or an attacker who controls it, can do. Both groups tend to use the same APIs, with the exception of the topSites permission (read access to the user's most-visited sites, the list Chrome shows on the new tab page), which SNE use to hijack the user's homepage. Surprisingly, all-encompassing host permissions (<all_urls> or http://*/*) are common in benign and vulnerable extensions, but not in malware-containing or policy-violating extensions. One explanation is that extensions requesting such powerful privileges are subject to in-depth review, which developers with malicious intent may want to avoid.
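The permission patterns above are easy to check statically. The following triage script is an added example, not from the article or the study: it reads an extension's manifest.json, separates host patterns from API permissions (MV2 mixes them in one list, MV3 splits them), and flags all-encompassing host access, watch-listed APIs such as topSites, and stable web-accessible resources. The watch-list annotations and both sample manifests are my own constructions, not a vendor classification.

```javascript
// Added example, not from the article or the study. Static triage of a
// manifest.json for the permission patterns discussed above. The watch-list
// text and the two sample manifests are CONSTRUCTED for illustration.

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const API_WATCHLIST = {
  topSites: "most-visited sites shown on the new tab page (new-tab / homepage replacement)",
  tabs: "URL and title of every open tab",
  history: "full browsing history",
  cookies: "cookies of every host the extension may access",
  webRequest: "observe network requests",
  webRequestBlocking: "modify or block network requests (MV2)",
  clipboardRead: "read the clipboard",
  management: "enumerate and disable other extensions",
  debugger: "attach the devtools debugger to tabs",
};

// Host patterns look like <all_urls> or scheme://host/path; anything else in
// an MV2 "permissions" list is an API permission.
const isHostPattern = (p) => p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);

function triageManifest(manifest) {
  const declared = manifest.permissions ?? [];
  const apis = declared.filter((p) => !isHostPattern(p));
  // MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
  const hosts = new Set([...declared.filter(isHostPattern), ...(manifest.host_permissions ?? [])]);
  // Content scripts run on every page matching their patterns, so count those too.
  for (const cs of manifest.content_scripts ?? []) for (const m of cs.matches ?? []) hosts.add(m);

  const findings = [];
  for (const h of hosts) if (BROAD_HOSTS.has(h)) findings.push(`high: runs on every site (${h})`);
  for (const a of apis) if (a in API_WATCHLIST) findings.push(`medium: ${a} -> ${API_WATCHLIST[a]}`);
  // A stable web-accessible resource makes the extension fingerprintable from any page.
  for (const war of manifest.web_accessible_resources ?? []) {
    if (typeof war === "string" || !war.use_dynamic_url) {
      findings.push("low: web_accessible_resources without use_dynamic_url (fingerprintable)");
      break;
    }
  }
  return { manifestVersion: manifest.manifest_version, apiCount: apis.length, hostCount: hosts.size, findings };
}

// Constructed samples: an MV2 new-tab extension and an MV3 page tweaker.
const MV2_SAMPLE = {
  manifest_version: 2, name: "Sample New Tab",
  permissions: ["topSites", "storage", "http://*/*", "https://*/*"],
  chrome_url_overrides: { newtab: "newtab.html" },
  web_accessible_resources: ["logo.png"],
};
const MV3_SAMPLE = {
  manifest_version: 3, name: "Sample Highlighter",
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  web_accessible_resources: [{ resources: ["style.css"], matches: ["<all_urls>"], use_dynamic_url: true }],
};
```

Run `triageManifest(JSON.parse(fs.readFileSync("manifest.json")))` against an unpacked extension; the MV2 sample yields two "high" findings for the wildcard hosts plus the topSites and fingerprinting notes, while the MV3 sample's only finding is the `<all_urls>` content script, which grants the same reach as a broad host permission even though host_permissions looks narrow.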
The researchers used ssdeep fuzzy-hash-based clustering to identify clusters of similar extensions. After analysing almost 110,000 extensions they found that about 20,000 of them contain similar scripts, divided over 3,270 clusters.
Clusters can be categorised into three types:
- Identical extensions that look the same and do the same things. In some cases developers publish new extensions instead of pushing updates to existing ones.
- Extensions that have similar functionality, but look different and have dissimilar product pages on the CWS.
- Extensions that do very different things, but contain generic code which may originate from an extension builder.
Shared generic code also propagates vulnerabilities. For example, about 800 extensions in the dataset were created using the Extensionizr tool, which had already been abandoned for several years. Since the project is no longer updated, the tool bundles versions of Angular.js and jQuery with known vulnerabilities. Reusing unmaintained boilerplate like this should be avoided.
Of the 3,270 clusters there are 321 that contain only SNE. This suggests that it should be possible to remove – or at least flag – entire clusters once one of the extensions in a cluster is found to be SNE.
653 clusters contain both benign extensions and SNE. These clusters are just as suspicious as those that contain only SNE.
For example, one such cluster contains 9 screenshotting extensions that share the same code, three of which have been removed for policy violations several months apart despite containing identical code. In another cluster, a benign extension contained the same malicious code as an SNE but it was (temporarily?) rendered inactive due to the absence of a required permission.
In both cases, all extensions within the same cluster could have been flagged immediately if the review process had taken code similarity into account.
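The "flag the whole cluster" idea is worth seeing in code. The following is an added example, not code from the article or the study: the study clustered extensions with ssdeep fuzzy hashes, and this stand-in scores script similarity with token 4-shingles and Jaccard instead (no native ssdeep binding needed), then single-linkage clusters the extensions and propagates a known-SNE flag to every member of a cluster. The four scripts, their ids and the 0.6 threshold are constructed for illustration.

```javascript
// Added example, not from the article or the study. ssdeep stand-in:
// token shingles + Jaccard, union-find clustering, SNE flag propagation.
// SAMPLE_EXTENSIONS below is CONSTRUCTED.

function normalisedTokens(source) {
  // One left-to-right pass: comments become a space and string literals a
  // placeholder, so a "//" inside a string is not mistaken for a comment and
  // republished copies that differ only in strings or comments still match.
  const lexed = source.replace(
    /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'/g,
    (m) => (m[0] === '"' || m[0] === "'" ? " STR " : " "),
  );
  return lexed.split(/[^A-Za-z0-9_$.]+/).filter(Boolean);
}

function shingles(source, k = 4) {
  const t = normalisedTokens(source);
  const out = new Set();
  for (let i = 0; i + k <= t.length; i++) out.add(t.slice(i, i + k).join(" "));
  return out;
}

function jaccard(a, b) {
  if (a.size === 0 && b.size === 0) return 1;
  let inter = 0;
  for (const s of a) if (b.has(s)) inter++;
  return inter / (a.size + b.size - inter);
}

const scriptSimilarity = (s1, s2) => jaccard(shingles(s1), shingles(s2));

// Single-linkage clustering with union-find; returns sorted clusters of ids.
function clusterExtensions(exts, threshold = 0.6) {
  const sigs = exts.map((e) => shingles(e.script));
  const parent = exts.map((_, i) => i);
  const find = (i) => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  for (let i = 0; i < exts.length; i++)
    for (let j = i + 1; j < exts.length; j++)
      if (jaccard(sigs[i], sigs[j]) >= threshold) parent[find(i)] = find(j);
  const groups = new Map();
  exts.forEach((e, i) => {
    const root = find(i);
    if (!groups.has(root)) groups.set(root, []);
    groups.get(root).push(e.id);
  });
  return [...groups.values()].map((c) => c.sort()).sort((x, y) => x[0].localeCompare(y[0]));
}

// If any member of a cluster is a known SNE, flag the whole cluster for review.
function propagateFlags(clusters, knownSne) {
  const flagged = new Set();
  for (const c of clusters) if (c.some((id) => knownSne.has(id))) c.forEach((id) => flagged.add(id));
  return flagged;
}

// Constructed toy scripts: A and B are the same screenshot listener republished
// with different strings; D adds one call; C is unrelated.
const CAPTURE = `
chrome.runtime.onMessage.addListener(function (msg, sender, sendResponse) {
  if (msg.type === "capture") {
    chrome.tabs.captureVisibleTab(null, { format: "png" }, function (dataUrl) {
      sendResponse({ image: dataUrl });
    });
    return true;
  }
});`;

const SAMPLE_EXTENSIONS = [
  { id: "A", script: CAPTURE },
  { id: "B", script: "// screenshot helper\n" + CAPTURE.replace('"capture"', "'shot'").replace('"png"', '"jpeg"') },
  { id: "C", script: `document.querySelectorAll("a").forEach(function (link) { link.style.textDecoration = "underline"; });` },
  { id: "D", script: CAPTURE + `\nchrome.runtime.setUninstallURL("https://example.invalid/bye");` },
];
```

With B marked as a known SNE, `propagateFlags(clusterExtensions(SAMPLE_EXTENSIONS), new Set(["B"]))` flags A, B and D and leaves C alone, which is exactly the review-time decision the screenshotting cluster above would have benefited from. On real extensions the shingle sets get large; ssdeep's fixed-size digests are what make this scale to 110,000 packages.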
On average, 200–600 extensions are updated every day. The number of updates is mostly constant, apart from a spike on 19–20 April 2022, when the CWS introduced the Featured and Established Publisher badges, which many developers apparently wanted to obtain.
However, the majority of extensions are not well maintained. The median number of updates an extension receives after a year in the CWS is zero, and almost 60% never receive any update.
About a third of all extensions use at least one JavaScript library with a known vulnerability. This does not necessarily mean that the extensions themselves are vulnerable, but it is something to keep in mind.
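Checking for such libraries is a matter of reading version banners out of the bundled scripts. The script below is an added example, not from the article or the study: it extracts jQuery and AngularJS banners from an unpacked extension's files and compares them against a tiny advisory table. That table is a constructed stand-in for a real database such as retire.js, holding only two entries I am confident of (jQuery below 3.5.0 is affected by CVE-2020-11022 and CVE-2020-11023; AngularJS 1.x has been end-of-life since January 2022). The sample file contents are constructed. As the paragraph above says, a hit means a vulnerable library version is bundled, not that the extension is exploitable: whether the affected API is reachable with attacker-controlled input still has to be checked by hand.

```javascript
// Added example, not from the article or the study. Banner-based detection of
// bundled JavaScript libraries with known issues. ADVISORIES is a CONSTRUCTED
// two-entry stand-in for a real database; SAMPLE_FILES is CONSTRUCTED.

const ADVISORIES = [
  { lib: "jquery",    below: "3.5.0", note: "CVE-2020-11022 / CVE-2020-11023: XSS when HTML from untrusted sources is passed to DOM manipulation methods" },
  { lib: "angularjs", below: "2.0.0", note: "AngularJS 1.x is end-of-life (no security fixes since January 2022)" },
];

// Banner patterns as they appear at the top of distributed builds.
const BANNERS = [
  { lib: "jquery",    re: /jQuery(?: JavaScript Library)? v(\d+(?:\.\d+)+)/ },
  { lib: "angularjs", re: /AngularJS v(\d+(?:\.\d+)+)/ },
];

// Dotted-version comparison; missing components count as 0 (so "1.8" < "1.8.1").
function versionLess(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

function detectLibraries(scriptText) {
  const found = [];
  for (const { lib, re } of BANNERS) {
    const m = scriptText.match(re);
    if (m) found.push({ lib, version: m[1] });
  }
  return found;
}

// files: { "path/inside/extension.js": "<file contents>" }
function auditExtensionScripts(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files))
    for (const { lib, version } of detectLibraries(text))
      for (const adv of ADVISORIES)
        if (adv.lib === lib && versionLess(version, adv.below))
          hits.push({ path, lib, version, note: adv.note });
  return hits;
}

// Constructed sample: an old jQuery, an old AngularJS, a current jQuery, own code.
const SAMPLE_FILES = {
  "lib/jquery.min.js": "/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n(function(e,t){})(window);",
  "lib/angular.min.js": "/**\n * @license AngularJS v1.4.8\n * (c) 2010-2015 Google, Inc. http://angularjs.org\n * License: MIT\n */\n(function(){})();",
  "lib/jquery-3.7.1.min.js": "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */",
  "background.js": "chrome.runtime.onInstalled.addListener(() => {});",
};
```

On the sample, `auditExtensionScripts(SAMPLE_FILES)` reports the 1.8.3 jQuery and the 1.4.8 AngularJS and stays quiet about jQuery 3.7.1. Minified bundles that strip the `/*! ... */` banner will slip past this check; a production tool also hashes known library builds.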
- Browser extensions have exceptionally short life cycles and are generally poorly maintained
- Extensions with severe privacy and security issues affect hundreds of millions of users and remain in the CWS for years
- Entire clusters of potentially malicious extensions with a similar code base can be found in the CWS