June 23, 2024 at 06:45AM
Google claims that it vets Chrome extensions effectively enough to catch most malicious code, but researchers argue that the risk is more substantial. Risky extensions have been installed in considerable numbers, which represents a significant problem. The authors emphasize the critical need for stronger oversight by Google to address these issues.
There are significant concerns about the security of Chrome extensions. Researchers from Stanford University and CISPA Helmholtz Center for Information Security in Germany have published a paper that challenges Google’s assertions regarding the risks posed by browser extensions. The paper, titled “What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions,” alleges that the number of risky extensions in the Chrome Web Store is far greater than Google acknowledges. The authors highlight that over 346 million users installed a Security-Noteworthy Extension (SNE) in the last three years, indicating the widespread impact of these concerns.
The researchers emphasize several key points:
1. Malicious extensions and those with vulnerable code persist in the Chrome Web Store for extended periods, putting users’ security and privacy at risk. The researchers suggest that addressing the critical lack of maintenance by developers is essential.
2. The research indicates a critical lack of code similarity monitoring by Google, highlighting that thousands of extensions share similar code, potentially compounding risks.
3. There is a significant concern regarding the ineffectiveness of user ratings in identifying dangerous extensions, as well as the use of outdated and vulnerable libraries by many extensions, affecting millions of users.
The suggestions made by the researchers, including monitoring extensions for code similarity and incentivizing developers to address vulnerabilities, should be carefully considered. It is clear that more oversight and improved security measures from Google are necessary to mitigate the risks associated with Chrome extensions effectively.