[UPDATED Oct. 2, 2018 with new changes to how Google handles the development and implementation of Chrome extensions. This story was originally published on Nov. 7, 2017.]
Google's Chrome browser has been praised for continuously upgrading its own security. Chrome OS, which is based on the browser, is one of the safest operating systems in widespread use. So, then, why is Google doing such a poor job of screening Chrome extensions?
At least half a dozen malicious Chrome extensions have been discovered in the past few months, most coming from the official Chrome Web Store.
Some loaded adware and took users to sleazy websites. Others stole personal data or used victims' computers to "mine" cryptocurrencies. Somehow, they all got through Google's mostly automated screening process, and in most cases, even the best antivirus software won't be able to stop them.
If Google lets this continue, the Chrome Web Store, and Chrome in general, could end up as riddled with malware as Android, whose Google Play marketplace also has an automated app-screening process of questionable efficiency. And if the Chrome browser falls, then so does Chrome OS, which millions of schoolkids use on their Chromebooks. Google needs to fix this problem now.
'A joke' and 'a wreck'
"The current malware detection on the Chrome Web Store is a joke," wrote Danish computer-science student Maxime Kjaer in a recent blog post. "Currently, all it takes to get around it is to download the payload on installation rather than shipping with it. This has been the case for years now, and it doesn't seem like Google is doing much about it."
Kjaer was writing about a Chrome extension that pretended to verify the user's age so he or she could view porn, but actually stole authentication tokens for social-media sites. If you log into Facebook with that malicious extension loaded, it can steal your Facebook token and take over your Facebook page.
This past week, Lawrence Abrams at Bleeping Computer wrote about an image-downloading Chrome extension that loaded adware into the browser and took users to various sleazy websites.
Abrams reported the extension to the Chrome developers, but on Friday afternoon, Nov. 3, two days after Abrams published his piece, the extension was still in the Chrome Web Store. (It's since been taken down.)
"It is starting to become more and more common for unwanted and malicious extensions to be uploaded to the store and not be removed for quite a while," Abrams noted.
On Ghacks.net in late September, Martin Brinkmann was more blunt as he wrote about a Chrome extension that supposedly made your browsing safer from malware, but in fact secretly ran a cryptocurrency miner.
"Google's automatic verification system for Chrome extension uploads to the official Chrome Web Store is a wreck," Brinkmann wrote.
A URL-shortening Chrome extension also ran a cryptocurrency miner, software engineer Alessandro Polidori noted in a Medium posting Oct. 14, adding that "the spread of malware through Chrome extensions seems to be an increasingly widespread problem."
On the blog of the SANS Internet Storm Center on Oct. 27, Brazilian security researcher Renato Marinho detailed how a fake WhatsApp installer quite brazenly installed a Chrome extension that stole data that a user entered into online form fields.
The extension was not in the Chrome Web Store, but the malware easily disabled Chrome's restrictions so that non-Web Store software could be installed.
Google knows, but is that enough?
We contacted Google about this recurring problem, and a Google spokeswoman pointed us to a recent posting on the official Chromium developer blog regarding a phony AdBlock Plus extension. (Chromium is the open-source browser underpinning Chrome, and most Chrome software development actually takes place in Chromium.)
"We [want] to acknowledge that we know the issue spans beyond this single app," the posting said. "We can't go into details publicly about solutions we are currently considering (so as to not expose information that could be used by attackers to evade our abuse fighting methodologies), but we wanted to let the community know that we are working on it, as we continually strive to improve our protection and keep users safe from malicious Chrome Extensions and Apps."
It's nice that Google is aware there's a problem with Chrome Web Store malware, but it's been aware of the problem for at least 5 years. The Google spokeswoman also directed us to an academic paper published by Google researchers in mid-2015 entitled "Trends and Lessons from Three Years Fighting Malicious Extensions."
In the paper, the researchers say they had removed 9,523 malicious extensions from the Chrome Web Store from 2012 to 2015. That's admirable, but those extensions should never have made it into the store in the first place.
Is it impossible to keep malware out of an app store or an extension store? Perhaps, but Apple has come close to pulling it off — the number of known incidents involving malicious apps found in the iOS App Store over the past decade has not yet reached double digits.
How to fix this (hint – it costs money)
There is a simple way to solve this problem, but it's slow and expensive. Google needs to have humans manually run and review every single Chrome Web Store extension, rather than have machines sort out the bad-looking ones, let the rest go live and rely on bad user reviews to flag any further problems. Human app review is what Mozilla does with Firefox's extension repository, and what Apple does with iOS apps.
Implementing human review of every extension might greatly reduce the number of extensions that get approved every day for the Chrome Web Store. It might make some developers grumble. It will cost Google a lot to hire more extension testers. But the alternative is to let the Chrome malware problem get worse — and to threaten the market shares of Chrome and Chrome OS, and the security of millions of users.
"Fix the Chrome Webstore," Kjaer wrote. "It's one of the largest single security threats to the web right now."
UPDATE: Even as the abuse of Chrome extensions continues, Google is finally doing something about this problem. In the summer of 2018, it began to forbid "in-line" links that installed Chrome extensions immediately; those links now have to go to the extension's Chrome Web Store page so the user can learn more about it first.
On Oct. 2, 2018, Google announced several new restrictions on Chrome extensions.
— "Obfuscated" code, i.e. code that's deliberately hard for humans to read, is banned immediately.
— An extension's permissions will be limited to those necessary for its stated purposes.
— Later in October with Chrome 70, users will be able to limit an extension's abilities to specific websites rather than all websites.
— All Chrome extension developers will be required to implement two-factor authentication on their Google developer accounts to prevent unauthorized changes.
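Two of those restrictions, permissions limited to the stated purpose and host access limited to specific sites, can be checked mechanically against an extension's manifest. The script below is an added example written for this article, not code from Google or from any extension named above; it uses Chrome's documented match-pattern syntax, and both manifests it audits are constructed samples (the "example.com" host is a placeholder).

```javascript
// Added example, not from the article: audit a Chrome extension manifest for
// "all websites" host access and for API permissions that reach beyond a
// single site. A reviewer would expect each finding to be justified by the
// extension's stated purpose.

// Chrome match patterns look like <scheme>://<host>/<path>; "<all_urls>" is
// a special pattern that matches every URL.
const MATCH_PATTERN = /^(\*|https?|ftp|file):\/\/([^/]*)(\/.*)$/;

// API permissions whose reach is not bounded by a host pattern.
const SENSITIVE_API_PERMISSIONS = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
  "debugger", "proxy", "management", "nativeMessaging", "clipboardRead",
]);

// True when the string is a host match pattern rather than an API name.
function isHostPattern(pattern) {
  return pattern === "<all_urls>" || MATCH_PATTERN.test(pattern);
}

// True when the pattern matches every host (the "all websites" case).
// "*" alone as the host is every host; "*.example.com" is a bounded
// subdomain wildcard. A file:// pattern has an empty host and covers the
// whole local disk, so it is treated as unbounded too.
function isAllHostsPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  return host === "*" || (scheme === "file" && host === "");
}

// Returns a list of findings; an empty list means nothing over-broad.
// Host patterns may appear under "permissions" (manifest v2) or
// "host_permissions" (manifest v3), so both keys are read.
function auditManifest(manifest) {
  const findings = [];
  const declared = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  for (const p of declared) {
    if (isHostPattern(p)) {
      if (isAllHostsPattern(p)) findings.push({ kind: "all-hosts-permission", value: p });
    } else if (SENSITIVE_API_PERMISSIONS.has(p)) {
      findings.push({ kind: "sensitive-api-permission", value: p });
    }
  }
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (isAllHostsPattern(pattern)) {
        findings.push({ kind: "all-hosts-content-script", value: pattern });
      }
    }
  }
  return findings;
}

// Constructed sample: an image-downloading extension asking for every site
// plus tab access, the shape the article's restrictions are aimed at.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "Image Downloader (constructed sample)",
  permissions: ["storage", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: the same extension narrowed to the one site it serves.
const NARROW_MANIFEST = {
  manifest_version: 2,
  name: "Image Downloader (constructed sample)",
  permissions: ["storage", "https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["content.js"] }],
};

console.log("broad manifest:", auditManifest(BROAD_MANIFEST));   // three findings
console.log("narrow manifest:", auditManifest(NARROW_MANIFEST)); // none
```

Run with `node audit.js` (any file name). The check is deliberately conservative: a subdomain wildcard such as `https://*.example.com/*` is accepted as bounded, while `<all_urls>`, `*://*/*` and `file:///*` are reported, which matches the distinction Chrome 70's per-site restriction draws between "this site" and "all sites".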
We don't know how much of an effect these restrictions will have on malicious extensions, but the Chromium blog post noted that 70 percent of malicious or ethically dubious extensions used obfuscated code. We'd still prefer to see humans checking each new Chrome extension before it's pushed out into the wild.