For all of Google’s efforts to improve user security, it’s leaving thousands upon thousands of potential vulnerabilities and some actual malware active on its platform in the Chrome Web Store. How? Browser extensions. Browser extension security is generally nightmarish.
Browser extensions can improve the functionality of any browser, but also pose a big risk. They can see almost everything you do online and they can be hacked to carry malicious code. Extensions are expected to be free and are hard for developers to monetize – making deals proposed by bad guys more attractive. Some extensions can be bought out entirely by bad actors, and there are even fake versions of real extensions! We’ll take a quick look at how each of the leading browser companies handles extension security.
Google Chrome Browser Extension Security is Bad
There are about 200,000 extensions up on Google’s Chrome Web Store. According to chrome-stats.com, over half of them haven’t been updated in over two years. Another 25% or so haven’t been updated in over one year. Running outdated, abandoned apps is a huge security risk. If the developer is no longer updating the code, vulnerabilities will likely be found and never be patched.
The Chrome Web Store is also rife with actively malicious extensions. Some are spoofed versions of real ones (Krebs on Security found several, including a spoofed Microsoft Teams extension). Others are legitimate extensions that carry borderline-malicious code or collect data on the user. Google doesn’t do any vetting to confirm that extensions are legitimate and many extensions are published as proprietary closed-source software. With no way for anybody to peek at the code, you are putting complete trust in the developer that they won’t do anything bad.
Without checking, could you even name the developer of any one of your extensions right now? Google needs to step up its extension game, and it’s not the only one.
Microsoft Edge is Similar to Chrome
The (relatively) new Microsoft Edge browser shares more than its Chromium-based roots with Google Chrome. Microsoft seems to be taking the same hands-off approach to extension management as Chrome. After registering for a developer account, it’s free and easy to publish an extension. Microsoft does have a couple of policies to encourage extension security and disallow malicious ones, but it’s not clear how closely Microsoft vets extensions, or if it does so at all unless something is reported.
Sure enough, a number of spoofed extensions have appeared for Edge. Thankfully, some browsers do it better.
Mozilla Firefox is Better, but not Perfect
Despite having a much smaller user base than Chrome, there are still over 20,000 extensions available for Firefox. Mozilla does a much better job managing its platform than Google and Microsoft do.
Firefox Extension Badges
Mozilla’s approach to extension management comes in the form of “badges.” Mozilla slaps one of three badges on each available extension: Recommended, By Firefox, and a Caution Label.
The Recommended badge is applied to add-ons that Mozilla and community volunteers actively and regularly review. Mozilla says that “recommended extensions are editorially curated extensions that meet the highest standards of security, functionality, and user experience.” These are likely safe to trust.
Similarly, there are a number of extensions developed by Mozilla itself. These are badged “By Firefox” and are also likely safe.
The last label is the Caution label. Mozilla will flag any extensions that it doesn’t actively review and provide a warning label on the extension’s page.
Mozilla’s efforts to review, recommend reputable extensions, and warn users about un-reviewed ones go a long way in reducing the risk someone will download a malicious extension. With that in mind, Firefox isn’t the perfect picture of browser extension security. Peer-reviewed code can still get hacked, and the reviewers are humans who can make mistakes. Plus, it is still possible for abandoned extensions to be downloaded by users – they just won’t have the recommended badge.
Safari Extensions – now Integrated with the App Store
Safari used to have a public extension space called Extension Gallery that functioned similarly to the Chrome Web Store and Firefox’s Add-On browser. However, it was disabled in September 2019 and Safari Extensions now live on the App Store. They are presented and treated similarly to all macOS and iOS apps, and that means they go through Apple’s vetting process before they’re published to the world.
Apple’s review process usually means that you can trust software that appears on the App Store. It’s pretty unlikely that a fake Microsoft Teams Safari Extension could successfully clear a human review process. That said, there are still cases of malicious apps getting through Apple’s vetting process, so it’s not perfect. Two interesting notes about Apple’s extension practices:
- Unlike the other three companies discussed here, Apple is the only one that appears to regularly remove abandoned apps from its store.
- Extension authors are easily able to monetize their apps thanks to their presence on the App Store. This might reduce the chance of extensions becoming abandoned over time.
How could browser extension security be better?
Google and Microsoft are woefully behind the curve here. The fact that two of the largest companies in America don’t appear to be doing the most basic of reviews to ensure that spoofed extensions aren’t being published is frankly horrific. It simply should not be possible for a bad guy to publish a fake Microsoft Teams or NordVPN extension.
Imagine if a grocery store sold a product with poison in it because it couldn’t be bothered to confirm that it was a legitimate product by a legitimate seller. The public would be outraged at the store! This is similar to what is happening in extension-land, and it’s not happening because the companies lack the resources.
Google and Microsoft both need to drastically step up their review process to stop more malicious and fake extensions from ever being published on their platform.
Mozilla, Google, and Microsoft should all take a page from Apple and remove abandoned extensions from their platforms.
Browser Extension Policy for Businesses
Browser extensions frequently feel innocuous since they don’t stand on their own, but each extension is actually its own little piece of software. Just like with normal apps, it’s all too easy (maybe easier!) for someone to accidentally download a malicious extension. If malicious extensions end up on company hardware, it could result in a serious data breach. With that in mind, it’s probably worth implementing an extension policy. The policy might be “don’t install extensions.” It could also be “only use this list of permitted extensions,” “only use extensions by Google itself,” or “only use extensions vetted by Apple or Mozilla.”
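One way to check a machine against a "permitted extensions" policy like the one described above, as an added example that is not part of the original article: the script lists what is installed in a Chromium-style profile, flags anything not on the allowlist, and flags extensions that request access to every site. It assumes the on-disk layout `Extensions/<id>/<version>/manifest.json`; the function names, extension names and IDs are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that let an extension read or modify every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_dir, allowlist):
    """Return one finding per <id>/<version>/manifest.json under extensions_dir."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            # A manifest that cannot be parsed is itself worth a closer look.
            findings.append({"id": ext_id, "name": None, "allowed": ext_id in allowlist,
                             "broad_access": None, "error": "unreadable manifest"})
            continue
        # Host access can be declared in three places depending on manifest version.
        hosts = set(manifest.get("host_permissions", []))
        hosts.update(p for p in manifest.get("permissions", []) if isinstance(p, str))
        for script in manifest.get("content_scripts", []):
            hosts.update(script.get("matches", []))
        findings.append({"id": ext_id, "name": manifest.get("name"),
                         "allowed": ext_id in allowlist,
                         "broad_access": bool(hosts & BROAD_HOSTS), "error": None})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions with placeholder IDs."""
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "Approved Notes", "version": "1.2",
                   "permissions": ["storage"]},
        "b" * 32: {"manifest_version": 2, "name": "Free Coupons", "version": "0.9",
                   "permissions": ["tabs", "<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_extensions(build_sample_profile(tmp), allowlist={"a" * 32}):
            status = "ok" if f["allowed"] else "NOT ON ALLOWLIST"
            print(f["id"], f["name"], status, "broad host access" if f["broad_access"] else "")
```

To audit a real profile, pass the profile's Extensions directory and the set of approved extension IDs to `audit_extensions` instead of the sample data.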
There’s no reason browser extensions can’t continue to be helpful tools for many users, but it’s important to understand the unique security risks they represent.