Around 33% of all Chromium users have some kind of browser plugin installed. Rather than being a niche, edge-technology used exclusively by power users, add-ons are positively mainstream, with the majority coming from the Chrome Web Store and the Firefox Add-Ons Marketplace.
But how safe are they?
According to research due to be presented at the IEEE Symposium on Security and Privacy, the answer is not very. The Google-funded study found tens of millions of Chrome users have some variety of add-on based malware installed, which represents 5% of total Google traffic.
The research resulted in almost 200 plugins being scrubbed from the Chrome App Store, and brought into question the overall security of the market place.
So, what is Google doing to keep us safe, and how can you spot a rogue add-on? I found out.
Where Add-Ons Come From
Call them what you will - browser extensions, plugins or add-ons - they all come from the same place. Independent, third-party developers producing products that they feel serve a need, or solve a problem.
Browser add-ons are generally written using web technologies, such as HTML, CSS, and JavaScript, and usually are built for one specific browser, although there are some third-party services that facilitate the creation of cross-platform browser plugins.
Once a plugin has reached a level of completion and is tested, it is then released. It's possible to distribute a plugin independently, although the vast majority of developers choose instead to distribute them through Mozilla, Google and Microsoft's extensions stores.
Although, before it ever touches a user's computer, it has to be tested to ensure that it's safe to use. Here's how it works on the Google Chrome App Store.
Keeping Chrome Safe
From the submission of an extension, to its eventual publication, there's a 60 minute wait. What happens here? Well, behind the scenes, Google is making sure that the plugin doesn't contain any malicious logic, or anything that could compromise the privacy or safety of the users.
This process is known as 'Enhanced Item Validation' (IEV), and is a series of rigorous checks that examines a plugin's code and its behavior when installed, in order to identify malware.
Google has also published a 'style guide' of sorts that tells developers what behaviors that are permitted, and expressly discourages others. For example, it is forbidden to use inline JavaScript - JavaScript that's not stored in a separate file - in order to mitigate the risk against cross-site scripting attacks.
Google also strongly discourages the usage of 'eval', which is a programming construct that allows code to execute code, and can introduce all sorts of security risks. They're also not terribly keen on plugins connecting to remote, non-Google services, as this poses the risk of a Man-In-The-Middle (MITM) attack.
These are simple steps, but are for the most part effective at keeping users safe. Javvad Malik, Security Advocate at Alienware, thinks it's a step in the right direction but notes that the biggest challenge in keeping users safe is an issue of education.
"Making the distinction between good and bad software is becoming increasingly difficult. To paraphrase, one mans legitimate software is another mans identity-stealing, privacy-compromising malicious virus coded in the bowels of hell."Don’t get me wrong, I welcome the move by Google to remove these malicious extensions – some of these should never have been made public to start with. But the challenge going forward for companies like Google is policing the extensions and defining the limits of what’s acceptable behavior. A conversation that extends beyond a security or technology and a question for the internet-using society at large."
Google aims to ensure that users are informed about the risks associated with installing browser plugins. Each extension on the Google Chrome App Store is explicit about the permissions required, and can not exceed the permissions you give it. If an extension is asking to do things that seem unusual, you then have cause for suspicion.
But occasionally, as we all know, malware slips through.
When Google Gets It Wrong
Google, surprisingly, keeps quite a tight ship. Not much slips past their watch, at least when it comes to the Google Chrome Web Store. When something does, however, it's bad.
- AddToFeedly was a Chrome plugin that allowed users to add a website to their Feedly RSS reader subscriptions. It started life as a legitimate product released by a hobbyist developer, but was bought for a four figure sum in 2014. The new owners then laced the plugin with the SuperFish adware, which injected advertising into pages and spawned pop-ups. SuperFish gained notoriety earlier this year when it transpired Lenovo had been shipping it with all their low-end Windows laptops.
- WebPage Screenshot allows users to capture an image of the entirety of a webpage they're visiting, and has been installed on over 1 million computers. However, it also has been transmitting user information to a single IP address in the United States. The owners of WebPage Screenshot have denied any wrongdoing, and insist it was part of their quality assurance practices. Google has since removed it from the Chrome Web Store.
- Adicionar Ao Google Chrome was a rogue extension that hijacked Facebook accounts, and shared unauthorized statuses, posts and photos. The malware was spread through a site that mimicked YouTube, and told users to install the plugin in order to watch videos. Google has since removed the plugin.
Given that most people use Chrome to do the vast majority of their computing, it's troubling that these plugins managed to slip through the cracks. But at least there was a procedure to fail. When you install extensions from elsewhere, you're not protected.
Much like Android users can install any app they wish, Google lets you install any Chrome extension you want, including ones that don't come from the Chrome Web Store. This isn't just to give consumers a bit of extra choice, but rather to allow developers to test the code they've been working on before sending it off for approval.
However, it's important to remember that any extension that is installed manually hasn't gone through Google's rigorous testing procedures, and can contain all sorts of undesirable behavior.
How At Risk Are You?
In 2014, Google overtook Microsoft's Internet Explorer as the dominant web browser, and now represents almost 35% of Internet users. As a result, for anyone looking to make a quick buck or distribute malware, it remains a tempting target.
Google, for the most part, has been able to cope. There have been incidents, but they've been isolated. When malware has managed to slip through, they've dealt with it expediently, and with the professionalism you'd expect from Google.
However, it is clear that extensions and plugins are a potential attack vector. If you're planning on doing anything sensitive such as log in to your online banking, you might want to do that in a separate, plugin-free browser or an incognito window. And if you have any of the extensions listed above, type chrome://extensions/ in your Chrome address bar, then find and delete them, just to be safe.
Have you ever accidentally installed some Chrome malware? Live to tell the tale? I want to hear about it. Drop me a comment below, and we'll chat.