
What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions (2406.12710v1)

Published 18 Jun 2024 in cs.CR

Abstract: This paper is the first attempt at providing a holistic view of the Chrome Web Store (CWS). We leverage historical data provided by ChromeStats to study global trends in the CWS and security implications. We first highlight the extremely short life cycles of extensions: roughly 60% of extensions stay in the CWS for one year. Second, we define and show that Security-Noteworthy Extensions (SNE) are a significant issue: they pervade the CWS for years and affect almost 350 million users. Third, we identify clusters of extensions with a similar code base. We discuss how code similarity techniques could be used to flag suspicious extensions. By developing an approach to extract URLs from extensions' comments, we show that extensions reuse code snippets from public repositories or forums, leading to the propagation of dated code and vulnerabilities. Finally, we underline a critical lack of maintenance in the CWS: 60% of the extensions in the CWS have never been updated; half of the extensions known to be vulnerable are still in the CWS and still vulnerable 2 years after disclosure; a third of extensions use vulnerable library versions. We believe that these issues should be widely known in order to pave the way for a more secure CWS.


Summary

  • The paper introduces the concept of Security-Noteworthy Extensions, emphasizing that vulnerable and non-updated extensions persist longer in the Chrome Web Store.
  • The study employs historical data analysis to reveal a one-year average lifespan for most extensions with sharp turnover rates.
  • The authors highlight code similarity clusters as a promising technique for early detection of security risks in browser extensions.

Investigating the Security of Browser Extensions in the Chrome Web Store

The paper "What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions" by Sheryl Hsu, Manda Tran, and Aurore Fass provides a comprehensive examination of the Chrome Web Store (CWS) with a specific focus on browser extension security. By leveraging historical data from ChromeStats, the authors present an extensive analysis of the global trends and security ramifications associated with browser extensions. This essay highlights the key findings, strong numerical results, and broader implications of their research.

Key Findings

The primary findings of the paper are:

  1. Life Cycle of Extensions: The paper reveals that the life cycles of extensions in the CWS are notably short. Approximately 60% of extensions remain available for merely one year.
  2. Security-Noteworthy Extensions (SNE): The concept of Security-Noteworthy Extensions (SNE) is introduced. SNE include extensions that contain malware, violate policies, or have vulnerabilities. These extensions persist in the CWS for extended periods, some for several years.
  3. Code Similarity: The authors identify clusters of extensions with similar code bases, indicating potential pathways to flag suspicious extensions through code similarity techniques. Code reuse from public repositories and forums propagates dated code and vulnerabilities, reinforcing the need for better vetting processes.
  4. Lack of Maintenance: The paper emphasizes a significant lack of maintenance in the CWS. Over 60% of the extensions have never been updated since their initial release. This negligence is further exemplified by the persistence of vulnerable extensions and the continued use of known vulnerable library versions.

Numerical Results

The paper provides several compelling numerical results:

  • Extension Longevity: Extensions exhibit a high turnover rate, with only 51.86% to 62.98% still available after one year.
  • User Impact: Over 346 million users installed an SNE in the last three years, including 280 million who installed malware-containing extensions.
  • Extension Clusters: A total of 3,270 clusters of similar extensions were identified. Notably, clusters containing only SNE hint at the potential for rapid detection once one extension within the cluster is flagged.
  • Maintenance Statistics: About 60% of the extensions in the CWS have never been updated. Moreover, half of the known vulnerable extensions identified in 2021 remained unfixed as of 2023, impacting over 450,000 users.
  • Vulnerable Libraries: Almost a third of the extensions use at least one JavaScript library with known vulnerabilities, affecting nearly 500 million users.
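The three static checks the findings above describe (fingerprinting code to cluster near-identical extensions, extracting URLs from comments as a sign of copied public snippets, and flagging outdated library banners) can be sketched in a few lines. The following is an added illustration, not code from the paper or from ChromeStats; the extension sources, the URL and banner patterns, and the jQuery version floor are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample extension scripts (not real CWS extensions).
EXTENSIONS = {
    "ext_a": """// adapted from https://stackoverflow.com/questions/example-id
/*! jQuery v1.8.3 | (c) 2012 jQuery Foundation */
function inject(html) { document.body.innerHTML = html; }""",
    "ext_b": """/* based on https://github.com/example-user/example-snippet */
function inject(html) {
    document.body.innerHTML = html;   // same logic, different layout
}""",
    "ext_c": """/*! jQuery v3.6.0 */
function log(msg) { console.log(msg); }""",
}
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
URL_RE = re.compile(r"https?://[^\s*\"')<>]+")
LIB_RE = re.compile(r"\b(jQuery)\s+v(\d+(?:\.\d+)+)", re.I)
# Constructed policy: banner versions below the floor are flagged as outdated.
# A real scanner would take these floors from an advisory feed.
VULNERABLE_BELOW = {"jquery": (3, 5, 0)}

def comment_urls(src):
    # URLs that appear only inside comments: a hint that the code was copied
    # from a public repository or forum post.
    found = {u.rstrip(".,;") for c in COMMENT_RE.findall(src) for u in URL_RE.findall(c)}
    return sorted(found)

def fingerprint(src):
    # Hash the code with comments and whitespace removed, so re-indented or
    # re-commented copies of the same code collide.
    code = re.sub(r"\s+", "", COMMENT_RE.sub("", src))
    return hashlib.sha256(code.encode()).hexdigest()

def clusters(extensions):
    # Groups of two or more extensions sharing a fingerprint.
    groups = defaultdict(list)
    for name, src in extensions.items():
        groups[fingerprint(src)].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def outdated_libs(src):
    # (library, version) pairs whose banner version is below the floor.
    hits = []
    for lib, ver in LIB_RE.findall(src):
        floor = VULNERABLE_BELOW.get(lib.lower())
        if floor and tuple(int(p) for p in ver.split(".")) < floor:
            hits.append((lib.lower(), ver))
    return hits
```

Exact-hash clustering only catches copies that differ in comments and layout; the paper's similarity analysis tolerates more variation, which is where a real implementation would add token-level or AST-level comparison.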

Implications and Future Directions

Practical Implications

The findings have profound practical implications. The identification of short-lived extensions necessitates frequent reevaluation of extension security. The high prevalence of SNE with extensive user bases underlines the urgent need for more rigorous vetting and notification mechanisms to safeguard users. Furthermore, the detection of code similarities suggests that employing code similarity techniques could streamline the identification of suspicious extensions, thereby mitigating risks more effectively.

Theoretical Implications

From a theoretical standpoint, the paper sheds light on the dynamics of the browser extension ecosystem, exposing significant security concerns. The concept of Security-Noteworthy Extensions can refine theoretical models of extension security assessment. Additionally, the persistence of unmaintained and vulnerable extensions prompts a reevaluation of dependency management and maintenance incentives within software ecosystems.

Recommendations for Future Research

The paper's findings pave the way for several future research directions:

  1. Enhanced Vetting Mechanisms: Future work should focus on integrating code similarity analysis into extension vetting processes to flag potential SNE more efficiently.
  2. User Notification Systems: Development of robust user notification systems to alert users about the risks associated with installed SNE could be highly beneficial.
  3. Maintenance Incentives: Research into effective incentives for developers to maintain and update their extensions will be crucial. This could include exploring policies for mandatory updates or securing funding for maintenance tasks.
  4. Exploitability Studies: While identifying vulnerable libraries is a significant step, assessing the actual exploitability of these vulnerabilities within the context of browser extensions remains an open challenge.

Conclusion

This paper by Hsu et al. provides a detailed examination of the CWS, highlighting critical security concerns and outlining strategies to address these issues. By revealing the high turnover of extensions, the pervasiveness of SNE, the potential of code similarity analysis, and the alarming lack of maintenance, the research sets the stage for enhancing both the security and reliability of browser extensions. Moving forward, addressing these issues will require collaborative efforts between researchers, developers, and platform maintainers to ensure a safer browsing environment for all users.
