What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions
Sheryl Hsu, Manda Tran, Aurore Fass

TL;DR
This study provides a comprehensive analysis of the Chrome Web Store, revealing short extension life cycles, widespread security issues, code reuse, and maintenance deficiencies that pose significant security risks for users.
Contribution
It offers the first holistic view of the CWS, highlighting security concerns, code reuse patterns, and maintenance gaps, with novel insights into extension lifecycle and vulnerabilities.
Findings
60% of extensions last only one year
Nearly 350 million users affected by security-noteworthy extensions
60% of extensions are never updated or remain vulnerable
Abstract
This paper is the first attempt at providing a holistic view of the Chrome Web Store (CWS). We leverage historical data provided by ChromeStats to study global trends in the CWS and security implications. We first highlight the extremely short life cycles of extensions: roughly 60% of extensions stay in the CWS for one year. Second, we define and show that Security-Noteworthy Extensions (SNE) are a significant issue: they pervade the CWS for years and affect almost 350 million users. Third, we identify clusters of extensions with a similar code base. We discuss how code similarity techniques could be used to flag suspicious extensions. By developing an approach to extract URLs from extensions' comments, we show that extensions reuse code snippets from public repositories or forums, leading to the propagation of dated code and vulnerabilities. Finally, we underline a critical lack of…
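The abstract mentions extracting URLs from extensions' comments to trace reused code. The following is an added example of one way to do that, not the authors' tool or method: it scans JavaScript source, skips string and template literals, and reports URLs found only inside comments. The list of code-sharing hosts and the sample input are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
# Assumed list of code-sharing hosts; not taken from the paper.
CODE_HOSTS = ("github.com", "gist.github.com", "stackoverflow.com", "gitlab.com")


def iter_comments(src):
    """Yield the text of each JS comment, skipping string and template literals.
    Limitation: regex literals are not parsed, so /\\/\\// can be misread."""
    i, n = 0, len(src)
    while i < n:
        ch, two = src[i], src[i:i + 2]
        if ch in "\"'`":                      # string literal: skip to closing quote
            i += 1
            while i < n and src[i] != ch:
                i += 2 if src[i] == "\\" else 1
            i += 1
        elif two == "//":                     # line comment runs to end of line
            end = src.find("\n", i)
            end = n if end == -1 else end
            yield src[i + 2:end]
            i = end
        elif two == "/*":                     # block comment runs to */ (or EOF)
            end = src.find("*/", i + 2)
            end = n if end == -1 else end
            yield src[i + 2:end]
            i = end + 2
        else:
            i += 1


def comment_urls(src):
    """Return (url, is_code_host) for every URL found inside a comment."""
    found = []
    for text in iter_comments(src):
        for m in URL_RE.finditer(text):
            url = m.group(0).rstrip(".,;:")   # drop trailing sentence punctuation
            host = (urlsplit(url).hostname or "").lower()
            shared = any(host == h or host.endswith("." + h) for h in CODE_HOSTS)
            found.append((url, shared))
    return found


# Constructed sample, not from a real extension.
SAMPLE = '''// Adapted from https://stackoverflow.com/a/0000000 (constructed link).
const api = "https://api.example.test/v1"; // endpoint, not a reference
/* helper copied from https://github.com/example/repo/blob/main/util.js */
fetch(api + "//path");
'''
```

URLs that appear only in string literals, such as the `api` endpoint in the sample, are deliberately excluded because they describe runtime behaviour rather than code provenance.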
