But now, the GCWS—known for its extensive repository of third-party Chrome extensions—finds itself at the centre of a troubling discovery.
A study by Stanford University security experts Sheryl Hsu, Manda Tran and Aurore Fass has revealed that millions of users are unknowingly running compromised versions of the
Despite their popularity,
Their methodology was twofold. First, they examined historical data from previous research on the security vulnerabilities of Chrome extensions.
Next, they embarked on a massive analysis. They downloaded and scrutinised the code of approximately 1,25,000 extensions available on GCWS from July 2020 to February 2023, searching for security-noteworthy extensions (SNEs): extensions that violate GCWS policies, contain malware, or contain vulnerable code.
The analysis uncovered alarming results. Around 346 million users had downloaded SNEs from GCWS during the two-year period. A staggering 280 million of these downloads involved extensions with malware.
Furthermore, the research highlighted the variability in how long SNEs remain on GCWS—ranging from a few months to several years—suggesting that problematic extensions often fly under the radar for extended periods. User reports of problematic extensions are infrequent, further exacerbating the issue.
This stands in stark contrast to Google's assertion that less than 1% of extensions hosted on GCWS contain malware. Despite Google’s claims of thorough vetting procedures, the study’s findings indicate a significant gap between policy and practice in ensuring user safety on the GCWS.
The findings were recently posted on the arXiv preprint server and can be accessed here.