Chrome extensions are a security nightmare; here’s why you should avoid them
Posted by Joshua Long
For decades, popular Web browsers have offered the ability to extend their capabilities through the use of third-party extensions.
Today, Google Chrome is the most popular desktop browser on the planet, with a roughly 65% market share. Microsoft Edge is the number-two browser, with a 13% market share, and it’s also based on Chromium—the open-source version of Chrome. These and other Chromium-based browsers support extensions from Google’s Chrome Web Store.
Malware in Google’s Chrome Web Store
Google would have you believe that Chrome extensions are, by and large, extremely safe. On June 20, the Chrome Security Team wrote on the Google Security Blog that “In 2024, less than 1% of all installs from the Chrome Web Store were found to include malware,” noting “We’re proud of this record.”
It seems odd to be “proud” that close to 1 in every 100 extension installs from their store contains malware. Imagine a doctor bragging to patients, “Only 1 in 100 patients gets sick as a result of visiting our office!” That’s an alarming failure rate.
Also concerning is that Google’s claim presumably* didn’t even take into consideration an August 6 report about “at least 300,000 users across Google Chrome and Microsoft Edge” who had unknowingly installed extensions from a specific malware campaign over the past three years. (*The exact timeline of communication between the researchers and Google is unclear.)
Extension risks go far beyond malware
Two days before the Google blog post, researchers from Stanford University published a study examining the safety of extensions in the Chrome Web Store (CWS). Most of their sample data was collected through May 2023. But the results may reflect a somewhat similar situation to today’s Chrome Web Store—and they’re shocking.
The researchers defined “security-noteworthy extensions” (SNE) as malware-containing, privacy-violating, or known-vulnerable extensions. And they found many of each.
Some of the key takeaways from the research include:
- SNE “stay in the CWS for years, meaning that their user base can stay at risk for years.”
- “Over 346 million users installed a SNE in the last 3 years.”
- “Users do not give SNE lower ratings.” In other words, even unsafe extensions often have high user ratings.
- “Almost 60% of extensions have never received any updates.” The researchers note that unmaintained extensions miss out on “security and privacy improvements such as those offered by Manifest V3,” a platform update that improves baseline extension security.
- At least 42% of vulnerable extensions were “still in the CWS and still vulnerable 2 years after disclosure.”
- “Almost a third of extensions (40k) use a JavaScript library with a known vulnerability.” This issue alone impacts nearly 500 million extension users.
- “Even when developers update their extensions, they often do not update vulnerable libraries” within them. In other words, even extensions that have been updated recently should not be presumed to be safe.
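One check a defender can run against the extensions already installed in a Chrome profile, as an added example that is not from the Stanford study or this post: it parses each extension’s manifest.json and flags those still on Manifest V2, those asking for access to every site, and those holding a few broad-reach API permissions. The profile directory layout and the short list of “powerful” permission names are assumptions, not anything the study defines.

```python
import glob
import json
import os

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed short list of API permissions with broad reach into browsing data or other processes.
POWERFUL_APIS = {"tabs", "history", "cookies", "webRequest", "debugger", "nativeMessaging"}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json; an empty list means nothing flagged."""
    findings = []
    version = manifest.get("manifest_version")
    if version != 3:
        findings.append(f"manifest_version={version}: not on Manifest V3, the current platform baseline")
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append("host access to every site: " + ", ".join(sorted(broad)))
    apis = perms & POWERFUL_APIS
    if apis:
        findings.append("powerful API permissions: " + ", ".join(sorted(apis)))
    return findings


def audit_profile(extensions_dir):
    """Audit every manifest.json under a profile's Extensions folder (assumed layout: <id>/<version>/manifest.json)."""
    report = {}
    for path in glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json")):
        ext_id = path.split(os.sep)[-3]
        with open(path, encoding="utf-8") as fh:
            report[ext_id] = audit_manifest(json.load(fh))
    return report


# Constructed sample manifests (not real extensions) so the script runs stand-alone.
MV2_SAMPLE = {"manifest_version": 2, "name": "old-helper", "permissions": ["tabs", "<all_urls>", "storage"]}
MV3_SAMPLE = {"manifest_version": 3, "name": "tidy-tool", "permissions": ["storage"],
              "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    for sample in (MV2_SAMPLE, MV3_SAMPLE):
        print(sample["name"], audit_manifest(sample) or ["no findings"])
```

Point audit_profile at a real profile’s Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) to get the same findings keyed by extension ID.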
This research is rather stunning, to say the least. But even this research doesn’t tell the whole story of why extensions can be unsafe.
Good extensions can take a turn for the worse, too
A little over a year ago, we reported on the Intego Mac Podcast about nearly three dozen browser extensions in the Chrome Web Store that contained search-hijacking code. Some of the extensions had contained this unadvertised malicious functionality for nearly two years before Wladimir Palant blogged about the problem, and Google finally took them down. But in the meantime, those 34 extensions had amassed 87 million users.
I pointed out on the podcast that sometimes this sort of thing happens “when a developer stops working on an extension or app, [and] someone else comes along and offers the developer a bunch of money and says, ‘Here, I’ll take over development.’ And then they start developing it and add malicious things to it.” While it’s unclear whether that may have been the case with those 34 Chrome extensions, it has certainly happened before, and will inevitably happen again.
In fact, just last August, the developer of a Chrome extension with 300,000 users spoke out about having received more than 130 solicitations to “monetize” his extension.
That’s to say nothing of overtly malicious extensions. In March 2023, we reported on a fake ChatGPT extension designed to hijack Facebook accounts.
Avoid installing extensions if at all possible
All of this speaks to the potential dangers of using any third-party browser extensions.
My recommendation is to avoid using any extensions at all—unless you’re absolutely sure you can trust the developer.
One of the most popular categories of extensions is advertisement and tracker blockers. The only ad-blocking extension that I both trust and personally use is uBlock Origin by Raymond Hill. Wladimir Palant’s Adblock Plus is fine, too; both developers understand browser security well. Or you can use a browser with built-in ad blocking, such as Brave, a privacy-focused, Chromium-based browser.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security, and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.