Cornell Researchers Question Chrome Extension Vulnerabilities

Chrome Security team defends verification process.


Google Chrome extensions that are known to feature vulnerabilities are still available in the Web Store two years after disclosure.

A recently published research paper by security specialists at Cornell University found clusters of extensions sharing a similar code base, often cut and pasted from public repositories and forums, including code from vulnerable JavaScript libraries, reports Computing.

This means that some extensions may feature vulnerabilities which are still present two years after disclosure.

In a blog post, Chrome Security Team members said that before an extension becomes available to install from the Chrome Web Store, it goes through two levels of verification to ensure it is safe, and that depending on the results of both the automated and manual review, “we may perform an even deeper and more thorough review of the code.”

“This review process weeds out the overwhelming majority of bad extensions before they even get published,” the team said. “In 2024, less than one per cent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions.”


Dan Raywood Senior Editor SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

