Chrome Security team defends verification process.
Google Chrome extensions known to contain vulnerabilities are still available in the Web Store two years after those vulnerabilities were disclosed.
A recently published research paper by security specialists at Cornell University found clusters of extensions sharing a similar code base, often cut and pasted from public repositories and forums, including code from vulnerable JavaScript libraries, Computing reports.
This means that some extensions may still carry vulnerabilities in those libraries two years after the flaws were disclosed.
In a blog post, Chrome Security Team members said that before an extension can be installed from the Chrome Web Store it goes through two levels of verification to ensure it is safe, and that depending on the results of both the automated and manual review, “we may perform an even deeper and more thorough review of the code.”
“This review process weeds out the overwhelming majority of bad extensions before they even get published,” the team said. “In 2024, less than one per cent of all installs from the Chrome Web Store were found to include malware. We're proud of this record and yet some bad extensions still get through, which is why we also monitor published extensions.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.