Chrome Web Store's Extension Crisis: Security Experts Sound the Alarm

AI-created, human-edited.

In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte dove deep into the troubling state of Google Chrome's Web Store, drawing from Vladimir Palant's revealing exposé. Palant, the original developer of Adblock Plus, presents a damning critique of what has become a largely uncontrolled marketplace for browser extensions.

The discussion centered on Palant's blog post titled "Chrome Web Store is a mess," which details systematic problems with Google's extension ecosystem. As Gibson and Laporte explored the findings, several alarming issues came to light:

Despite Google Chrome commanding roughly 90% of the browser market share, the company appears to take a "least effort required" approach to moderating its extension store. Reports of malicious extensions often go unaddressed, and when action is taken, it's inconsistent and seemingly reluctant to confront established businesses.

The hosts highlighted particularly egregious examples of review manipulation, including an extension with just 30 users receiving nine five-star reviews in a single day. As Gibson noted, detecting and cleaning up such obviously fraudulent reviews would be "trivial" for Google to implement, raising questions about the company's commitment to maintaining store integrity.
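As an added illustration of the kind of check Gibson calls trivial (this is example code written for this summary, not from the podcast or from Palant's post), the sliding-window heuristic below runs over a constructed review log and flags any 24-hour stretch in which the number of reviews is implausible for the extension's user count. The thresholds, the record format and the sample data are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample (not store data): an extension with 30 users that
# collects nine five-star reviews in one day, plus two earlier organic reviews.
USER_COUNT = 30
REVIEWS = [
    ("2024-03-02T10:15:00", 4),
    ("2024-03-20T18:40:00", 5),
] + [(f"2024-04-11T{h:02d}:00:00", 5) for h in range(9, 18)]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_review_bursts(reviews, user_count, window_hours=24,
                       min_reviews=5, max_user_fraction=0.1):
    """Flag stretches where reviews arrive faster than the user base allows.

    A window of `window_hours` is suspicious when it holds at least
    `min_reviews` reviews AND that count exceeds `max_user_fraction` of all
    users (assumed thresholds). Overlapping suspicious windows are merged
    into one burst so each incident is reported once.
    """
    events = sorted((_parse_ts(ts), rating) for ts, rating in reviews)
    window = timedelta(hours=window_hours)
    bursts = []  # each burst is a dict of start/end indices into `events`
    start = 0
    for end in range(len(events)):
        # Slide the window start forward until events[start..end] fit inside it.
        while events[end][0] - events[start][0] > window:
            start += 1
        count = end - start + 1
        if count >= min_reviews and count > user_count * max_user_fraction:
            if bursts and bursts[-1]["end"] >= start:
                bursts[-1]["end"] = end      # extend the current burst
            else:
                bursts.append({"start": start, "end": end})
    report = []
    for b in bursts:
        span = events[b["start"]:b["end"] + 1]
        report.append({
            "first_review": span[0][0].isoformat(),
            "reviews": len(span),
            "all_five_star": all(r == 5 for _, r in span),
            "share_of_users": round(len(span) / user_count, 2),
        })
    return report
```

On the sample above the function reports a single burst of nine five-star reviews starting 2024-04-11T09:00:00, which is 30% of the installed base; the same nine reviews on an extension with 10,000 users are not flagged.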

Perhaps most concerning is the revelation about Google's "featured" badge for extensions. Despite Google claiming manual evaluation of featured extensions, the investigation revealed that numerous spam and non-functional extensions carried this supposedly prestigious designation. The criteria appear to be largely automated, focusing on superficial elements rather than actual security or functionality.

The podcast highlighted several key problems:

  • Rampant spamming of identical extensions under different names
  • Previously removed hostile extensions returning under new identities
  • A fundamentally broken permissions system
  • Unheeded developer reports
  • Massive extension clusters operated by potentially malicious actors

Leo Laporte revealed that he avoids these issues entirely by using Firefox, where extensions like uBlock Origin continue to function at full strength. Steve Gibson, while using a Chromium-based browser (Arc), emphasized the importance of sticking to well-known, trusted extensions like Bitwarden and uBlock Origin.

The discussion concluded with a sobering assessment: Google's dominant market position may have removed any incentive to properly address these issues. As Gibson noted, rather than telling listeners not to use Chrome extensions, the episode aimed to equip users with the knowledge to make informed decisions about their browser security.

The hosts suggested several practical approaches:

  • Stick to well-known, trusted extensions from reputable developers
  • Be extremely skeptical of featured badges and high ratings
  • Consider alternative browsers with more rigorous extension review processes
  • Understand that an extension's permissions requests should match its stated purpose

The situation appears unlikely to improve soon, with Google taking what Palant describes as an "entirely reactive" approach, typically addressing only those extensions that have already caused considerable damage. For users, the message is clear: proceed with extreme caution in the Chrome Web Store, as the security of your browsing data may depend on it.