Browsers Security

How Safe Is The Chrome Web Store Anyway?

Matthew Hughes 10-04-2015

Around 33% of all Chromium users have some kind of browser plugin installed. Rather than being a niche, edge-technology used exclusively by power users, add-ons are positively mainstream, with the majority coming from the Chrome Web Store and the Firefox Add-Ons Marketplace.


But how safe are they?

According to research due to be presented at the IEEE Symposium on Security and Privacy, the answer is not very. The Google-funded study found tens of millions of Chrome users have some variety of add-on based malware installed, which represents 5% of total Google traffic.

The research resulted in almost 200 plugins being scrubbed from the Chrome App Store, and brought into question the overall security of the market place.

So, what is Google doing to keep us safe, and how can you spot a rogue add-on? I found out.

Where Add-Ons Come From

Call them what you will – browser extensions, plugins or add-ons – they all come from the same place. Independent, third-party developers producing products that they feel serve a need, or solve a problem.



Browser add-ons are generally written using web technologies, such as HTML, CSS, and JavaScript What is JavaScript, And Can the Internet Exist Without It? JavaScript is one of those things many take for granted. Everybody uses it. Read More , and usually are built for one specific browser, although there are some third-party services that facilitate the creation of cross-platform browser plugins.

Once a plugin has reached a level of completion and is tested, it is then released. It’s possible to distribute a plugin independently, although the vast majority of developers choose instead to distribute them through Mozilla, Google and Microsoft’s extensions stores.

Although, before it ever touches a user’s computer, it has to be tested to ensure that it’s safe to use. Here’s how it works on the Google Chrome App Store.


Keeping Chrome Safe

From the submission of an extension, to its eventual publication, there’s a 60 minute wait. What happens here? Well, behind the scenes, Google is making sure that the plugin doesn’t contain any malicious logic, or anything that could compromise the privacy or safety of the users.

This process is known as ‘Enhanced Item Validation’ (IEV), and is a series of rigorous checks that examines a plugin’s code and its behavior when installed, in order to identify malware.

Google has also published a ‘style guide’ of sorts that tells developers what behaviors that are permitted, and expressly discourages others. For example, it is forbidden to use inline JavaScript – JavaScript that’s not stored in a separate file – in order to mitigate the risk against cross-site scripting attacks What's Cross-Site Scripting (XSS), & Why It Is A Security Threat Cross-site scripting vulnerabilities are the biggest website security problem today. Studies have found they’re shockingly common – 55% of websites contained XSS vulnerabilities in 2011, according to White Hat Security’s latest report, released in June... Read More .



Google also strongly discourages the usage of ‘eval’, which is a programming construct that allows code to execute code, and can introduce all sorts of security risks. They’re also not terribly keen on plugins connecting to remote, non-Google services, as this poses the risk of a Man-In-The-Middle (MITM) attack What Is a Man-in-the-Middle Attack? Security Jargon Explained If you've heard of "man-in-the-middle" attacks but aren't quite sure what that means, this is the article for you. Read More .

These are simple steps, but are for the most part effective at keeping users safe. Javvad Malik, Security Advocate at Alienware, thinks it’s a step in the right direction but notes that the biggest challenge in keeping users safe is an issue of education.

“Making the distinction between good and bad software is becoming increasingly difficult. To paraphrase, one mans legitimate software is another mans identity-stealing, privacy-compromising malicious virus coded in the bowels of hell.

“Don’t get me wrong, I welcome the move by Google to remove these malicious extensions – some of these should never have been made public to start with. But the challenge going forward for companies like Google is policing the extensions and defining the limits of what’s acceptable behavior. A conversation that extends beyond a security or technology and a question for the internet-using society at large.”

Google aims to ensure that users are informed about the risks associated with installing browser plugins. Each extension on the Google Chrome App Store is explicit about the permissions required, and can not exceed the permissions you give it. If an extension is asking to do things that seem unusual, you then have cause for suspicion.

But occasionally, as we all know, malware slips through.


When Google Gets It Wrong

Google, surprisingly, keeps quite a tight ship. Not much slips past their watch, at least when it comes to the Google Chrome Web Store. When something does, however, it’s bad.

Given that most people use Chrome to do the vast majority of their computing, it’s troubling that these plugins managed to slip through the cracks. But at least there was a procedure to fail. When you install extensions from elsewhere, you’re not protected.

Much like Android users can install any app they wish, Google lets you install any Chrome extension you want How To Install Chrome Extensions Manually Google recently decided to disable the installation of Chrome extensions from third-party websites, but some users still want to install these extensions. Here's how to do it. Read More , including ones that don’t come from the Chrome Web Store. This isn’t just to give consumers a bit of extra choice, but rather to allow developers to test the code they’ve been working on before sending it off for approval.


However, it’s important to remember that any extension that is installed manually hasn’t gone through Google’s rigorous testing procedures, and can contain all sorts of undesirable behavior.

How At Risk Are You?

In 2014, Google overtook Microsoft’s Internet Explorer as the dominant web browser, and now represents almost 35% of Internet users. As a result, for anyone looking to make a quick buck or distribute malware, it remains a tempting target.

Google, for the most part, has been able to cope. There have been incidents, but they’ve been isolated. When malware has managed to slip through, they’ve dealt with it expediently, and with the professionalism you’d expect from Google.

However, it is clear that extensions and plugins are a potential attack vector. If you’re planning on doing anything sensitive such as log in to your online banking, you might want to do that in a separate, plugin-free browser or an incognito window. And if you have any of the extensions listed above, type chrome://extensions/ in your Chrome address bar, then find and delete them, just to be safe.

Have you ever accidentally installed some Chrome malware? Live to tell the tale? I want to hear about it. Drop me a comment below, and we’ll chat.

Image Credits: Hammer on shattered glass Via Shutterstock

Related topics: Google Chrome, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. TechnicGeek
    November 5, 2016 at 7:52 am

    What about plugin user disabled and then decided to re-enable but found that it was no longer in Chrome Store? Should user stay away?

  2. Doc Szpinner
    September 5, 2016 at 12:43 pm

    Google Chrome extensions caused me problems, especially the SPEED DIAL ones like SPEED DIAL (FVD) and SPEED DIAL 2. Installation of each of these also installed tracking malware which was nearly impossible to delete. Removing the extension, then running spyhunter cleared the problems.
    If the extension had not been removed, the malware tracking returned. So it is crucial to remove the extension before running the cleaner app.

  3. A41202813GMAIL
    April 13, 2015 at 10:29 am

    The Browser CHROME Is Too *Safe* - For Power Users Anyway.

    I Would Love A Stable Version Where I Could Install Any .CRX File I Would Damn Want.

    Fortunately Most .CRX Files Are Compatible With OPERA5+.

    OPERA15+ Has Not ( Yet ) Followed The CHROME Policy *Lead* On Extensions - The Very Reason I Dumped CHROME In Favor Of OPERA15+.


    • A41202813GMAIL
      April 13, 2015 at 10:33 am


      I Meant OPERA(1)5+, NOT OPERA()5+.

      No Edit Functions.