cispa_all_4057.pdf (3.77 MB)

What is in the Chrome Web Store?

Download (3.77 MB)
conference contribution
posted on 2024-03-05, 12:21 authored by Hsu, Sheryl, Tran, Manda, Aurore FassAurore Fass
This paper is the first attempt at providing a holistic view of the Chrome Web Store (CWS). We leverage historical data provided by ChromeStats to study global trends in the CWS and security implications. We first highlight the extremely short life cycles of extensions: roughly 60% of extensions stay in the CWS for one year. Second, we define and show that Security-Noteworthy Extensions (SNE) are a significant issue: they pervade the CWS for years and affect almost 350 million users. Third, we identify clusters of extensions with a similar code base. We discuss how code similarity techniques could be used to flag suspicious extensions. By developing an approach to extract URLs from extensions' comments, we show that extensions reuse code snippets from public repositories or forums, leading to the propagation of dated code and vulnerabilities. Finally, we underline a critical lack of maintenance in the CWS: 60% of the extensions in the CWS have never been updated; half of the extensions known to be vulnerable are still in the CWS and still vulnerable 2 years after disclosure; a third of extensions use vulnerable library versions. We believe that these issues should be widely known in order to pave the way for a more secure CWS.


Preferred Citation

Sheryl Hsu, Manda Tran, Aurore Fass. What is in the Chrome Web Store?. In: AsiaCCS. 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM ASIA Conference on Computer and Communications Security (AsiaCCS)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_4057, author = {Sheryl Hsu AND Manda Tran AND Aurore Fass}, title = {What is in the Chrome Web Store?}, booktitle = {AsiaCCS}, year = {2023} }

Usage metrics


    No categories selected



    Ref. manager