Even though the upcoming changes in Chrome 25 will make life harder for attackers, a piece of malware could still potentially replace the whole Chrome installation with a backdoored one, Balazs said. He pointed to the first of the "10 Immutable Laws of Security" as published by Microsoft, which reads: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore."
In July, when Google banned Chrome extension installations from third-party websites, the company also said that it would start analyzing all extensions listed in the Chrome Web Store for malicious behavior and would remove the offending ones.
However, malicious extensions have been found in the Chrome Web Store on multiple occasions since then, suggesting that Google's extension scanning and review mechanism can be bypassed. On Aug. 30, researchers from Barracuda Networks warned that Facebook scammers had tricked over 90,000 users into installing several malicious Chrome extensions hosted in the Chrome Web Store before Google removed the extensions.
A Dec. 20 alert from Facecrooks, a group that monitors Facebook threats, warned about a scam that tricked users into installing a rogue Chrome extension by claiming that it changes the color scheme of their Facebook profile.
According to Balazs, the fact that malicious extension developers manage to bypass the Chrome Web Store's malware detection systems is not that surprising.
"Right now Google is the security standard when it comes to browser extension security," Balazs said. However, one big step forward for Google would be to disable the old NPAPI (Netscape Plugin Application Programming Interface) plugin architecture everywhere -- it is now disabled in Chrome for Windows 8 Metro and Chromebook -- and promote the more secure and sandboxed Native Client architecture, he said.