Chrome extensions are generally updated in the background without user interaction, unless their permission requirements change. The problem is that many installed extensions already have the permission allowing them to modify content on Web pages visited by users.
In the two reported cases the existing extensions were modified and used for aggressive advertising. However, the same technique can be used for more nefarious purposes.
"They could do worse like creating spam tweets on behalf of the extension users, or steal information from opened web pages," Skabichevsky said. "The extension was using my old Twitter API keys and I just reset them."
Using extensions to distribute malware directly is unlikely because Chrome scans downloaded binaries and flags the suspicious ones, said Zoltan Balazs, the CTO of IT security research firm MRG Effitas, via email. Even if they pass the scan, launching malicious binaries automatically would only be possible through a Chrome zero-day exploit and finding such an exploit is not a trivial task, he said.
Balazs has previously researched the security risks posed by browser extensions and has even released proof-of-concept malicious extensions.
"My opinion is that dropping traditional malware is not a real threat here, but performing form injection, password stealing, cookie stealing for bypassing two factor authentication, credit card information stealing and launching distributed denial-of-service attacks using the browser as a proxy are actions that can be done via malicious extensions," he said. "I believe criminals buy extensions that already have a lot of permissions."
"Chrome add-ons can inject scripts into web pages so they can possibly do nasty things, though there are no known cases of them spreading malware yet," Agarwal said Monday via email.
The developer believes there should be an audit process in place on the Google Chrome Web Store like there is on the Mozilla Add-ons repository. There should also be a feature that allows users to figure out what a particular extension does to the websites they visit, he said.