27 Out of 100 Chrome Extensions Insecure

Here’s something to keep in mind when shopping for extensions for Google Chrome …

Security researchers Nicholas Carlini, Adrienne Porter Felt, and Prateek Saxena reviewed 50 popular and 50 random Chrome extensions from the official Chrome Web Store for security vulnerabilities and discovered that 27 of the 100 extensions “leak all of their privileges to a web or WiFi attacker”. These 27 extensions account for a total of 51 vulnerabilities. Seven of the vulnerable extensions have more than 300k users each according to data provided by the Chrome Web store.

Bugs or bad programming practices may leak information like passwords or history to web and Wi-Fi attackers. The developers provide two examples of how extensions can be exploited by attackers. The two extensions mentioned, Open Attribute and Silver Bird, have since been fixed by their development teams.

The Open Attribute extension helps users read the Creative Commons (CC) licenses of web sites. In the typical use case, a user clicks on the extension’s browser action to see a web site’s attribution information. Open Attribute embeds the site’s CC license in the extension’s popup window, using innerHTML. A malicious web site could serve a fake CC license that includes inline scripts, or a WiFi attacker could insert inline scripts into a license provided by a legitimate web site like Wikipedia. The inserted code then runs in the extension’s popup window with the extension’s privileges. This bug was fixed in Open Attribute 0.7 by setting a Content Security Policy for the extension.

Example 2: Silver Bird
Silver Bird allows users to post and read Twitter messages without navigating to twitter.com, and it currently has over 200,000 users. The extension makes an XHR to Twitter using either HTTP or HTTPS, based on the user’s settings. It displays the retrieved messages in the core extension, using innerHTML in several places. If a user were to specify an HTTP URI, a WiFi attacker could insert inline scripts into the XHR response. Luckily, Twitter prevents its users from launching this attack by sanitizing user messages. This bug was fixed in version by replacing innerHTML with innerText.

The two other extensions that have been named in the article are Last Pass and XMarks, which were both protected against those kinds of attacks.

Interestingly enough vulnerabilities were split more or less evenly between popular and random samples, as Adrienne Porter Felt points out.

Probably the most interesting aspect here is that the vulnerability count would drop from 51 vulnerabilities to 2 (a reduction of 96%) if the extension developers would have followed Google Chrome’s Content Security Policies. Implementing those security guidelines will block attempts by an attacker to “take over an extension by injecting malicious JavaScript into the core extension”.

The researchers have decided to not publish the full list of vulnerable and protected extensions at this time to give extension developers ample time to protect their extensions from these kind of attacks.

The developers are not aware of attacks exploiting those vulnerabilities at this point and note that nearly all important extensions with vulnerabilities have updated their extensions already.

The full security paper will be released at the beginning of November. (via)

© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. | Permalink |
Add to del.icio.us, digg, facebook, reddit, twitter
Post tags: , , ,

Link to Original Content

Tags: , , ,

Comments are closed.