Chrome extension vetting

More than a few people are saying, and in more than a few places I am reading, that Chrome browser has no vetting process for its extensions.

How could this be possible, especially for a browser known for its security-awareness and features? The thought of Chrome not having a vetting process for extensions absolutely floors me, yet the more I search for info on that subject, the more I encounter what some Wilders members have been saying... there is no vetting process.

I started to delve into this on another thread recently, but have since decided the topic deserves its own space.

The most substantial info I have read so far regarding the existence of a Chrome extension vetting process actually came via an email I received a few months ago from a Google Developer Advocate and member of the privacy team, Mike West.
I had emailed Mike about a Chrome Privacy article he's written, and I asked if he was referring to the Chrome extension vetting process in any part of his article?
The reply came back that he was not.
He stated that my question was more appropriate for the security team, but he did say this much about the vetting process for extensions...

Now, I know Mike's response isn't very detailed, and perhaps not conclusive, but in my opinion, it does at least counter the "no vetting process" statements that seem to prevail everywhere about Chrome extensions.

So, I'd like to know, what have you learned about this process?
Is the open source aspect what Chrome devs are banking on for vetting?
How can I get more details on this subject?
Are other Chrome users (or observers) amazed at the possibility that there is no extension vetting process?

I did come across one review (of sorts) that is floating around out there under various reincarnations, that does reference the process, by saying...

I've seen this repeated in at least a couple places, such as here and here.
I have emailed both of these sources and asked them to share with me where they came up with the "basic vetting process" info. No replies as of yet.

Any comments or contributions to this topic will be appreciated.

 

All I know about the vetting process right now is that it exists and there's a "Verified Author" label on extensions. I have no idea what that label means or if there's any behind the scenes vetting.

I think Chrome basically relies on sandboxing extensions. If an exploit happens in an extension it can't access much information, unless that extension has already stated it wants those rights.

The one example I have seen of a "malicious" extension (it seemed to be recording some type of information... ) was caught by the community and removed by Google.

 

HM, can you tell me how a Chrome user can check to see if their extensions are "verified", and how a user can check their predefined sandboxes when they install, in order to know what rights they have and don't have?
(My daily PM limit has been reached.)

 

https://chrome.google.com/webstore/category/home

Search the extension. It'll say if it's verified or not.

I think verified just means that the extension has been linked to the website they say they're linked to.

 

Well, of the 5 Chrome extensions I run, only three are listed as verified.
Interestingly, the 2 that aren't verified are a couple of BitDefender extensions... TrafficLight and QuickScan.
Now if I am understanding this verification properly, what this means is that the Chrome Web Store isn't guaranteeing that the extension was created by the verified author.
Jeez. Now why would I want to keep two extensions around with that lack of authenticity?



Edit in: The heck with 'em... until I get a different opinion or a clearer understanding, they're both removed.

 

It pretty much means that if I make an application and I run Wilders and I say "This is the wilders extension" they'll verify that I'm the creator of wilders as wella s the extension.

It's kinda... eh. I mean, if it's something like bitdefender that's nice because you know bitdefender is legitimate.

 

I most definitely know that BitDefender is legit, but the Chrome Store, via their verification system, isn't able to say that the extension is actually from BitDefender. Tell me I have that wrong.

 

Doesn't this mean I can create an extension and say I'm BitDefender?

 

You could link it to the bitdefender site but you wouldn't get verified as bitdefender.

Yeah they might just not have verified it.

 

I remember reading a Softpedia article in 2010 about extension developers having to pay to put their extensions in Google Chrome Web Store, as a step to prevent rogue extensions from going there, as it would make it not worthy for rogue extensions developers.

My question is, how good is that as a vetting process, as there's really no extension verification? We had a recent case with a Google Chrome extension, as Hungry Man pointed out.

My other question is, how many more extensions like that exist in Chrome Web Store?

Do we know if there aren't more? Can we be really sure they're all clean? Maybe it's time for you to learn JavaScript and study those extensions.

And, my final question is: This payment is working? We know of one rogue extension, at least. And, only because the community found it; not Google. So, is it worthy for bad guys to pay a small fee, after all?

 

I don't think there's any paying to get your extension onto the web store. If there were that wouldn't be a vetting process, someone wanting to spread malware that will make them thousands will pay the 24 dollars or whatever it is.

At this point if you get your extension from someone who is "verified" check to see what site it's from. If that's a trusted site or even a certified site that's a fair bet that it isn't outright malicious.

 

Actually, $5. And, I'm just being a messenger...

Like you, I'm in doubt if there's any fee payment. Because, if there is, it sure is failing to do what it was suppose to do.

-http://blog.chromium.org/2010/08/security-improvements-and-registration.html

Now, is it for real or isn't happening, at all? Either way, it's a poor job.

 

Interesting. But that's still an awful attempt at a safeguard.

I can see it working at only the most basic skiddy level. It'll discourage some kid from making a malicious extension just to mess with people. But if I'm serving up Java exploits to hundreds of people via my extension I'm going to make thousands of dollars, I can throw 5 down for investment.

 

What about the question I asked in the original post...
Might the open source aspect be what Chrome devs are banking on for vetting?

Doesn't Google pay people who find vulnerabilities?
I recall seeing articles about so and so got x amount of dollars for this, and somebody else got x amount for that.

Just like we have a community within a community here at Wilders who love to experiment with new software, isn't it easy to imagine a community of Chromies who search extensions for signs of exploitation?

 

Only in their code, not extensions.

Sure, that's how the other extension got caught I believe.

 

That should be Google's job, not the job of a community of users. Will we soon see something like WOT? This extension is bad, this one is good? Hope not.

Also, whatever some of the Wilders Security Forums users may test will never hit the many millions of people out there. They serve their purpose for a limited number of people coming here. The more people it helps the better, though.

This is taken from the blog of the person who spotted the action the extension was performing:

Source: -http://codeonfire.cthru.biz/?p=96

That person wasn't exactly investigating the extension. If the site wouldn't take long to respond, most likely we wouldn't even know about it as of today.

The only reason for investigating it was precisely due to the slowness of the site.

Then again, after the author(s) of the extension removed the problematic code, Google reintroduced it back in Chrome Web Store, when it should not... so... anyone is free to put whatever trust they want in Google in what comes to vetting extensions... But, as I stated in the thread where you brought it up, such extension developer is not trustworthy, and the extension/future extensions from the same person should never make it into Chrome Web Store.

 

No, but they realized something was happening, had a look, and saw the issue.

I wouldn't rely on open source for extensions though. There are way too many.

If this were the case for Firefox we wouldn't have NoScript.

 

And, I'm glad that blog's author noticed it and reported it. Google...

I'm afraid I'm not familiar with that story... if there's any you'd like to tell me in PM, so that we don't go off-topic? But, I'm having a feeling you're saying the guy was mean at some point in his life?

 

Yes, that's what I'm saying. We'll just leave it at that - it was a little bit of drama that's all settled now and Maone apologized and all is right in the world now. I believe he was legitimately sorry about it.

I agree, vetting is necessary and Google is not doing it properly. If they don't change that we'll have the same issues we do on android.

 

I respect that. I did a research of my own, though. I would never install such an extension ever again, if I ever had it. That much I can tell you.

By the way, many bad people out there are also legitimately sorry about their bad actions. But, I still want nothing to do with them. Now, I'm not saying NoScript's author is such a person, but his actions would inspire me no trust on him. The same about what happened with this Google Chrome's extension. It's just a principle I have. Call me rigid...

I'm also very sorry for drinking too much lemonade with beer this last Xmas and New Years ever.

 

There certainly were trust issues.

Some things we can just forgive I think =p it's the holidays.

 

I agree that it should be Google's job.
But how do you know that Google isn't doing it?
What I am searching for in this thread is actual info on what Google does or doesn't do in way of a vetting process for extensions.
I see a lot of mention lately that Google has no vetting process. You yourself have said this a few times lately, if I am not mistaken.
Well, I have so far presented info from a named source whose words indicate that there is a vetting process for extensions...

And I am trying to find out more concrete info... because it is just too hard for me to believe that a browser that is so focused on security would allow such a security hole as unvetted extensions to exist.

 

Well, the first clue that I got is that every time I search for info on Mozilla's vetting process is that, there's in fact one. I can find information of such.

I can't find any information on whether or not Google has one. But, I can find other sources - as you probably also found - that say Google doesn't have it.

Also, considering the aggressive monster Google is in terms of market domination, I'd expect them to provide information showing what they actually do to make sure the extensions are safe.

I just wouldn't expect no less from Google, but that information lacks, and I got to ask myself why such happens. Does Google have a vetting process and they simply don't want to share?

Wouldn't they want their users to be assured they do have a vetting process in place? Like saying Hey, we not only have a secure browser, we also make sure you have no problems installing extensions from Chrome Store. We keep you safe.

All this together makes me say they have no vetting process.

Hungry Man talked about the Verified author. What it means is:

They only confirm the extension comes from whoever creates it; that's not the same as saying it's safe to use. I can create one, Google puts the label "Verified author", but does that mean I'm an OK person?

 

-edit-

Also, the recent Accuvant's research sponsored by Google didn't provide any information on whether or not there's a vetting process. Interesting, wouldn't you say? Wouldn't Google be interested in letting users know about it?

They did say Mozilla has one, though. Something we know.

 

Actually I found two sources that say very clearly that they do have a vetting process for extensions, and I posted them. But I am not claiming that this seems satisfactory to me... on the contrary, I am frustrated that more documentation is not readily available. That is pretty much the reason I started this thread.

Me too, but again, because we expect them to provide it, and we are unable to confirm it, are you correct to then say there is none?

Again, I direct you to the Mike West quote.

I actually think Google does tell people they keep them safe, but only tech-minded individuals like us here at Wilders care enough to dig deeper and search for specific info and answers. But the general public probably has no such concern for extension vetting processes, don't you agree?

Not a conclusion that I feel is safe to arrive at, nor a statement that I am ready to make.

Yes, I understand the verification system, as noted in earlier posts in this thread.
I actually removed two BitDefender extensions once I fully comprehended what the verification means.
Prior to that understanding, I was content in trusting BitDefender.
Now I realize that Chrome Web Store is saying they are unable to verify that the extensions I had actually came from BitDefender.
That's weak.
So I removed them. Whether it's an oversight or what, they are off my computers until other info become available.

Again, I don't see why they wouldn't, and it has me very perplexed.