Chrome extension vetting

Discussion in 'other security issues & news' started by Page42, Dec 31, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Definitely not.

    That process can be useful since you can go to the website and see what it's about. Maybe they're a certified website or well known. If that's the case it's a strong argument that it's legitimate.

    This kinda offloads the vetting process to CAs and users. Not great.

    I think Chrome pretty much does little to no vetting and instead relies on the user to look at the rights that the extension wants.

    A malicious extension would need to ask for rights to my passwords etc.

    And an exploit in an extension is still sandboxed.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think Firefox gives extensions tons of rights but it vets the repository. Chrome does very limited vetting but applications are limited by the sandbox (they have to ask for rights) and the API. Perhaps this is why they have been so slow to open it up?
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm talking about the extensions, and I've never seen any public information saying I'm wrong. Sorry, but until anyone is able to point me to public information mentioning what steps Google takes to vet extensions, I'll stick to what I know - I cannot find any public information saying that they do have, while I can find information saying that they don't. Google doesn't say this information is inaccurate either. So, what's really going on?

    And, the general public has no interest in knowing that Google Chrome has a sandbox - and, probably, don't even know it - yet, Google does provide great information on how the sandbox works. Why wouldn't they do the same for the extensions vetting process, if one exists? o_O

    The higher % of Firefox users have no interest in knowing what Mozilla is doing either. Mozilla does provide the information about all the steps they do in order to keep their users safer in what comes to extensions. Is it 100% perfect? No, but it sure helps a lot. It sure is a lot better than not having one.

    An example of public information saying they don't have it -http://www.securityweek.com/hacking-google-chrome-talk-puts-security-focus-extensions

    So, in what do you believe? Do you believe there's one or that there isn't one?

    In this case, you could try to contact with BitDefender and ask them if the extensions belong to them. Then, it would be matter of trust - trusting they were telling you the truth. :D

    First, that's not an official public information coming from Google itself, like the information they give for their sandbox. You got that answer in an e-mail, and that's up to you whether or not to believe it.

    I have no idea if it's true or not. Again, it's a matter of trust. It puzzles me that such information is lacking in Accuvant's report. A report that Google sponsored.

    I hope they do have such a process in place, though. But, what's the real % of such extensions? o_O Is that the same as saying all other extensions don't pose a risk? Not really.

    Also, what are these variety of internal systems that analyze extensions in a variety of ways?

    Where can we learn more from it? Why doesn't anyone know about it? Not even Accuvant, that released a report paid by Google?

    Above, I pointed to a link that shows that apparently they don't have a vetting process, at all.

    If we take the most recent situation about Smooth Gestures extension, what else do I have to believe they have a vetting process? That guy Mike West's own word? That's not enough for me. His word is not the word of Google, IMHO.

    If there was public information and Google was lying, that would be a great loss of trust from Google. So, if there was a vetting process, I do believe we'd see public information.

    But, isn't that the problem? How do I know the extension is malicious? If I install an extension to manage my passwords, how can I be sure it's clean? If Google Chrome alerts me the extension wants to access my passwords, that's normal, isn't it? So, I'll allow it. The extension is in Google Chrome Web Store, it even has a "Author verified", so I'll trust it. That's probably what most people will do, isn't it? :ouch:
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    So by "public information", do you mean statements issued by Google?
    Because you proceed to issue so-called public information from someone other than Google and point to it as proof that there is no extension vetting.
    I did that too.
    I linked an article that said,
    Very frustrating, indeed. But can Google be expected to respond to everything that everybody publicly says about it? I don't think so.

    If this isn't a rhetorical question, and you're asking me, I believe that there is a vetting process for extensions, but I'm having a hard time finding solid info to describe or even confirm it, hence the thread... to see what people here know and think and believe.

    I know you're not implying that I made the quote up. I know that you mean, how do we know if what MW is saying is correct? And we don't. We choose what we want to believe. Or more accurately, for me at least, I lean towards what looks to be most plausible.

    Well, many companies would reply to such questions by saying that is proprietary information, wouldn't they? Maybe that isn't the way Google appears to be operating... they appear to be aiming for transparency... but keep in mind that what we are all looking for is an under-the-hood look at a process that most companies would certainly tell you is none of your business. Am I wrong about that?

    That's what I am trying to find out, m00nbl00d! Where can we learn more and why doesn't anyone know?

    The word 'apparently' just might be the operative word here.
    Agree. MW's word is not enough for me either, and I am not suggesting that it should be for you, or anyone else. I want more... isn't that obvious? :D But I do take his word as a strong indication. And I am trying to determine more... I have sent more emails and I have some ideas about who else I can contact to try to discover more.

    I know from reading past threads that you do what you can to find out more info when something doesn't seem right... I remember the banking security issue that you took up and made your own. That's how I feel about this extension vetting question, m00nbl00d. There needs to be more light shed on this subject, because as it stands right now, things don't add up.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, by public information, I mean statements issued by Google. I do realize I'm basing my knowledge over non-Google information, but I'm also basing it on the fact that Google was aware of that same information, and yet they didn't feel the need to counter such information. Wouldn't it be in the best interest of Google to let Google Chrome users know there is a vetting process?

    I previously missed the other two links you provided. :oops: But, Expert Reviews says:

    This doesn't say much. Are they referring to the "Verified author"? I can't honestly say what the heck they're referring to; on the other hand, the article I pointed to, shows that two security researchers managed to get a rogue extension in Chrome Web Store without any issues.

    I'm pretty sure that got Google's attention. So, if there was indeed a vetting process, then it was a very poor one, and it still is a very poor one, otherwise the Smooth Gestures fiasco would most likely not happen. I want to believe in this. :blink:

    Not everything, but when two white hats show the flaws (-http://www.securityweek.com/hacking-google-chrome-talk-puts-security-focus-extensions), I'd expect a reaction from Google. I wouldn't expect them to react to some blog post I may run, though. But, two white hats aren't exactly m00nbl00d. :D

    If there's one, then it's a rather weak one and one that doesn't seem to work. Then, it would be in everybody's interest (except bad guys ;)) that Google improves it for once and for all.

    To be honest, I don't know what's worse, if not having none or having one that doesn't work. o_O If the latter is what happens, then it's the same as not having none. :blink:

    Nope, I was not implying that. :D

    I'm also looking at what looks plausible to me. In worst case scenario, there's a vetting process that simply doesn't work. :argh:

    If you're wrong? Heck, I don't know. Maybe the vetting process mechanism is worth $$$$$$... :eek: :D

    And that is the question - Why doesn't anyone - including Accuvant - know about it? Regardless of what other blogs may say about the vetting process, Google did pay Accuvant to make a report on the differences between Google Chrome and other main browsers; so, their intention was to send a message - we got the most secure browser. Why would they want to purposefully leave the extensions vetting process out of the report? Isn't a good vetting process system as important as a sandbox? In the end, the sandbox doesn't matter if you decide to trust extensions just because they're on Chrome Web Store.

    I just find this very confusing, that's all. And, the more I dig about it, the more I'm inclined to believe and say there isn't any - or a very very weak one.

    Maybe that's why such information lacks in Accuvant's report. Google has one, but it's simply weak and not worth mentioning it in the article, as it would make them look bad?

    Which probably is where apparently comes in. So, apparently it has no vetting process, because it's a rather very weak one? Take your pick. o_O

    It could very well happen what I wrote above. lol

    And, you should never stop from wanting more. ;)
     
    Last edited: Jan 2, 2012
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    The other blog you pointed to, also says nothing more than what Expert Reviews says, and Web3Mantra sounds like a rip-off article. While the text differs a little bit, it's practically the same deal.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Right, that fact did not escape me either, m00nbl00d.
    That is why I wrote in the original post,
    Specifically, on 12/29, I wrote to the Reviews Editor, asking
    At the same time, the same question was posed to the contact source on the other review. :)

    On 12/31, I also emailed the security team at Google (at an address taken from the MW email) and referenced this thread and asked a bunch of pertinent questions.
    You can be sure that I will post any responses I may receive!

    In addition, I have located a couple of more good contacts... people who have been involved in writing about Chrome extensions and vetting specifically. I plan to send them inquiries as well.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Ah, OK! I also didn't notice that before. :D There's still too much sugar and a bit of alcohol in my blood. :blink: I'm not in my best right now. :p

    Yes, keep us posted. :thumb: In the end, it's all about one thing only - We want a vetting process. Whether it currently doesn't exist or is very weak, we just want one that simply works 99,99%. ;)
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Been awhile, and as you know, info on this subject isn't easy to come by.

    But I did just find the following reply from daaaveeeee, a Top Contributor on the Google Chrome Help forum, in the Give Feature Feedback and Suggestions section.

    daaaveeeee was responding to a suggestion for essential feature/fixes that stated, "More vetting/security for extensions to prevent a mass infection among users"...
    In addition to the above, below is a link to a YouTube vid from Adam Barth, entitled "Security, Google Chrome Extensions". Barth is a researcher working on the extensions system for Google Chrome, who "discusses how the extension system makes it easier for developers to create secure extensions".
    http://www.youtube.com/watch?v=DO-nzPqhdXw

    This video elaborates on the above quote from daaaveeeee, and makes it almost understandable to me, but hopefully it will resonate with others here who can tell me if they think it amounts to anything or not. ;)
     
  10. tlu

    tlu Guest

    On the Google Chrome Extensions FAQ site they write:

    This is confirmed here:
    Unless they have changed the process since that post was written, it is very obvious that there is no general vetting process (with the exception of extensions using NPAPI).
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That was going to be my reaction. The vetting process that exists is only for a security matter - and only those using NPAPI.

    @ Page42

    I never see any mentions to what they do to protect the users privacy, and to some extent their security as well. I'll explain. I develop an extension (no NPAPI, at all), I send it to Google Chrome Web Store. You like it, you use it and you accept whatever the extension says it will have access to. I have code in the extension that will steal your information, track you... and send all that to me.

    Is Google doing something about it? Not, if we take under consideration what user tlu mentioned.

    An extension doesn't have to make use of NPAPI to be dangerous - dangerous is a relative thing.

    I mentioned in another thread, unrelated to this topic, about how many people are using an extension such as Adblock Plus to block ads, including in Gmail? Obviously, I'm not saying ABP+ developer is evil, but you get my point, I suppose.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Did you watch the 2 minute video on extension security that I linked two posts above?
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I did. It happens what I mentioned before. It will only help from a security point of view, against vulnerable extensions that would be compromised/ compromise us otherwise, by limiting what the attacker can do.

    The guy did say that if we install a malicious extension, then all bets are off, because least privilege won't help you. No kidding? :p

    And, from where would we install the malicious extension? Yeah, the guy didn't say if it could be from Chrome Web Store.

    So, the guy talks about the security against an attacker targeting a vulnerable extension, but that's not new. He doesn't address our doubts - What are they doing - as of today - to protect us against rogue extensions?

    That video doesn't say anything about it, other than saying all bets are off - Why? No vetting process, I'd say. Otherwise, why would the guy say all bets are off? If there was a vetting process against rogue extensions, then it would be a lot harder to host a rogue extension in Chrome Web Store.

    This comes in the line of the information I gave the other day about two security researchers being able to host a rogue extension in Chrome Web Store without any problems, not so long ago.
     
    Last edited: Jan 13, 2012
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Saying "All bets are off" doesn't mean there's no vetting process. I honestly don't think there is one anymore but all he's saying is that if you were to get a malicious extension (there are repositories all over the internet) it would be able to define its own sandbox.

    I really doubt there's much of a vetting process at this point. There really should be though. Firefox manages to do it and I don't see why Chrome can't.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    We agree there's none, in what comes to protect users against rogue extensions. But, you don't know what he meant by saying All bets are off. I don't know either, so I just made an observation based on a few facts that have happened in recent pasts: Smooth Gestures extension fiasco and two security researchers were able to host a rogue extension in Chrome Web Store with no vetting process taking place.

    I believe this to be a very legitimate question - Can we really trust any extension in Chrome Web Store, rogue-wise? If I were a Firefox user, I'd have a high trust that Mozilla is doing a good job keeping rogue extensions out of their repository and keeping order in the house. I don't have such confidence with Google, though. I wish I could have.

    If I developed a Firefox extension and hosted it in Mozilla, Mozilla vetting process would make sure I don't have urges... or don't put them into practice. But, just because Mozilla's vetting process makes me trustworthy, the same doesn't mean I will be trustworthy with a same Google Chrome extension.

    Whether the guy meant All bets are off only for extensions installed from outside Chrome Web Store, we don't know. But, will 99% of Chrome users know and use any other source other than Chrome Web Store? Maybe... My guess is as good as any other. But, Chrome Web Store app comes with Google Chrome, if I'm not mistaken, so users have a fast way of having access to extensions without having to google them.

    Maybe we should sign a petition for Google to have one... o_O
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think so far what we know is that there is an extension vetting process but for extensions that call Java or some other NPAPI plugin and "other" extensions. That "other" is fairly vague. Maybe extensions that are calling every right? Maybe extensions that ask for password rights?

    There wouldn't be too much point in getting my twitter extension vetted since it only has access to my twitter profile (something anyone on twitter can access) and not my password or any other information. Why bother vetting it? For exploits? Who cares about exploits, we're using a sandbox.

    If the extension process is limited just to the extensions that could be dangerous that would certainly make sense. I'm glad that an extension can't just load up Java without it being tested.

    At this point all we can do is speculate and try to find some answers. What is the criteria for "other" ?

    They say "types of extensions" so it's not like "Oh let's pick this one out" there seems to be a definitive category of extensions that they differentiate and sort out and say "Let's check this guy out." If I had to guess, and this is entirely a guess, I'd say it's referring to extensions that can access passwords.

    It may also refer to "Accessing Data on All Tabs" or a wide variety of rights mixed together. No way to tell.

    And as for verified author, remember that it's not necessarily a vetting technique it's just showing you the origin. If I make an extension saying "I'm from Wilders!" but my Verified Author says I'm from evil.com or whatever you can say "Alright, this guy isn't from where he says he is, why is he writing this extension?" and deduce a lot.

    Verified Author helps a lot with trust. If I'm downloading an extension and I see "Oh it's straight from Google" or "It's straight from Twitter" or "It's from weather.com" I know that these are legitimate websites who will not be throwing malware around for kicks.

    EDIT: The youtube video brings up privilege separation, I wasn't aware that was part of the extensions. Interesting.

    As he says, if you were to install a malicious extension there's nothing you can do about it. It has whatever rights it wants. That isn't to say there aren't mechanisms in place to prevent that.
     
    Last edited: Jan 13, 2012
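The posts above speculate about which requested rights might single an extension out for review (NPAPI plugins, access to data on all tabs, and so on). As an added example that is not part of the thread and not Google's process, the sketch below triages an extension's manifest by the rights it declares. The risk tiers, the `triageManifest` name and the sample manifests are assumptions made for illustration.

```javascript
// Added example: triage a Chrome extension manifest by the rights it requests.
// The tiers (low/medium/high/critical) are this example's assumption,
// not criteria published by Google.

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions that expose browsing data (descriptions are the example's own).
const SENSITIVE_APIS = new Map([
  ["tabs", "can read URLs and titles of open tabs"],
  ["history", "can read browsing history"],
  ["cookies", "can read cookies for permitted hosts"],
  ["bookmarks", "can read and change bookmarks"],
]);

const LEVELS = ["low", "medium", "high", "critical"];

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

function triageManifest(manifest) {
  const findings = [];
  const add = (level, what, detail) => findings.push({ level, what, detail });

  // NPAPI plugins are native code: they run outside the extension sandbox.
  if (Array.isArray(manifest.plugins) && manifest.plugins.length > 0) {
    add("critical", "plugins", "bundles an NPAPI plugin (native code)");
  }

  for (const p of manifest.permissions || []) {
    if (typeof p !== "string") continue;
    if (BROAD_HOSTS.has(p)) add("high", p, "access to data on all websites");
    else if (isHostPattern(p)) add("medium", p, "access to data on matching sites");
    else if (SENSITIVE_APIS.has(p)) add("medium", p, SENSITIVE_APIS.get(p));
  }

  // Content scripts run inside web pages; a broad match means every page.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) add("high", "content_scripts: " + m, "script injected into every page");
    }
  }

  const overall = findings.reduce(
    (max, f) => (LEVELS.indexOf(f.level) > LEVELS.indexOf(max) ? f.level : max),
    "low"
  );
  return { overall, findings };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_SINGLE_SITE = {
  name: "Sample single-site client",
  permissions: ["https://api.twitter.com/*", "notifications"],
  background_page: "background.html",
};
const SAMPLE_ALL_TABS = {
  name: "Sample form filler",
  permissions: ["tabs", "<all_urls>"],
  background_page: "background.html",
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["fill.js"] }],
};
const SAMPLE_NPAPI = {
  name: "Sample native helper",
  permissions: ["tabs"],
  plugins: [{ path: "helper.dll" }],
};

for (const m of [SAMPLE_SINGLE_SITE, SAMPLE_ALL_TABS, SAMPLE_NPAPI]) {
  const r = triageManifest(m);
  console.log(m.name + ": " + r.overall);
  for (const f of r.findings) console.log("  [" + f.level + "] " + f.what + " - " + f.detail);
}
```

A triage like this only reads what the manifest declares; it says nothing about what the extension's code does with those rights, which is the gap the thread is arguing about.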
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    At this point in time, I don't fully trust them either, which is why I have so few extensions. In truth, I probably trust them more than I am able to verify, which probably sounds bizarre. But I just can't understand a browser with so many security measures in place, not having a vetting process for extension. It just does not make sense to me.

    I actually happen to believe that the author verification feature is pretty decent, in that it more or less shifts the burden onto the vendor, if you will.
    If Chrome verifies that TrafficLight is from BitDefender, then I only have to ask myself if I trust BD. For less well-known app authors, verification doesn't carry the same weight.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Isn't this where an extension is only allowed to do certain things, and if it attempts to do something other than that it is unable or prevented from doing so?
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No that's just the least privilege. The privilege separation splits the extension up into a background page that handles some things and an active script that handles other things.
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Ha ha. BitDefender and TrafficLight are now showing verification checkmarks.
    I emailed BD rep about it a week ago and he told me he would forward the info to "the team".
    I'm glad they got this little item fixed.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Whether or not the Verified Author helps with trusting an extension, that will depend on who is providing it. If we take Page42 example, with BitDefender's extensions, I got no issues putting in them a higher trust than I would put in other Verified Author extensions.

    But, while they're legitimate, that doesn't mean that the authors should be given an open path.

    I'm pretty sure the Smooth Gestures is a legitimate* extension, still we know what happened, don't we? Regardless of it having or not the label Verified Author. -edit- *Google seems to think it is a legitimate extension, because they did reintroduce it back in Chrome Web Store after that blogger made this situation public, and after the extension's author "cleaned" it. -end of edit-

    I imagine "someone" like BitDefender would have a lot more to lose than some folk developing Smooth Gestures, for example. Unless BitDefender would have a lot more to gain from being sneaky. :D

    For example, this Verified Author extension -https://chrome.google.com/webstore/detail/jpkfjicglakibpenojifdiepckckakgk

    Should this Verified Author label inspire me trust so that I'll install it? What do I care if it comes from ss-o. net? That doesn't tell me anything. In BitDefender's case, it's different, because BitDefender has a long background in the security field. For all I know, they're a respectable and trustworthy security vendor. That doesn't mean that Google shouldn't verify their extensions, though. lol But, I suppose you get my point.

    Exactly. There isn't anything we can do. But, if the extensions are coming from Chrome Web Store, then there's something they (Google) can do.

    Of course, I'm not saying there aren't any mechanisms to prevent it. We simply don't know it. Period. But, based on serious (IMHO) recent events, I have doubts about the existence of a proper vetting process and find it dangerous to use extensions, from Chrome Web Store*, if not coming from certain developers, such as BitDefender (for example).

    * Chrome Web Store is the only place from where I'd get extensions, precisely because I would know Google was taking the needed measures to prevent situations such as those that have happened sometime ago.

    I got no idea - and no one truly does, IMHO - if more extensions exist in Chrome Web Store that are misbehaving. We simply don't know. This is worrying, isn't it? :mad:
     
    Last edited: Jan 15, 2012
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Exactly. But, would you trust a random extension developer with the Verified Author label? I can't say that I would.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I answered that in the section you quoted, m00n...
    What you are asking about is not a condition that applies exclusively to extensions from Chrome, m00n.
    It applies to any security app that a computer owner has installed on his or her machine, does it not?
    You might ask the same question about Sandboxie or Kaspersky or any other, no?
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It was a rhetorical question. :p I wanted to introduce my answer. :D

    It applies to everything. I'm not saying it's just about Google Chrome extensions. I'm just saying that a Verified Author label doesn't suffice to give an answer on whether or not they're OK to use. If Google believes that it suffices, then they should reconsider that thought.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree, I wouldn't say Verified Author means much. It just means that if you believe the author is legitimate you know for a fact that the extension came from them. I'd rather they inspect the code.
     