Chrome extension vetting

Discussion in 'other security issues & news' started by Page42, Dec 31, 2011.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Maybe the sandboxing aspect of Google Chrome extension security needs to be re-emphasized. Maybe GC is relying heavily on the sandbox, and for the most part, that is the reason why there haven't been widespread, catastrophic exploits involving extensions?
    VEX: Vetting Browser Extensions For Security Vulnerabilities
     
  2. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    Been following this and you guys have brought up some very interesting points for consideration. I see that your research favours Mozilla's vetting process for extensions over what Chrome does (or does not do). I have a question...
    If the extension is hosted on Mozilla and also shows up on Chrome, e.g. respected extensions such as WOT, Adblock Plus are two that I use, then can we assume that the vetting is in Mozilla's hands and Chrome just auto verifies the author/website because the work has already been done?

    There are a lot of extensions on FF that users recommend because they meet a specific need and I have made use of a few myself, however many of them are not as popular as WOT and AdblockPlus.
    NB: You may remember me, I loaded Perspectives on Chrome and this extension was already hosted on Mozilla (and in good standing). I ran into problems with this ext because the author and accessing website were different. The only way this was discovered was via a Java security warning for an expired CA. As far as I know there were no flags raised on Mozilla or Chrome concerning the website/author discrepancy. They were using another website's CA.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It would be nice if that was the case (it would mean they were doing something about it, at least :D), but take this extension, https://chrome.google.com/webstore/detail/gighmmpiobklfepjocnamgkkbiglidom, as an example.

    It has Verified Author, but this extension is only for Google Chrome. It appeared as Adblock Plus alternative for Google Chrome, back then. There is no such extension, from the same author, for Firefox, AFAIK.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    His point is that if there is the same author then you can trust it.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Pretty much. There have been exploits but the most an exploit can do in most cases is access maybe a single site's contents but not your passwords or cookies etc. You'd need to exploit something like LastPass.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I'm aware of that. But, that's not why they have a Verified Author in Chrome Web Store, though. Which was what I tried to say. I pointed the other extension as a way of showing it; it has a Verified Author, but it's not in Mozilla's repository, as it only exists for Chrome.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes... I get that it only exists for Chrome. The point is that if it does exist for both you can trust it. Obviously that won't be the case for most of the time and it's still kinda poor security "They made one good product for one platform so this product for another platform should be good too."

    I'd rather just have them do checks themselves but relying on the sandbox makes things easy - none of my extensions are untrustworthy / have access to things I wouldn't want them having access to.
     
  8. BrandiCandi

    BrandiCandi Guest

    I think that's the key. If you're not sure about an app, then it's best to research it to confirm that it's legitimate, then confine it. Maybe I've got a tin-foil hat surgically attached to my head, but I don't think I will ever fully trust Chrome or FF or IE to vet every app, regardless of what they say.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Well Google Chrome isn't saying much, we all seem to agree on that.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, this got me thinking. Who would control Google's own extensions? :doubt:
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm actually using an extension that's not even available on Chrome Web Store; from what I know it's trustworthy, it only needs permissions to access a specific service's domains. Nonetheless, I've confined it to a sandbox, and the browser profile I'm using (a different Chromium browser install, actually) is only allowed to connect to those same domains, as well.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You mean the ones like GMail checker? Someone from the GMail or Chrome team, probably a few separate ones. Anything from Google's going to get vetted because it would be too big a joke if they got exploited through it.
     
  13. BrandiCandi

    BrandiCandi Guest

    What do you mean "control"... do you mean develop? or maintain?

    #the rest is strictly out of my own morbid curiosity
    Where'd you get the extension?
    Also what function does it give you for such trouble?
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There are lots of unofficial Chrome extensions stores.

    Android is a great example of unofficial stores. Ironically the sites will do more vetting of the application than the market.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, but it was more of a joke. We have been discussing if there's a vetting process that will protect us from misbehaving extensions; but, no one ever asked who's making sure/who will make sure that Google's own extensions won't misbehave. :D

    But, as I said, it was intended as a joke. :D
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It allows me to download Youtube videos, directly from the browser, without having to cache the video.

    Even though it may seem clean of bad intentions, there's no reason to even give the browser full permissions. I have a dedicated Chromium profile just to access Youtube. The extension inherits its permissions; that's all. :)
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    How Safe Are Google Chrome Extensions?

    (I can't tell how old this article is, but it contains a link to another article with a comment that is dated July 2011) :doubt:
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Verified Security for Browser Extensions

    (This looks to me to be the most detailed paper on this topic that I have come across so far.)
     
  20. BrandiCandi

    BrandiCandi Guest
