Security Bugs in Google Chrome Extensions (And How To Avoid Them)

Discussion in 'other security issues & news' started by Hungry Man, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Has Google done anything about them?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No clue. Not sure there's really anything to be done.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Some readers will be relieved to learn that LastPass was reviewed and found to not have bugs.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Indeed, that's the only one I truly care about.
     
  6. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  7. tlu

    tlu Guest

    Yes, but no surprise at all. That's one reason why I strongly prefer FF over Chrome.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, that is one reason not to use it, which can be easily mitigated though (see pic)

    Strong reasons to use Chrome: native client and PPAPI Flash on top of its superb sandbox and JavaScript virtual machine (with hidden classes)
     

  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    One has got to love the mitigation... :D
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm looking forward to finding out which ones are vulnerable. I understand the need to not "spill the beans", but a commenter in the article was right, not doing so just ramps up the paranoia. ABP and Ghostery would be the first two I'd personally worry over. At this point, I wouldn't ever go extension-less. Ads, trackers, they're far too prevalent today, and ABP is certainly easier to tweak than other methods of blocking.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    So there's a lot they should do.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If Chrome handles this as poorly as Android has I'll be disappointed. The lack of a vetting process is really lame. I've said for a while we'll see more security issues with extensions.

    I still don't see what else they can do about it. It's not like you can say "Oh, you can't access passwords" or "you can't access all tabs" because that breaks the extensions.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would love to see this enforced.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Are they still not checking extensions, or have they gotten a little better about it? That's really all they can do, and that's really all Mozilla can do, is check every extension closely before letting it out for people to play with. Extensions have always been a risk, and always will be one.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There are two options that I see:

    1) Basic heuristics scan for insecure content like:

    default-src 'self'; connect-src: *
    default-src 'self'; connect-src: *; script-src: https:

    2) Individually vetted extensions by a human

    In my opinion we're going to need a middle ground for it to be both effective and plausible.
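
A sketch of the kind of heuristic scan the post above describes, as an added example that is not part of the original thread or of any Chrome Web Store tooling. The function names, the rule set and the sample policies are assumptions made for illustration; the parser accepts the trailing colon after a directive name as the policies are written in the post.

```javascript
// Added example: heuristic audit of an extension's Content Security Policy string.
// Rule set and sample policies are constructed for illustration.
const RISKY_SCRIPT_SOURCES = new Set(["*", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"]);

// Parse "name value value; name value" into a Map of directive -> source list.
// Tolerates typographic quotes and a trailing colon after the directive name.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.replace(/[‘’]/g, "'").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase().replace(/:$/, "");
    // Per CSP, the first occurrence of a directive wins; later ones are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditExtensionCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src and connect-src fall back to default-src when absent.
  const effective = (name) => d.get(name) ?? d.get("default-src");
  const scriptSrc = effective("script-src");
  if (scriptSrc === undefined) {
    findings.push("script-src: no restriction on script origins");
  } else {
    for (const src of scriptSrc) {
      if (RISKY_SCRIPT_SOURCES.has(src.toLowerCase())) {
        findings.push(`script-src: allows ${src}`);
      }
    }
  }
  const connectSrc = effective("connect-src");
  if (connectSrc === undefined || connectSrc.includes("*")) {
    findings.push("connect-src: allows any origin");
  }
  return findings;
}

// Constructed samples: the two policies from the post, plus a strict one.
const samples = [
  "default-src 'self'; connect-src: *",
  "default-src 'self'; connect-src: *; script-src: https:",
  "default-src 'self'",
];
for (const p of samples) console.log(JSON.stringify(p), "->", auditExtensionCsp(p));
```

A scan like this only reports what the declared policy permits; it says nothing about whether the extension's own code handles untrusted data safely, which is where human review comes in.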
     
  16. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    I don't know either but have you checked with Secunia PSI? If a public vulnerability was reported, it will flag it. This is not new but it is indeed troublesome :thumb:
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They're not public so I doubt they'd be flagged.

    Anyways, Google can solve this problem incredibly easily... but I'm not sure they will. Android's security is pathetic even though all it would take is a simple vetting process.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    There has to be some form of vetting. I think what we're bemoaning is that it is not very extensive. Maybe it consists mainly of those scary warnings. :shifty:
    You're not sure, or you are sure?
    And if they can solve it incredibly easily, but you're not sure they will, whatever could be the reason for them to not solve it? :doubt:
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I think what he means is that he isn't sure what other ways there are to secure extensions besides doing a more thorough check, to make sure there are no obvious misdeeds or terrible coding practice.

    Scary warnings don't do a thing, we all know that. They're about as effective as check boxes and EULA, almost always ignored.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, dw understood me. Sorry I wasn't clear haha

    I mean that there's no way to further protect the user from a vulnerable extension - instead they need to force developers to write more secure extensions.

    They can solve it incredibly easily. They can solve the Android problem easily as well. But they haven't. I'm hoping the Android team is just idiotic and the Chrome team knows better.
     
  21. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Although Chrome has a few good extensions, I think a lot of them are just dumb. I have looked through tons of them when I'm bored and can't find more than 4 or 5 I'd use. I think FF has some dumb ones too, but most of theirs have a purpose. :cool:
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not really. In terms of useful extensions they pretty much have the same amount. Most of Firefox's are useless to me. Most of Chrome's are useless to me.
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, yes, we can hope they know better. However, for a vendor that was praised for the security of their browser, I would have thought that they could foresee extension issues as well and forced better writing from the get go.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep. Security has always been Chrome's main focus, it was built from the start with security in mind.

    And yet this vulnerability, which was pretty glaringly obvious, has slipped in. Granted we probably won't see it really being exploited for a while but still... I'd expect better.

    Hopefully they solve this major hole.
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Same here. If anything, both companies allow far too much into their "stores", for lack of a better term. Mozilla also needs to do some major house cleaning in regards to long abandoned and/or very outdated extensions. Heck, that might even make Firefox users upgrade past v3 and 4, which too many still use.
     