Security Bugs in Google Chrome Extensions (And How To Avoid Them)

Discussion in 'other security issues & news' started by Hungry Man, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Abandoned projects are one thing. Security holes are another.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't know, Hungry. Chrome is approaching that dangerous point where it has a much bigger audience. It's even on track to overtake Firefox by the end of the year or a little into 2012. Once you get that widely used, that bullseye shows up on your back. If hackers and malware writers can't deal with the sandbox, they'll move to any other vulnerability. Extensions are a good place to begin.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sometimes they go hand in hand though. There's no telling how many users are out there hanging on to old, possibly vulnerable extensions.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh I know. By "a while" I mean like half a year, which really isn't very long.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    No, it isn't long at all. That's like a New York minute in the tech world. Unfortunately, this looks like a problem that isn't going to be solved in such a short period of time. At best (and like always it seems), a band-aid might be applied.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, the thing is that I can't think of any band-aids. The sandbox is secure, all of the holes are there for a reason. The problem is poorly coded extensions. I really only see one way to solve that: force developers to deal with insecure code.

    Best way to do that is to just do some simple heuristics check of each extension. Nice and automated. If an extension is flagged, inform the developer and either take it off the store or make it clear in the store that the extension hasn't been vetted.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hungry Man, I'm still stuck on this... if they can solve it incredibly easily, but you're not sure they will, whatever could be the reason for them to not solve it? :doubt:
    Sorry if I missed your response. I read through the posts.
    :)
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I have no clue. They could solve the Android issue with vetting as well. It's the simplest solution and you can employ heuristics to do it. We already have the signature for it, and obviously it can be fine-tuned to include more possible errors (in the case of Chrome).

    I really don't know why they don't vet with Android. I don't know why they wouldn't with Chrome either.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I can only think of a few things as to why they don't check as thoroughly as Mozilla, and none of them may be the answer:

    1. Over-confident in Chrome's overall security.

    2. Not enough people to come up with such a process or oversee it.

    3. They have other "more important" things to do.

    Other than that, I just don't see a reason.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's most likely 3.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It would be difficult to judge them on number 3, if it weren't such a simple thing they could easily do. The money is certainly there, and surely they could set aside a small group to handle it. Perhaps it's overreacting to think so, but in my opinion, it's irresponsible of them to ignore it, and causes my faith to lessen slightly.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Same here.
     
  13. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Currently, I'm trying IE 9 with TPL (Easy, Fanboy & TRUSTe), WOT, and Speckie.
    Let's see if I manage to stay away from 3rd-party browsers...:D :argh:
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm not certain whether the situation has changed, but you should probably pick one TPL provider and stick with them. For a time, what Fanboy or Easy would put on their block lists, TRUSTe would put on their allow lists, thereby really screwing up protection and blocking.
     
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yes, stick to Fanboy only. EasyList has too many allow rules because of their broken importing script. TRUSTe... I wouldn't trust :doubt:
     
  16. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    O.K., guys.
    I will follow your advice!
    Thanks!!! :thumb:
     
  17. tlu

    tlu Guest

    Hm, I've never heard of that. Please elaborate! Source?
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I'm talking about the EasyList TPL only, which is nothing other than the result of a script converting the ABP subscription to TPL format. They have expressed no interest in maintaining it or improving it on their forums, whereas the folks over at Fanboy's forums have expressed that interest.
     
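To illustrate the conversion elapsed describes and why a naive ABP-to-TPL import produces over-broad allow rules, here is an added example (not code from EasyList, Fanboy or any real importer). It converts a constructed ABP subset into TPL lines and then evaluates a request under IE's Tracking Protection List semantics, where a matching allow rule takes precedence over any block rule; the ABP `$domain=` scope on an exception is assumed to have no TPL equivalent and is simply dropped.

```python
"""Minimal ABP -> TPL converter plus a TPL matcher (constructed example)."""
import re

# Constructed sample ABP subscription lines; not taken from any real list.
SAMPLE_ABP = """
! Title: constructed sample
||ads.example^
||tracker.example^$third-party
/banner/*
@@||cdn.example^$domain=shop.example
"""

def abp_to_tpl(abp_text):
    """Convert a small ABP subset into TPL lines the way a naive importer would.

    Handles ||host^ domain rules, plain substring rules and @@ exceptions;
    comments and element-hiding (##) rules are skipped. The $domain= scope on
    an ABP exception is lost, so it becomes an unscoped TPL allow rule.
    """
    out = ["msFilterList", "# converted from ABP (constructed example)"]
    for line in abp_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or "##" in line:
            continue
        allow = line.startswith("@@")
        rule = line[2:] if allow else line
        rule = rule.split("$", 1)[0]          # drop ABP options; scope is lost
        m = re.fullmatch(r"\|\|([A-Za-z0-9.-]+)\^?", rule)
        prefix = "+" if allow else "-"
        if m:
            out.append(f"{prefix}d {m.group(1)}")   # -d host / +d host
        elif "|" not in rule:
            out.append(f"{prefix} {rule.strip('*')}")  # - substring / + substring
    return out

def tpl_decision(tpl_lines, host, url):
    """Return 'allow', 'block' or 'none' for one request under TPL semantics:
    any matching allow (+) rule wins over every block (-) rule."""
    verdict = "none"
    for ln in tpl_lines:
        if not ln or ln[0] not in "+-":
            continue
        body = ln[1:]
        if body.startswith("d "):
            dom = body[2:].split()[0]
            hit = host == dom or host.endswith("." + dom)
        else:
            hit = body.strip() in url
        if hit:
            if ln[0] == "+":
                return "allow"
            verdict = "block"
    return verdict
```

Because the converted `+d cdn.example` rule is no longer limited to shop.example, the allow rule applies everywhere, which is the kind of over-broad allow rule that weakens a converted list.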
  19. tlu

    tlu Guest

    Sorry, I overlooked that.
     
  20. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Any experience related to THIS TPL ?

    Especially with the Adversity and the Others Lists...
     