Security Bugs in Google Chrome Extensions (And How To Avoid Them)

Discussion in 'other security issues & news' started by Hungry Man, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Has Google done anything about them?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No clue. Not sure there's really anything to be done.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Some readers will be relieved to learn that LastPass was reviewed and found to not have bugs.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Indeed, that's the only one I truly care about.
     
  6. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  7. tlu

    tlu Guest

    Yes, but no surprise at all. That's one reason why I strongly prefer FF over Chrome.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, that is one reason not to use it, which can be easily mitigated though (see pic)

    Strong reason's to use Chrome: native client and PPAPI flash on top of its superb sandbox and javascript virtual machine (with hidden classes)
     

    Attached Files:

  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    One has got to love the mitigation... :D
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm looking forward to finding out which ones are vulnerable. I understand the need to not "spill the beans", but a commenter in the article was right, not doing so just ramps up the paranoia. ABP and Ghostery would be the first two I'd personally worry over. At this point, I wouldn't ever go extension-less. Ads, trackers, they're far too prevalent today, and ABP is certainly easier to tweak than other methods of blocking.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    So there's a lot they should do.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If Chrome handles this as poorly as Android has I'll be disappointed. The lack of a vetting process is really lame. I've said for a while we'll see more security issues with extensions.

    I still don't see what else they can do about it. It's not like you can say "Oh, you can't access passwords" or "you can't access all tabs" because that breaks the extensions.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would love to see this enforced.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Are they still not checking extensions, or have they gotten a little better about it? That's really all they can do, and that's really all Mozilla can do, is check every extension closely before letting it out for people to play with. Extensions have always been a risk, and always will be one.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There are two options that I see:

    1) Basic heuristics scan for insecure content like:

    default-src ‘self’; connect-src: *
    default-src ‘self’; connect-src: *; script-src: https:

    2) Individually vetted extensions by a human

    in my opinion we're going to need a middle ground for it to be both effective and plausible.
     
  16. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    I don't know either but have you checked with Secunia PSI ? If a public vulnerabilty was reported, it will flag it. This not new but it is indeed troublesome :thumb:
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    They're not public so I doubt they'd be flagged.

    Anyways, Google can solve this problem incredibly easily... but I'm not sure they will. Android's security is pathetic even though all it would take is a simple vetting process.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    There has to be some form of vetting. I think what we're bemoaning is that it is not very extensive. Maybe it consists mainly of those scary warnings. :shifty:
    You're not sure, or you are sure?
    And if they can solve it incredibly easy, but you're not sure they will, whatever could be the reason for them to not solve it? :doubt:
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I think what he means is that he isn't sure what other ways there are to secure extensions besides doing a more thorough check, to make sure there are no obvious misdeeds or terrible coding practice.

    Scary warnings don't do a thing, we all know that. They're about as effective as check boxes and EULA, almost always ignored.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, dw understood me. Sorry I wasn't clear haha

    I mean that there's no way to further protect the user from a vulnerable extension - instead they need to force developers to write more secure extensions.

    They can solve it incredibly easy. They can solve the android problem easily as well. But they haven't. I'm hoping the android team is just idiotic and the chrome team knows better.
     
  21. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Although Chrome has a few good extensions, I think a lot of them are just dumb. I have looked through tons of them when I'm bored and can't find more than 4 or 5 I'd use. I think FF has some dumb ones too, but most of theirs have a purpose. :cool:
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not really. In terms of useful extensions they pretty much have the same amount. Most of Firefox's are useless to me. Most of Chrome's are useless to me.
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, yes, we can hope they know better. However, for a vendor that was praised for the security of their browser, I would have thought that they could foresee extension issues as well and forced better writing from the get go.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yep. Security has always been Chrome's main focus, it was built from the start with security in mind.

    And yet this vulnerability, which was pretty glaringly obvious has slipped in. Granted we probably won't see it really being exploited for a while but still... I'd expect better.

    Hopefully they solve this major hole.
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Same here. If anything, both companies allow far too much into their "stores", for a lack of a better term. Mozilla also needs to do some major house cleaning in regards to long abandoned and/or very outdated extensions. Heck, that might even make Firefox users upgrade past v3 and 4, which too many still use.
     
Loading...
Thread Status:
Not open for further replies.