Schneier on Security
A blog covering security and security technology.
« Making Fake ATMs Using 3D Printers |
| Friday Squid Blogging: Interesting Squid Recipes »
September 29, 2011
Insecure Chrome Extensions
An analysis of extensions to the Chrome browser shows that 25% of them are insecure:
We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers. Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.
Posted on September 29, 2011 at 7:07 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Need a comparison to the same (or at least like) extensions for other browsers to know if that is a Chrome problem, or is extension development problem in general.
Regarding the content security tags that Chrome extensions can specify, why aren't the more secure settings below the default?
default-src ‘self’; connect-src: *
default-src ‘self’; connect-src: *; script-src: https:
so what are the 27 that are leaking so I can uninstall them?
So... how about listing the insecure (and secure) ones?
It would certainly make the article a heck of a lot more useful!
As other posters have said what is the point of telling us 27 extensions are unsafe but then you don't tell us which ones are unsafe?
At least provide a list.
The Chrome Web Store has more than 12000 different extensions, and this study looked at only 100 of them. So right off the bat, I wonder about sample sizes.
The authors state that 50 of the 100 picked were the most popular, while 50 were chosen at random. Their results do not state which set had the better results- it just combines them as a single sample, as if that makes no difference. This is poor statistics. Were the 50 popular ones *more* likely to have vulnerabilities? Did they originally do this study on the 50 most popular, and found only 5% were vulnerable, so then they decided to add 50 random ones, to make it more sensational?
What I've gotten from this article is that 96% of all the vulnerabilities can be fixed by adding a couple extra lines of code. That makes me feel that Chrome has done a good job of making extensions securable.
That makes me feel that Chrome has done a good job of making extensions securable.
Well, at least there's that.
I'm a chrome user. I find it fast and I run it in "incognito" mode so it doesn't track anything. Not saying it doesn't have its drawbacks.
I use this site on all my browsers:
Points out some of the weaknesses. I was referred to it by a reputable source at the SANS institute.
I'm the author of the study.
We haven't yet released the names of all of the vulnerable extensions because some of the very popular ones remain unpatched. We're giving them a few weeks before we publish our full report (which will include all of the extensions' names and whether they remain unpatched).
An equal number of the buggy extensions were from the popular and random samples. IIRC the split was 13 popular, 15 random (with 28 total vulnerable). The random extensions have more bugs per lines of code, but the popular extensions have far more lines of code, so it evens out.
100/28*100 ain't 25%, more like 28%. :P
@HJohn: I believe that you're being sincere, but I don't believe it enough to let a random site run arbitrary code on my computer. You have to admit that a recommendation from a trusted-friend-inside-the-industry sounds exactly like a thinly veiled social engineering attempt...
@Chelloveck: "I believe that you're being sincere, but I don't believe it enough to let a random site run arbitrary code on my computer. You have to admit that a recommendation from a trusted-friend-inside-the-industry sounds exactly like a thinly veiled social engineering attempt..."
I admit it sounds that way. For what it is worth, I did check it out and it is legit. But I also understand the skepticism (yet another piece of damage done by the social engineers).
Brian Krebs also blogged about it and discussed this very concern. He's fine with Qualys as well. I won't provide a link this time, his blog is easy to find. :)
merely saying they found a number of extensions insecure without revealing their names is much the same as claiming the earth is the center of the solar system.
@rino read the comment above from Adrienne Porter Felt
I'm not very impressed with the Qualys browser check.
On Firefox 6.0.2, it checked 5 out of 10 plugins I'm using, and none of the 20 extensions. For what was checked, it merely throws warnings that you're not running the latest version of that plugin. It gets even sillier when throwing an "insecure version" comment about FF 6.0.2, suggesting to upgrade to the just released FF 7, which most folks have found out by now and without applying some patch is disabling/hiding most of your extensions.
That said, I would really welcome an FF feature allowing you to first check which plugins/extensions are incompatible with the new version before upgrading. For most recent versions, I ended up downgrading and waiting several weeks before trying again until (most of) my extensions had been upgraded too.
As for the Chrome study, I think it deserves some extra work on other browsers too.
Ouch, I seem to have gotten the percentage calculation wrong. But anyway, the actual number is still the same. :)
@Dirk Praet: "waiting several weeks before trying again until (most of) my extensions had been upgraded too"
OT, but would you care to name some of the 'culprits'? I keep hearing those tales about incompatible Addons, but cannot confirm that from my own experience at all.
Google Sharing, LeetKey, Tor Button, Alert Stopper, PlasmaNotify and Oxygen KDE were just some of the extensions I had issues with when upgrading. In the specific case of FF 7, most extensions/add-ons got hidden due to a bug. See http://www.ghacks.net/2011/09/28/... .
Numerous versions creates instability both ways; for example, FF 3.6 lacks an addon for convergence. Just last night, when I upgraded the gf's Windows box to FF 7, I had issues with Adblock Plus. Not sure if it's working or not.
Doug, you can post that link to the squid thread.
Thank You @Adrienne Porter Felt
n=30 is the first "large" sample size statistically. After n=120, the next step is ~infinite. n=100 is a VERY respectable sample size, IF you keep in mind that every extension is a big investment in time and trouble, to evaluate each.
Is it possible to know which browser is more secure. and which level of risk they can give users.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.