Bruce Schneier


Schneier on Security

A blog covering security and security technology.


September 29, 2011

Insecure Chrome Extensions

An analysis of extensions to the Chrome browser shows that 25% of them are insecure:

We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers. Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.

Posted on September 29, 2011 at 7:07 AM

24 Comments


Comments

Need a comparison to the same (or at least similar) extensions for other browsers to know if this is a Chrome problem, or an extension development problem in general.

Posted by: kingsnake at September 29, 2011 7:54 AM


Regarding the content security tags that Chrome extensions can specify, why aren't the more secure settings below the default?

default-src 'self'; connect-src: *
default-src 'self'; connect-src: *; script-src: https:

Posted by: Gabriel at September 29, 2011 8:05 AM
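The study excerpt in the post warns that a WiFi attacker can rewrite any HTTP content an extension loads, and Gabriel's comment asks about the content security policy an extension can declare. The following is an added example, not code from the post, the study or Chrome itself: a small audit of an extension's policy string that flags script sources a network attacker could tamper with. It assumes standard CSP syntax (directive name followed by sources, ';'-separated, script-src falling back to default-src when absent), and the two manifests are constructed for illustration.

```javascript
// Parse a CSP string into { directiveName: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Return the problems found in the policy's script sources. A script source
// reachable over plaintext HTTP matters because an attacker on the same WiFi
// can modify HTTP responses; 'unsafe-eval' / 'unsafe-inline' let injected
// strings from a web page run as extension code.
function auditScriptSources(policy) {
  const directives = parseCsp(policy);
  const sources = directives['script-src'] || directives['default-src'];
  const findings = [];
  if (!sources) {
    findings.push('no script-src or default-src: scripts may load from anywhere');
    return findings;
  }
  for (const src of sources) {
    if (src === "'unsafe-eval'") {
      findings.push("'unsafe-eval': injected strings can become code");
    } else if (src === "'unsafe-inline'") {
      findings.push("'unsafe-inline': attacker-inserted inline scripts would run");
    } else if (src === '*' || src === 'http:' || src.startsWith('http://')) {
      findings.push(`${src}: script may be fetched over plaintext HTTP and altered in transit`);
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const weakManifest = {
  content_security_policy: "default-src 'self'; script-src 'self' http://cdn.example.com 'unsafe-eval'",
};
// Hardened form, matching the second policy Gabriel proposes (in valid CSP syntax):
// connect-src * only governs XHR/fetch targets, so it is not a script source.
const hardenedManifest = {
  content_security_policy: "default-src 'self'; script-src 'self' https:; connect-src *",
};

console.log(auditScriptSources(weakManifest.content_security_policy));     // 2 findings
console.log(auditScriptSources(hardenedManifest.content_security_policy)); // []
```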


So what are the 27 that are leaking so I can uninstall them?

Posted by: Adam Sweet at September 29, 2011 8:11 AM


So... how about listing the insecure (and secure) ones?

It would certainly make the article a heck of a lot more useful!

Posted by: Jeff K at September 29, 2011 8:20 AM


As other posters have said, what is the point of telling us 27 extensions are unsafe but then not telling us which ones are unsafe?
At least provide a list.

Posted by: peter55 at September 29, 2011 8:24 AM


The Chrome Web Store has more than 12000 different extensions, and this study looked at only 100 of them. So right off the bat, I wonder about sample sizes.

The authors state that 50 of the 100 picked were the most popular, while 50 were chosen at random. Their results do not state which set had the better results- it just combines them as a single sample, as if that makes no difference. This is poor statistics. Were the 50 popular ones *more* likely to have vulnerabilities? Did they originally do this study on the 50 most popular, and found only 5% were vulnerable, so then they decided to add 50 random ones, to make it more sensational?

What I've gotten from this article is that 96% of all the vulnerabilities can be fixed by adding a couple extra lines of code. That makes me feel that Chrome has done a good job of making extensions securable.

Posted by: Mabbo at September 29, 2011 8:29 AM


That makes me feel that Chrome has done a good job of making extensions securable.

Well, at least there's that.

Posted by: vajdaij at September 29, 2011 9:21 AM


I'm a chrome user. I find it fast and I run it in "incognito" mode so it doesn't track anything. Not saying it doesn't have its drawbacks.

I use this site on all my browsers:
https://browsercheck.qualys.com/

Points out some of the weaknesses. I was referred to it by a reputable source at the SANS institute.

Posted by: HJohn at September 29, 2011 9:31 AM


I'm the author of the study.

We haven't yet released the names of all of the vulnerable extensions because some of the very popular ones remain unpatched. We're giving them a few weeks before we publish our full report (which will include all of the extensions' names and whether they remain unpatched).

An equal number of the buggy extensions were from the popular and random samples. IIRC the split was 13 popular, 15 random (with 28 total vulnerable). The random extensions have more bugs per lines of code, but the popular extensions have far more lines of code, so it evens out.

Posted by: Adrienne Porter Felt at September 29, 2011 9:53 AM


100/28*100 ain't 25%, more like 28%. :P

Posted by: Natanael L at September 29, 2011 10:02 AM


@HJohn: I believe that you're being sincere, but I don't believe it enough to let a random site run arbitrary code on my computer. You have to admit that a recommendation from a trusted-friend-inside-the-industry sounds exactly like a thinly veiled social engineering attempt...

Posted by: Chelloveck at September 29, 2011 11:04 AM


@Chelloveck: "I believe that you're being sincere, but I don't believe it enough to let a random site run arbitrary code on my computer. You have to admit that a recommendation from a trusted-friend-inside-the-industry sounds exactly like a thinly veiled social engineering attempt..."

I admit it sounds that way. For what it is worth, I did check it out and it is legit. But I also understand the skepticism (yet another piece of damage done by the social engineers).

Brian Krebs also blogged about it and discussed this very concern. He's fine with Qualys as well. I won't provide a link this time, his blog is easy to find. :)

Posted by: HJohn at September 29, 2011 11:20 AM


You can also just run a javascript-based check, without installing anything:
https://browsercheck.qualys.com/?scan_type=js

Here's Krebs' blog:
http://krebsonsecurity.com/2011/03/...

Posted by: Sam at September 29, 2011 12:29 PM


Merely saying they found a number of extensions insecure without revealing their names is much the same as claiming the earth is the center of the solar system.

Nice work.

Posted by: rino at September 29, 2011 2:18 PM


@Sam,
I went to your first link and it advertised ways to secure my browser, but the first recommendation (with an exclamation point) was to enable Javascript. I'm wondering if that's a good idea? :-)
jeff

Posted by: jeff at September 29, 2011 4:41 PM


@rino read the comment above from Adrienne Porter Felt

Posted by: mike at September 29, 2011 5:42 PM


I'm not very impressed with the Qualys browser check.

On Firefox 6.0.2, it checked 5 out of 10 plugins I'm using, and none of the 20 extensions. For what was checked, it merely throws warnings that you're not running the latest version of that plugin. It gets even sillier when throwing an "insecure version" comment about FF 6.0.2, suggesting an upgrade to the just-released FF 7, which, as most folks have found out by now, disables/hides most of your extensions unless you apply some patch.

That said, I would really welcome an FF feature allowing you to first check which plugins/extensions are incompatible with the new version before upgrading. For most recent versions, I ended up downgrading and waiting several weeks before trying again until (most of) my extensions had been upgraded too.

As for the Chrome study, I think it deserves some extra work on other browsers too.

Posted by: Dirk Praet at September 29, 2011 6:22 PM


Ouch, I seem to have gotten the percentage calculation wrong. But anyway, the actual number is still the same. :)

Posted by: Natanael L at September 30, 2011 1:50 AM


@Dirk Praet: "waiting several weeks before trying again until (most of) my extensions had been upgraded too"

OT, but would you care to name some of the 'culprits'? I keep hearing those tales about incompatible Addons, but cannot confirm that from my own experience at all.

Posted by: Paeniteo at September 30, 2011 3:15 AM


@ Paeniteo

Google Sharing, LeetKey, Tor Button, Alert Stopper, PlasmaNotify and Oxygen KDE were just some of the extensions I had issues with when upgrading. In the specific case of FF 7, most extensions/add-ons got hidden due to a bug. See http://www.ghacks.net/2011/09/28/... .

Posted by: Dirk Praet at September 30, 2011 3:39 AM


@Paeniteo

Numerous versions create instability both ways; for example, FF 3.6 lacks an addon for Convergence. Just last night, when I upgraded the gf's Windows box to FF 7, I had issues with Adblock Plus. Not sure if it's working or not.

Posted by: Johnston at September 30, 2011 12:17 PM


Doug, you can post that link to the squid thread.

Posted by: Moderator at September 30, 2011 12:50 PM


Thank You @Adrienne Porter Felt

n=30 is the first "large" sample size statistically. After n=120, the next step is ~infinite. n=100 is a VERY respectable sample size, IF you keep in mind that every extension is a big investment in time and trouble, to evaluate each.

Posted by: pointless_hack at September 30, 2011 2:47 PM


Is it possible to know which browser is more secure, and which level of risk they pose to users?

Posted by: Fawad Lalzad at January 15, 2012 1:05 AM

