Insecure Chrome Extensions

An analysis of extensions to the Chrome browser shows that 25% of them are insecure:

We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers. Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.

Tags: browsers, Chrome, web

Posted on September 29, 2011 at 7:07 AM • 24 Comments

Comments

kingsnake • September 29, 2011 7:54 AM

Need a comparison to the same (or at least like) extensions for other browsers to know if that is a Chrome problem, or is extension development problem in general.

Gabriel • September 29, 2011 8:05 AM

Regarding the content security tags that Chrome extensions can specify, why aren’t the more secure settings below the default?

default-src ‘self’; connect-src: *
default-src ‘self’; connect-src: *; script-src: https:

Adam Sweet • September 29, 2011 8:11 AM

so what are the 27 that are leaking so I can uninstall them?

Jeff K • September 29, 2011 8:20 AM

So… how about listing the insecure (and secure) ones?

It would certainly make the article a heck of a lot more useful!

peter55 • September 29, 2011 8:24 AM

As other posters have said what is the point of telling us 27 extensions are unsafe but then you don’t tell us which ones are unsafe?
At least provide a list.

Mabbo • September 29, 2011 8:29 AM

The Chrome Web Store has more than 12000 different extensions, and this study looked at only 100 of them. So right off the bat, I wonder about sample sizes.

The authors state that 50 of the 100 picked were the most popular, while 50 were chosen at random. Their results do not state which set had the better results- it just combines them as a single sample, as if that makes no difference. This is poor statistics. Were the 50 popular ones more likely to have vulnerabilities? Did they originally do this study on the 50 most popular, and found only 5% were vulnerable, so then they decided to add 50 random ones, to make it more sensational?

What I’ve gotten from this article is that 96% of all the vulnerabilities can be fixed by adding a couple extra lines of code. That makes me feel that Chrome has done a good job of making extensions securable.

vajdaij • September 29, 2011 9:21 AM

That makes me feel that Chrome has done a good job of making extensions securable.

Well, at least there’s that.

HJohn • September 29, 2011 9:31 AM

I’m a chrome user. I find it fast and I run it in “incognito” mode so it doesn’t track anything. Not saying it doesn’t have its drawbacks.

I use this site on all my browsers:
https://browsercheck.qualys.com/

Points out some of the weaknesses. I was referred to it by a reputable source at the SANS institute.

Adrienne Porter Felt • September 29, 2011 9:53 AM

I’m the author of the study.

We haven’t yet released the names of all of the vulnerable extensions because some of the very popular ones remain unpatched. We’re giving them a few weeks before we publish our full report (which will include all of the extensions’ names and whether they remain unpatched).

An equal number of the buggy extensions were from the popular and random samples. IIRC the split was 13 popular, 15 random (with 28 total vulnerable). The random extensions have more bugs per lines of code, but the popular extensions have far more lines of code, so it evens out.

Natanael L • September 29, 2011 10:02 AM

100/28*100 ain’t 25%, more like 28%. 😛

Chelloveck • September 29, 2011 11:04 AM

@HJohn: I believe that you’re being sincere, but I don’t believe it enough to let a random site run arbitrary code on my computer. You have to admit that a recommendation from a trusted-friend-inside-the-industry sounds exactly like a thinly veiled social engineering attempt…

HJohn • September 29, 2011 11:20 AM

@Chelloveck: “I believe that you’re being sincere, but I don’t believe it enough to let a random site run arbitrary code on my computer. You have to admit that a recommendation from a trusted-friend-inside-the-industry sounds exactly like a thinly veiled social engineering attempt…”

I admit it sounds that way. For what it is worth, I did check it out and it is legit. But I also understand the skepticism (yet another piece of damage done by the social engineers).

Brian Krebs also blogged about it and discussed this very concern. He’s fine with Qualys as well. I won’t provide a link this time, his blog is easy to find. 🙂

Sam • September 29, 2011 12:29 PM

You can also just run a javascript-based check, without installing anything:
https://browsercheck.qualys.com/?scan_type=js

Here’s Kreb’s blog:
http://krebsonsecurity.com/2011/03/test-your-browsers-patch-status/

rino • September 29, 2011 2:18 PM

merely saying they found a number of extensions insecure without revealing their names is much the same as claiming the earth is the center of the solar system.

nice work.

jeff • September 29, 2011 4:41 PM

@Sam,
I went to your first link and it advertised ways to secure my browser, but the first recommendation (with an exclamation point) was to enable Javascript. I’m wondering if that’s a good idea? 🙂
jeff

mike • September 29, 2011 5:42 PM

@rino read the comment above from Adrienne Porter Felt

Dirk Praet • September 29, 2011 6:22 PM

I’m not very impressed with the Qualys browser check.

On Firefox 6.0.2, it checked 5 out of 10 plugins I’m using, and none of the 20 extensions. For what was checked, it merely throws warnings that you’re not running the latest version of that plugin. It gets even sillier when throwing an “insecure version” comment about FF 6.0.2, suggesting to upgrade to the just released FF 7, which most folks have found out by now and without applying some patch is disabling/hiding most of your extensions.

That said, I would really welcome an FF feature allowing you to first check which plugins/extensions are incompatible with the new version before upgrading. For most recent versions, I ended up downgrading and waiting several weeks before trying again until (most of) my extensions had been upgraded too.

As for the Chrome study, I think it deserves some extra work on other browsers too.

Natanael L • September 30, 2011 1:50 AM

Ouch, I seem to have gotten the percentage calculation wrong. But anyway, the actual number is still the same. 🙂

Paeniteo • September 30, 2011 3:15 AM

@Dirk Praet: “waiting several weeks before trying again until (most of) my extensions had been upgraded too”

OT, but would you care to name some of the ‘culprits’? I keep hearing those tales about incompatible Addons, but cannot confirm that from my own experience at all.

Dirk Praet • September 30, 2011 3:39 AM

@ Paeniteo

Google Sharing, LeetKey, Tor Button, Alert Stopper, PlasmaNotify and Oxygen KDE were just some of the extensions I had issues with when upgrading. In the specific case of FF 7, most extensions/add-ons got hidden due to a bug. See http://www.ghacks.net/2011/09/28/fix-for-hidden-add-ons-after-updating-to-firefox-7/ .

Johnston • September 30, 2011 12:17 PM

@Paeniteo

Numerous versions creates instability both ways; for example, FF 3.6 lacks an addon for convergence. Just last night, when I upgraded the gf’s Windows box to FF 7, I had issues with Adblock Plus. Not sure if it’s working or not.

Moderator • September 30, 2011 12:50 PM

Doug, you can post that link to the squid thread.

pointless_hack • September 30, 2011 2:47 PM

Thank You @Adrienne Porter Felt

n=30 is the first “large” sample size statistically. After n=120, the next step is ~infinite. n=100 is a VERY respectable sample size, IF you keep in mind that every extension is a big investment in time and trouble, to evaluate each.

Fawad Lalzad • January 15, 2012 1:05 AM

Is it possible to know which browser is more secure. and which level of risk they can give users.

Insecure Chrome Extensions

Comments

Leave a comment Cancel reply