27 Out of 100 Chrome Extensions Insecure
Security researchers Nicholas Carlini, Adrienne Porter Felt, and Prateek Saxena reviewed 50 popular and 50 random Chrome extensions from the official Chrome Web Store for security vulnerabilities and discovered that 27 of the 100 extensions "leak all of their privileges to a web or WiFi attacker". These 27 extensions account for a total of 51 vulnerabilities. Seven of the vulnerable extensions have more than 300k users each according to data provided by the Chrome Web Store.
Bugs or bad programming practices may leak information like passwords or history to web and Wi-Fi attackers. The researchers provide two examples of how extensions can be exploited by attackers. The two extensions mentioned, Open Attribute and Silver Bird, have since been fixed by their development teams.
The Open Attribute extension helps users read the Creative Commons (CC) licenses of web sites. In the typical use case, a user clicks on the extension’s browser action to see a web site’s attribution information. Open Attribute embeds the site’s CC license in the extension’s popup window, using innerHTML. A malicious web site could serve a fake CC license that includes inline scripts, or a WiFi attacker could insert inline scripts into a license provided by a legitimate web site like Wikipedia. The inserted code then runs in the extension’s popup window with the extension’s privileges. This bug was fixed in Open Attribute 0.7 by setting a Content Security Policy for the extension.
Example 2: Silver Bird 1.9.7.9
Silver Bird allows users to post and read Twitter messages without navigating to twitter.com, and it currently has over 200,000 users. The extension makes an XHR to Twitter using either HTTP or HTTPS, based on the user’s settings. It displays the retrieved messages in the core extension, using innerHTML in several places. If a user were to specify an HTTP URI, a WiFi attacker could insert inline scripts into the XHR response. Luckily, Twitter prevents its users from launching this attack by sanitizing user messages. This bug was fixed in version 1.9.8.4 by replacing innerHTML with innerText.
The two other extensions named in the article are LastPass and Xmarks, both of which were already protected against these kinds of attacks.
Interestingly enough, vulnerabilities were split more or less evenly between popular and random samples, as Adrienne Porter Felt points out.
Probably the most interesting aspect here is that the vulnerability count would drop from 51 vulnerabilities to 2 (a reduction of 96%) if the extension developers had followed Google Chrome's Content Security Policy guidelines. Implementing those security guidelines blocks attempts by an attacker to "take over an extension by injecting malicious JavaScript into the core extension".
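The two mechanisms this post discusses, rendering fetched content as text instead of markup (the Silver Bird fix) and a Content Security Policy that forbids inline script (the Open Attribute fix), as an added example that is not code from the paper or from either extension. The `content_security_policy` manifest key is Chrome's real key name; the tampered response body and the sample policies are constructed for illustration.

```javascript
// Constructed sample: a plain-HTTP XHR response body after a WiFi attacker
// has appended inline script to it (the Silver Bird scenario).
const TAMPERED_RESPONSE =
  'hello from the timeline<script>/* attacker code */</script>';

// Vulnerable pattern: the fetched bytes are parsed as HTML inside the
// extension's own page, so any injected <script> runs with its privileges.
function renderUnsafe(container, fetchedBody) {
  container.innerHTML = fetchedBody;
}

// Fixed pattern: assign the bytes as text (Silver Bird switched to innerText;
// textContent behaves the same for this purpose). Nothing is parsed as HTML.
function renderSafe(container, fetchedBody) {
  container.textContent = fetchedBody;
}

// Parse a CSP string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Defensive check for an extension manifest: does its policy stop inline
// script in the core extension? True only when script-src (or default-src as
// a fallback) is present and does not list 'unsafe-inline'. Nonce and hash
// sources are not modelled here.
function blocksInlineScript(policy) {
  const p = parseCsp(policy);
  const sources = p['script-src'] || p['default-src'];
  if (!sources) return false; // no script restriction at all
  return !sources.includes("'unsafe-inline'");
}

// Constructed manifest fragment showing a policy that passes the check.
const EXAMPLE_MANIFEST = {
  manifest_version: 2,
  content_security_policy: "script-src 'self'; object-src 'self'",
};

function manifestBlocksInlineScript(manifest) {
  return blocksInlineScript(manifest.content_security_policy || '');
}
```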
The researchers have decided not to publish the full list of vulnerable and protected extensions at this time, to give extension developers ample time to protect their extensions from these kinds of attacks.
The researchers are not aware of any attacks exploiting those vulnerabilities at this point and note that nearly all important extensions with vulnerabilities have already been updated.
The full security paper will be released at the beginning of November.
Independent research such as this raises awareness of something that most (casual) people take for granted when using third-party web apps or browser add-ons — security, and that convenience trumps any forethought of security or privacy matters.
Thanks for providing this bit of info Martin, and looking forward to more of the likes of this in the future.
/m