Chrome Extentions Vulnerabilities
Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform
Vulnerabilities Statistics 27 out of 100 tested extensions of Chrome Browser vulnerable to attack by extracting data (password, history, etc.) Malicious applications Gain control over your Google account (G-mail, Calendar etc.) Java Script- injection vulnerabilities More the 25% of testing extensions from researcher were considered vulnerable under this attack and 7 of those application used from more then users!!! Security flows in chrome OS Hackers access your data on the cloud without event has access to the user pc. Exits design flows that gives extensions sweeping rights to access data on the cloud.
Research 3 types of extensions: core extensions- main portion of an extension content scripts - are JavaScript that are injected into web sites Plugins – native executable Each app or extensions ask for permission before install- but who reads them??? 2 Types of permissions : Time-of-use systems - prompt the user to approve of needed permissions at the runtime of the application. install-time systems -ask for permissions at the time the extension is installed.
Risk Management Extensions required permissions Plug ins – is granted full permissions to everything on users machine (because is local executable) Extensions with plug ins are reviewed Core extensions – comes with the extention API which is a browser manager that allows access to bookmarks, history and geo-location.
Findings 500 most popular extensions 91.4% of them ask for at least one security-relevant permission. This means that almost every extension installalation generates at least one security warning. 10% of applications request unneeded permissions. no developer tools on any platform with install-time permissions that provide developer tools to detect unnecessary permissions.
Scratchpad App example Scratchpad extension for Google Docs Installed by default on Chrome notebook The permissions allow it to auto-sync with user’s Google Doc account! The catch- Google Docs lets users share documents with others without first asking the receiving user if they want to receive the document or not. The result of hacking this app from the researchers: Johansen was able to share a malicious note through Scratchpad which, when opened, stole all of the user’s Gmail contacts.
Our experiment User downloads our app Goes to the blog and let say he want to write something. In order to right something a pop up appear so he can log though Facebook using his credentials What we do ? We still his username and password … So what’s is the conclusion ? Don’t download our app ;D
Use case Diagram
Solutions The Good news is that: o 49 of 51 vulnerabilities can be patched just by using one of two proposed safety rules (Content Security Policies). o Peer feedback on applications (Ratings) o Trust No-one o Read permissions
Conclusion Google Chrome browser that the third-party code extensions cannot be 100% trusted every extension requests for permissions that are irrelevant to the purpose of the application. Humans are not perfect – checking code is not an easy task Suggestion : Google need better graphical interface which instructs end users that high level security risk permissions
Reference Felt, Adrienne, Kate Greenwood, and David Wagner. "The Effectiveness of Application Permissions." USENIX Association. 2. (2011): n. page. Web. 28 Feb < final_files/webapps11_proceedings.pdf 25% of tested extensions of Google Chrome admit stealing data, stealing-data/, October 2011 Chrome OS Hacked via Scratchpad, scratchpad/ Chrome OS has security flaws, claims researcher, by Lance Whitney Security Expert Raises Questions Regarding Security Issues Regarding Chrome Web Store ARUPCHOU on MAY 29, chrome/security-expert-raises-questionsregarding-security-issues- regarding-chrome-web-store/