I've just created my first Chrome Extension, and can say that from
developer perspective the API and whole architecture is really great
to work with.
Although I really like working with extensions, the power that
extension developer has really scares me. This subject was already
discussed here (http://groups.google.com/group/chromium-extensions/
browse_thread/thread/ec54f542447cba05) but I found that the thread
died more then year ago without any significant conclusions.
I'm not a security expert nor really experienced extension developer,
so if someone can calm my worries and point me where I'm wrong, it
will be highly appreciated :)
So, what worries me:
1. Content scripts + Cross Origin XHR
It is really easy to implement extension that will be also key logger.
It's already covered by thread I've mentioned - let us assume that
we've got extension that will be advertised as the one that allows you
to grab any image from page and send it to particular service one use
(flickr whatever). It's just example, but with this example, it will
be easy to convince user that this extension needs privilege to:
inject content script to every page, make http requests. I'm sure
there are loads of other ways to advertise malicious extension using
cover of really useful one.
Additionally, since such a extension has ability to edit DOM, it
allows phishing to reach totally new level. Let say, that we're using
on-line banking, that has 3 layered security (it's most popular
approach in PL) - to make a payment/transaction, user must provide:
user Id, password and random token either generated, or send via text
message to defined mobile phone no. It's really not that hard to
imagine attack on given bank system, that will be shipped using chrome
extension. First extension will steal login + passwd, and then goes
phsing. After successful log on, extension can monitor user actions by
parsing DOM, when it will detect that user just reached form asking
for token, it can steal the token, render page that will mimic
successful transaction and send all credentials needed to clear given
account to the criminal.
It's most serious danger I could imagine, and I've got this idea after
2 days of working with extensions, and I'm not an expert in either
security/social engineering/chrome extensions!
One question here - how in case of extensions 'same origin policy' is
interpreted - extension can make XHRs to the host from which it was
downloaded? If so, it's even more dangerous.
2. Partial extensions isolation
Isolation of extensions is really phony. Using message passing and
then DOM events (as suggested in extensions tutorial) extensions can
communicate with each other. This allows even more sophisticated
attack. Let say that there is extension A that needs 'only' access to
DOM of any page, but doesn't need/perform XHR. And, let us have
extension B which claims that need access just to one/two kind of
popular URLs + XHR. Now extension A steals data, opens new page to
which extension B can inject script, exchange data with B using DOM
events and closes window directly afterwards.
Short update - I've found that it's even easier, as extensions can
communicate between each other without any restrictions.
3. Other Deployment Options
Malicious developer may install chrome extension that can do
everything, without asking for permission, using other deployments
options. Let say that such a criminal, prepares tiny freeware, useful
application that doesn't contain any malicious code, thus won't be
detected by antivirus software. Installer of such a application may in
turn install any chrome extension using either windows registry or
preferences file. This extension can do anything and user won't even
notice it, until he/she goes to the chrome://extensions.
It all may sound paranoid, but I'm thinking here mostly about users
like my mother who can barely differentiate internet from browser and
so on. I'm sure that there are loads of such a users 'out there'.
Because of that I think that the developers shouldn't rely on user's
Some ideas on how to improve a bit:
1. Create URL's black list. User should be able to define set of URLs
into which content script will NEVER have access. I think also that
such a list should have initial entries filled by chrome developers,
containing well known, crucial services, like on-line banks, most
popular e-mail providers, shops and so on. Additionally it would be
great if web service developers/managers could post request to block
extensions on their site. Of course, user can edit this list and e.g.
remove entries he/she think that can use extension.
2. Ask user whether he/she wants to install or load extension that was
installed using 'Other Deployment Options'
3. Maybe think about more fine grained sandboxing, using flashplayer
as a source. In flash for example, various actions might be performed
only triggered by user event. It's really tough one.
Hope this will make someone to think about extensions security a bit,
also thanks in advance for any calming info ;)