Chrome extensions are vulnerable: Advantage, bad guys

Chrome may be secure, but if the extensions aren't, it doesn't matter. Michael Kassner asks the experts why extensions are vulnerable and what's being done about it.

Chrome extension: A small software program that can modify and enhance the functionality of the Chrome web browser.

Back in 2010, Chrome became my web browser of choice. Why? For two years running, contestants at Pwn2Own did not even attempt to crack it. Charlie Miller, a several-time Pwn2Own winner, pointed out:

“There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it.”

2010 was also when I started writing about Chrome and Chrome extensions. During my research for the earlier article about extensions, I was introduced to Adrienne Porter Felt. You may recognize the name. Adrienne has provided expert advice for many of my articles.

It just so happens Google listens to Adrienne as well. The paper “Protecting Browsers from Extension Vulnerabilities,” written by her research team, was instrumental in the development of Chrome’s innovative extension system.

Last September, a Google Alert email mentioned Adrienne had written about security bugs in Chrome extensions. Mental note to self - Adrienne was working on something important.

In February of this year, my suspicion was justified. Adrienne, along with Nicholas Carlini and David Wagner (Adrienne’s advisor), released “An Evaluation of the Google Chrome Extension Security Architecture.”

“Vulnerabilities in browser extensions put users at risk by providing a way for website and network attackers to gain access to users’ private data and credentials.”

Déjà vu struck when I read that. In 2009, I wrote about Firefox having the same problem. Well, I could see it was time to call Adrienne and see what’s up.

Before we get to your latest paper, would you bring us up to speed on the security features implemented in the Chrome extension system?

Porter Felt: In 2009, Google Chrome introduced a new extension platform with several features intended to prevent and mitigate extension vulnerabilities:

Privilege separation: Extensions are built from two types of components, which are isolated from each other - content scripts and extension cores. Content scripts interact with websites and execute with no privileges. Extension cores do not directly interact with websites and execute with the extension’s full privileges.

Isolated worlds: Content scripts can read and modify website content, but content scripts and websites have separate program heaps so websites cannot access content scripts’ functions or variables.

Permissions: Each extension comes packaged with a list of permissions, which govern access to the browser APIs and web domains. If an extension has a core vulnerability, the attacker will only gain access to the permissions the vulnerable extension already has.

Kassner: You reviewed 100 Chrome extensions:

“27 of the 100 extensions contain one or more vulnerabilities, for a total of 51 vulnerabilities. The set of vulnerable extensions includes 7 extensions with more than 300,000 users each.”

Why is it important to make sure extensions are not vulnerable?

Porter Felt: Extensions are fairly powerful - they can read users’ browsing history, passwords, email, etc. If an attacker compromises an extension, the attacker can get access to this personal information, too.

Kassner: Could you briefly explain how you determined if an extension was vulnerable?

Porter Felt: I worked with a fantastic undergraduate student at Cal named Nicholas Carlini. First, he would exercise the user interfaces of the extensions while monitoring their network traffic. Then, he read and searched through the extensions’ source code to find any attacks. I then reviewed each of the potential vulnerabilities to ensure they were real. We then built attacks to demonstrate the vulnerabilities truly existed.

Kassner: The paper seems particularly concerned about extension-core vulnerabilities.

Porter Felt: The “core” is the most powerful part of the extension, so a vulnerability in an extension core yields the most privileges to an attacker. The extension core includes invisible background code, options, and any other HTML the extension provides.