27 of 100 tested Chrome extensions contain 51 vulnerabilities

27 of 100 tested Chrome extensions contain 51 vulnerabilities

Summary: A group of security researchers have analyzed 100 Chrome extensions and found out that 27 of the 100 extensions contain one or more vulnerabilities in their cores, for a total of 51 vulnerabilities.

SHARE:
TOPICS: Security
6

A group of security researchers have analyzed 50 of the top Chrome extensions and another 50 chosen by random, and found out that 27 of the 100 extensions contain one or more vulnerabilities in their cores, for a total of 51 vulnerabilities :

We reviewed 100 Chrome extensions and found that  27 of the 100 extensions leak all of their privileges to a web or WiFi attacker.  Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers.  Web sites may be evil or contain malicious content from users or advertisers.  Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.  We’ll show you how you can prevent attacks on your extension using Content Security Policy.

49 of the 51 vulnerabilities found can be patched by adapting the extensions to use one of two offered Content Security Policies (CSP).

The group is urging extension developers to use CSP directives to protect their users from the potential security consequences of core extension bugs.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • Wifi attacker

    With "Wifi attacker", they mean man-in-the-middle attacker.
    Which is most easily done by a malicious Wifi provider.
    pj.de.bruin
  • 1 in 4 is unacceptable

    A 27% failure rate is unacceptable. Are these malicious exploits or a function of poor QA?
    Your Non Advocate
  • If the greater public ever needed an excuse

    .. to dump the spybot that is Google's Chrome browser, than this is it. Now we have confirmation that Chrome actively assists man-in-the-middle attacks.<br><br>Great! On top of blatant, active spyware (as detected by MSE) deployment through false pretenses, now we have Chrome harboring extensibility for privilege escalation via intercepted communications and XSS.<br><br>In the mean time, Chrome users can self-help by trying this:<br><br>(1) switch out to Chrome's non-spyware, Chromium-twin, Iron Browser. (..that is, nuke Google Chrome and install Iron in its place):<br><br><a href="http://www.srware.net/en/software_srware_iron.php" target="_blank" rel="nofollow"><a href="http://www.srware.net/en/software_srware_iron.php" target="_blank" rel="nofollow">http://www.srware.net/en/software_srware_iron.php</a></a><br><br>and<br><br>(2) Install an above average-to-good emulator of NoScript (for FF) called NotScripts - which i'm confident will kill many (if not most) XSS vectors run via Chrome browsing sessions that the author's blog speaks of:<br><br><a href="https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn" target="_blank" rel="nofollow"><a href="https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn" target="_blank" rel="nofollow">https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn</a></a><br><br>(I can personally attest to NotScripts doing an excellent job of securing the browser.)<br><br>Either way, by all means (lemmings), please read up and do your research ... after all, time is money.
    thx-1138_
  • RE: 27 of 100 tested Chrome extensions contain 51 vulnerabilities

    And you wonder why I refuse to use Google Chrome. This article is a good reason.
    LoverockDavidson_-24231404894599612871915491754222
    • RE: 27 of 100 tested Chrome extensions contain 51 vulnerabilities

      shaddup ya moron...
      ScorpioBlue
    • RE: 27 of 100 tested Chrome extensions contain 51 vulnerabilities

      @LoverockDavidson_
      Amen, brother!!! A leopard can't change its spots. NO reference to Apple, I meant the animal (leopard)!!
      Can you say"ET phone Home"! With Chrome it's so simple even a Caveman can. ROFLMAO!!!!!!!!!!!!!!!!
      Disgruntled_MS_User