madison

Zero Day

Ryan Naraine and Dancho Danchev
Home / News & Blogs / Zero Day

27 of 100 tested Chrome extensions contain 51 vulnerabilities

By | October 4, 2011, 1:20am PDT

Summary: A group of security researchers have analyzed 100 Chrome extensions and found out that 27 of the 100 extensions contain one or more vulnerabilities in their cores, for a total of 51 vulnerabilities.

A group of security researchers have analyzed 50 of the top Chrome extensions and another 50 chosen by random, and found out that 27 of the 100 extensions contain one or more vulnerabilities in their cores, for a total of 51 vulnerabilities :

We reviewed 100 Chrome extensions and found that  27 of the 100 extensions leak all of their privileges to a web or WiFi attacker.  Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers.  Web sites may be evil or contain malicious content from users or advertisers.  Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.  We’ll show you how you can prevent attacks on your extension using Content Security Policy.

49 of the 51 vulnerabilities found can be patched by adapting the extensions to use one of two offered Content Security Policies (CSP).

The group is urging extension developers to use CSP directives to protect their users from the potential security consequences of core extension bugs.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Researcher, Vulnerability, Security, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Talkback Most Recent of 6 Talkback(s)

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
Click Here

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources