Paper: Browser Extensions Have Potential Security Implications

Posted on 09. Feb, 2010 by in Features


In a comprehensive paper that was recently published, researchers at Berkeley’s Department of Electrical Engineering and Computer Science studied the security impact that extensions can have on a browser’s exposure to exploits and attacks on a computer. They found that of twenty-five popular Firefox extensions, all of them had the highest level of security privileges in the browser. That’s all that would theoretically be needed to attack a machine, which could potentially result in a compromise.

The paper also goes on to explain that the majority of extensions don’t need these types of privileges in order to do what a developer is trying to accomplish, but that the Firefox API as it currently stands is built to allow for powerful networked software development, even for extensions.

The group who wrote this paper has even worked with Google in order to better implement their own extensions directory. They proposed to Google a method whereby keys are used to help identify an extension. Developers must sign an agreement with Google to ensure that privileges for an extension do not have capabilities that allow for potential security problems before they can be listed at the official directory.

When installing extensions from the Google directory, which was launched last December, I had noticed a few times that the URL for the location of the download was a bit unique:

This is by design, however. It’s a public key that identifies the extension with the website. The best part about this is that for the purposes of version updating, the key is tied to the extension and thus to its URL on the Google extension directory. This is in addition to scripts running separately from outside web sources and some other interesting features that offer a robust technical standard for these additional features of the Chrome browser that independent developers are working on.
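As an added illustration (not code from the paper or from this post), the sketch below shows how a Chrome extension identifier of the kind seen in such a URL is derived from the extension's public key, and how a defender can check that a manifest's `key` field matches an expected ID. It assumes Chrome's scheme of taking the first 128 bits of SHA-256 over the DER-encoded public key and writing them with the letters a-p; the key bytes and manifest are constructed samples.

```python
import base64
import hashlib
import json


def hex_to_ap(hex_str):
    """Map hex digits 0-9a-f onto the letters a-p used in extension IDs."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hex_str)


def extension_id(public_key_der):
    """Extension ID: first 128 bits of SHA-256 over the DER public key."""
    digest = hashlib.sha256(public_key_der).hexdigest()
    return hex_to_ap(digest[:32])


def id_from_manifest(manifest_text):
    """Derive the ID from the base64 'key' field of a manifest.json."""
    manifest = json.loads(manifest_text)
    key_b64 = manifest.get("key")
    if not key_b64:
        raise ValueError("manifest has no 'key' field")
    return extension_id(base64.b64decode(key_b64, validate=True))


def matches_expected(manifest_text, expected_id):
    """True if the manifest's key yields the ID the user expects to install."""
    return id_from_manifest(manifest_text) == expected_id.strip().lower()


# Constructed sample: placeholder bytes standing in for a real DER public key.
SAMPLE_KEY = b"constructed-sample-public-key-not-real-DER"
SAMPLE_MANIFEST = json.dumps({
    "name": "Sample extension (constructed)",
    "version": "1.0",
    "key": base64.b64encode(SAMPLE_KEY).decode("ascii"),
})

if __name__ == "__main__":
    derived = id_from_manifest(SAMPLE_MANIFEST)
    print("derived extension ID:", derived)
    print("matches itself:", matches_expected(SAMPLE_MANIFEST, derived))
    print("matches other ID:", matches_expected(SAMPLE_MANIFEST, "a" * 32))
```

Because the ID is a function of the key alone, an update signed with a different key produces a different ID and cannot silently replace the installed extension.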

While Firefox offers a rating system that works to protect users, as well as a developmental system called Jetpack that offers narrow interfaces, I really got the impression that there was a lot of thought that was put into the extension system for Chrome. While trying to expose vulnerabilities through extensions doesn’t appear to be something that is deliberate by those who create them, there is potential for there to be problems down the line.

It’s also important to consider that if you plan on using extensions, you should probably use an official directory depending on the browser that you use. That means getting them from Mozilla.org for Firefox or the official Google extensions site for Chrome. I could not find an extension/add-in directory for Internet Explorer from Microsoft.

Firefox, Internet Explorer and Chrome are discussed in the paper in depth. There is so much more that you can do with a browser now that JavaScript performance has increased at such a huge rate over the past few years, so browsers need to become increasingly secure as they become more than just where you surf the web and also where you run applications. So it’s worth a read if you have time, and you can check out the abstract from here.


2 Responses to “Paper: Browser Extensions Have Potential Security Implications”

  1. [...] paper-browser-extensions-have-potential-security-implications [...]

  2. [...] in the browser, since they are capable of saving data themselves. I had previously talked about Google being very careful to look over extensions before adding them to the Official Extensions site, but perhaps they are only concerned about extensions that have potential elevation privileges [...]
