01:01 PM

Top Google Chrome Extensions Leak Data

Study of 100 extensions found that 27% leave users vulnerable to Web or Wi-Fi attack.

A review of 100 Google Chrome extensions, including the 50 most popular selections, found that 27% of them contain one or more vulnerabilities that could be exploited by attackers either via the Web or unsecured Wi-Fi hotspots.

Those findings come from a study being conducted by security researchers Adrienne Porter Felt, Nicholas Carlini, and Prateek Saxena at University of California, Berkeley. In particular, they analyzed the 50 most popular Chrome extensions, as well as 50 others selected at random, for JavaScript injection vulnerabilities, since such bugs can enable an attacker to take complete control of an extension.

The researchers found that 27 of the 100 extensions studied contained one or more injection vulnerabilities, for a total of 51 vulnerabilities across all of the extensions. The researchers also said that seven of the vulnerable extensions were used by 300,000 people or more.

"Bugs in extensions put users at risk by leaking private information (like passwords and history) to Web and Wi-Fi attackers," they said. "Websites may be evil or contain malicious content from users or advertisers. Attackers on public Wi-Fi networks (like in coffee shops and airports) can change all HTTP content."


The researchers sent vulnerability warnings to all relevant developers, and so far two related patches have been released. One involved Twitter's Silver Bird extension (version, which had a vulnerability that an attacker could use to hide scripts in the data feed sent to Twitter, although the micro-blogging service appears to sanitize all incoming data against attack. Regardless, the vulnerability was fixed with the release of version of Silver Bird.

Another vulnerability was resolved by Google updating OpenAttribute--used to help people read websites' Creative Commons (CC) licenses--from version 0.6 to 0.7, with the new version locking down the extension's security. According to the Berkeley team's OpenAttribute extension vulnerability disclosure to Google in July, a successful exploit of the vulnerability could allow an attacker to spoof a user's identity when making HTTP requests. In addition, they said, "a malicious website could serve a fake CC license that includes inline scripts, or a Wi-Fi attacker could insert inline scripts into a license provided by a legitimate website like Wikipedia. The inserted code then runs in the extension's popup window with the extension's privileges."
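The pattern described above (content fetched over HTTP and inserted into an extension page as markup) can be flagged in review. The heuristic checker below is an added example, not code from the Berkeley study or from any extension named here; the sample manifest, the `popup.js` contents and the `licenses.example` host are constructed for illustration.

```javascript
// Added example. Heuristic review of extension sources; the sample
// manifest and popup.js contents below are constructed, not from a real extension.
const SINKS = [
  { issue: "innerHTML assignment", re: /\.innerHTML\s*\+?=/ },
  { issue: "document.write call", re: /document\.write(ln)?\s*\(/ },
  { issue: "eval call", re: /\beval\s*\(/ },
  { issue: "string argument to setTimeout/setInterval", re: /set(Timeout|Interval)\s*\(\s*["'`]/ },
];
const CLEARTEXT_URL = /["'`]http:\/\/[^"'`\s]+/;

function auditExtension(manifest, files) {
  const findings = [];
  // Without a restrictive CSP, injected inline script runs with extension privileges.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : JSON.stringify(csp || "");
  if (!csp) {
    findings.push({ file: "manifest.json", line: 0, issue: "no content_security_policy" });
  } else if (/unsafe-inline|unsafe-eval/.test(cspText)) {
    findings.push({ file: "manifest.json", line: 0, issue: "CSP allows unsafe-inline or unsafe-eval" });
  }
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      for (const sink of SINKS) {
        if (sink.re.test(text)) findings.push({ file, line: i + 1, issue: sink.issue });
      }
      // Anything fetched over http:// can be rewritten by a Wi-Fi attacker.
      if (CLEARTEXT_URL.test(text)) {
        findings.push({ file, line: i + 1, issue: "cleartext http:// resource" });
      }
    });
  }
  return findings;
}

const VULNERABLE = {
  manifest: { name: "Sample License Viewer", permissions: ["tabs"] },
  files: { "popup.js": [
    'const xhr = new XMLHttpRequest();',
    'xhr.open("GET", "http://licenses.example/cc.html");',
    'xhr.onload = () => { document.getElementById("license").innerHTML = xhr.responseText; };',
    'xhr.send();',
  ].join("\n") },
};
const HARDENED = {
  manifest: { ...VULNERABLE.manifest, content_security_policy: "script-src 'self'; object-src 'self'" },
  files: { "popup.js": VULNERABLE.files["popup.js"]
    .replace("http://", "https://").replace(".innerHTML", ".textContent") },
};
console.log(auditExtension(VULNERABLE.manifest, VULNERABLE.files));
console.log(auditExtension(HARDENED.manifest, HARDENED.files));
```

The checks are line-based pattern matches, so they serve as a triage aid for manual review rather than proof that an extension is free of injection bugs.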

The extension vulnerabilities detailed to date are part of a larger study into Google Chrome security. The full study, to be released in two months, will name and include full details about all of the vulnerable extensions discovered. "We haven't released all of the vulnerable extension names because some of the very popular ones are still unpatched, and we're giving them some time to get fixed," according to a blog post from security researcher Adrienne Porter Felt at Berkeley.

The interest in browser extension security reflects the fact that as browser makers--including Microsoft--have become more adept at securing their code (to say nothing of Microsoft also improving Windows security), attackers have turned their attention to exploiting vulnerabilities in the third-party code--including add-ons and extensions--used by browsers.


User Rank: Apprentice
10/26/2011 | 9:04:16 AM
re: Top Google Chrome Extensions Leak Data
Why don't you write out the extensions that you've found leak data?! Doesn't say anything in the report either!
User Rank: Apprentice
9/29/2011 | 8:52:56 PM
re: Top Google Chrome Extensions Leak Data
How does this compare with Firefox and its many extensions? Would Firefox do worse (there have definitely been past examples of Firefox extensions with security issues), would it do better, or worse?
To a certain degree, as with mobile app stores and general operating systems, there is a certain amount of risk with anything that you install to your browser.

Jim Rapoza is an InformationWeek Contributing Editor