Security/Privacy: Academic Research on Extensions
Reported by
raffp...@gmail.com,
Mar 8 2017
Issue description

Dear Google Chrome Team,

I am writing to you from Newcastle University as part of some academic research I have taken part in. Our paper was recently scheduled for major changes and one of the points the reviewers made was about responsible disclosure. Our paper is a survey-type paper, thus I do not think any of the content is relevant to the paid monetary bounty; however, the paper does highlight some issues present with the current status of extension systems (of Chrome and Firefox). One of the most pertinent points we make is that web stores are not a panacea for removing malware extensions: we managed to upload a "malicious" extension (unlisted, so no one can download it outside of our research) to the store, with a disabled server so it can do no harm (https://chrome.google.com/webstore/detail/newcastle-page-manager-fo/oojcaijancijonephclnodohaoapaehj). We of course will remove this extension from the store (we currently have it as proof that our academic research worked, and disabled the server so it can't do any harm) if requested.

Some of the issues we address in the paper may be beneficial when discussed internally; we attach the paper to this submission. As the paper focuses on Chrome and Firefox, feel free to just take a look at the sections discussing Chrome, and Table 1.

PS: I hope this is the correct place to disclose something outside of the bounty's scope, as I couldn't find any other contact point.

Best regards,
Raff
Mar 8 2017
I've reviewed the paper, thanks. I don't see anything here that is a surprise. The "malicious" extension you've linked does not request a significant level of permissions and thus I would not expect it to be able to exercise most of the capabilities discussed in your paper. Your paper does not identify any circumstances where you found that the extension's capabilities exceeded the requested and granted permissions, so I trust you have not identified such a flaw?

In a quick scan of the prose itself, I noted a few things:

> (In practice, phishing websites rarely use certificates as they are usually very short-lived; furthermore, a certificate is costly to obtain and requires checking the identity.)

This is no longer true; see e.g. https://textslashplain.com/2017/01/16/certified-malice/ for discussion.

> The browser must warm the user if there is any abnormality in the certificate

Typo: warm -> warn

Elsewhere in the paper, there's discussion of replacing a legitimate site with a phishing site (e.g. Phishbook). It's unclear why an attacker would bother doing this, given that his full-privilege extension could simply watch the user's input into the legitimate site. The attacker need not build any phishing content at all unless he wishes to collect data the legitimate site does not request.
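The point made in the comment above, that an extension's reach is bounded by the permissions its manifest declares, is something a vetting pass can check mechanically before anyone reads the code. The block below is an added example, not code from this thread, from the reporter's extension, or from Chrome or the Web Store. The sensitive-permission list, the verdict thresholds and the two sample manifests are assumptions constructed for illustration, and the capability rules are a deliberate simplification of Chrome's actual permission model (for instance, MV2 could inject via tabs.executeScript given host permission alone, while MV3 also requires "scripting").

```javascript
// Added example (not from the bug thread): approximate the capability an
// extension gains from its manifest, so a vetting pass can flag the
// "full-privilege" case described in the thread (an extension that can read
// or rewrite any page the user visits). Lists, thresholds and sample
// manifests are constructed assumptions, not Chrome's own warning logic.

// API permissions that materially widen what an extension can observe or alter.
const SENSITIVE_PERMS = new Set([
  "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
  "tabs", "history", "scripting", "debugger", "nativeMessaging", "proxy",
  "clipboardRead", "management", "downloads",
]);

// Match patterns that cover every http(s) origin ("<all_urls>", "*://*/*", ...).
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Anything shaped like a match pattern is a host grant, not an API permission.
// MV2 mixed both in "permissions"; MV3 moved hosts to "host_permissions".
function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

function analyzeManifest(manifest) {
  const mv = manifest.manifest_version || 2;
  const declared = manifest.permissions || [];
  const apiPerms = declared.filter((p) => !isHostPattern(p));
  const hostGrants = [
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
  ];
  const scriptMatches = (manifest.content_scripts || []).flatMap(
    (cs) => cs.matches || [],
  );

  const broadHostAccess = hostGrants.some(isBroadHost);
  const contentScriptOnAllSites = scriptMatches.some(isBroadHost);
  const sensitive = apiPerms.filter((p) => SENSITIVE_PERMS.has(p)).sort();

  // Simplified rule: a content script matched to all sites injects regardless;
  // otherwise broad host access suffices on MV2, and MV3 also needs "scripting".
  const canInjectEverywhere =
    contentScriptOnAllSites ||
    (broadHostAccess && (mv === 2 || apiPerms.includes("scripting")));

  // Broad host access plus webRequest lets the extension watch page traffic.
  const canObserveTraffic =
    broadHostAccess &&
    ["webRequest", "webRequestBlocking"].some((p) => apiPerms.includes(p));

  let verdict = "limited";
  if (canInjectEverywhere) verdict = "full-privilege";
  else if (broadHostAccess || sensitive.length >= 2) verdict = "broad";

  return {
    manifestVersion: mv, broadHostAccess, contentScriptOnAllSites,
    canInjectEverywhere, canObserveTraffic, sensitivePermissions: sensitive,
    verdict,
  };
}

// Constructed sample manifests (illustrative; not the extension from the thread).
const LOW_PRIV_MANIFEST = {
  manifest_version: 2, name: "Page manager (sample)", version: "1.0",
  permissions: ["activeTab", "storage"],
  browser_action: { default_popup: "popup.html" },
};

const FULL_PRIV_MANIFEST = {
  manifest_version: 3, name: "Helper (sample)", version: "1.0",
  permissions: ["scripting", "webRequest", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const m of [LOW_PRIV_MANIFEST, FULL_PRIV_MANIFEST]) {
    console.log(m.name, JSON.stringify(analyzeManifest(m)));
  }
}
```

Run with `node analyze.js` to print a verdict per sample manifest. The low-privilege sample comes out "limited" because activeTab only grants access to the page the user explicitly invokes the extension on, while the second sample is "full-privilege" because a content script matched to `<all_urls>` runs on every page whether or not any API permission is present. A store-side triage could use a verdict like this to decide which submissions get a closer look, which is the practical reading of the comment that capability, not the presence of a "malicious" label, is what matters.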
Mar 9 2017
Hi, that's correct: we haven't identified such flaws in Chrome. The paper is a survey paper and is meant to detail the threats present with extensions, rather than identify security flaws in the implementation of your extension system. Thanks for the feedback; that was an interesting article (and something that has been fixed in our rescheduled version). The idea of introducing various attacks is to enumerate all the possibilities an attacker may have for evading automated vetting processes.
Mar 9 2017
Out of curiosity, what is Chrome's philosophy on dealing with the threat of malicious extensions, and with the web store not being able to 100% vet all malicious extensions?
Mar 9 2017
You can read about Web Store guidelines here: https://developer.chrome.com/webstore/program_policies

I'm not aware of any other public statements beyond our blogs (see https://blog.chromium.org/2015/05/continuing-to-protect-chrome-users-from.html and the places it links).
Jun 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Mar 8 2017
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows