Analysis In a mild PR flurry, Google engineers this month insisted that the ad giant's startling changes to Chrome browser extensions were not about blocking ad blockers. Rather, Google wants to make the plugins safer. These engineers have more work to do than it seems.
Setting aside Google's public filings about the revenue threat posed by web ad blocking, and the measures the company has taken in the Google Play Store to limit disruption of mobile app advertising, the internet goliath has reason to revise its Chrome extension ecosystem: it is as fragile as a house of cards.
Google insists that the number of malicious extension installations has dropped 89 percent since early 201
Chrome extensions are obviously useful for developers and users. They can improve privacy, add features, and enhance the browsing experience. But they are so powerful that they can easily be abused, and the security review process Google has set up for the Chrome Web Store is not foolproof.
Google: We're not killing ad blockers. Translation: We made them too powerful, and we're putting that genie back in the bottle.
The core issue is that Chrome extensions can undo the browser's security model and extract sensitive data. One reader commenting on this topic suggested that if people truly understood how powerful Chrome extensions are, the extensions would be given a CVE rating of 10.0 and be taken out of service.
That may be an exaggeration, given that the API at the center of this mess, specifically the blocking capability of the webRequest API, will remain available to enterprises once the pending platform overhaul is complete, because it is so useful.
Raymond Hill, developer of uBlock Origin, disagrees with that characterization, because the ability to modify headers is by design part of the webRequest API – not a bug.
"There is no CVE issue here because the extensions are opt-in, and what they can do is given to the users who decide to install them," he said in an email to The Register.
However, Google's platform decisions have implications for security. And Mozilla's too, since Firefox also supports the webRequest API for add-ons (aka extensions).
At the SecTor security conference in Canada last October – coincidentally the same month in which Google announced its Chrome extensions overhaul plan, known as Manifest v3 – Lilly Chalupowski, a security application developer at GoSecure, gave a presentation titled The Chrome Crusader.
Chalupowski demonstrated that Chrome extensions can strip HTTP headers, including security headers, from website interactions. The result is that it is trivial to develop an extension that violates the browser's same-origin security model.
As she put it in a telephone interview with The Register, "Injection is a feature."
"If you have injection as a feature, then you have to worry," Chalupowski said, "especially when you pass functions to change secure headers on the fly and literally change them the way you want." During her demonstration, Chalupowski showed how to build a simple Chrome extension that talks to a local Flask command-and-control server, run for the demo, to steal passwords from an online banking site.
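The header stripping described above is something a site operator can check for from the defender's side. The following is an added example written for this article, not code from the original piece, from GoSecure or from Chalupowski's PoC: it compares the security headers a server sent with the headers a client reports having observed, and flags anything removed, altered or newly present in transit. The header sets are constructed samples, and the reporting channel (how the client's view reaches the server) is assumed to exist.

```javascript
// Added example (not code from the article or from Chalupowski's PoC): a
// defender-side comparison of the security headers a server sent against the
// headers a client reports having observed. Anything missing, altered or
// newly present was changed in transit, which is exactly what an extension
// holding blocking webRequest access can do.

const SECURITY_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'access-control-allow-origin',
];

// Lower-case header names and trim values so casing differences are not counted as changes.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns one finding per security header that differs between the two views.
// An empty array means the security headers arrived intact.
function diffSecurityHeaders(sentByServer, seenByClient) {
  const sent = normalizeHeaders(sentByServer);
  const seen = normalizeHeaders(seenByClient);
  const findings = [];
  for (const name of SECURITY_HEADERS) {
    const inSent = name in sent;
    const inSeen = name in seen;
    if (inSent && !inSeen) {
      findings.push({ header: name, kind: 'removed', sent: sent[name] });
    } else if (inSent && inSeen && sent[name] !== seen[name]) {
      findings.push({ header: name, kind: 'modified', sent: sent[name], seen: seen[name] });
    } else if (!inSent && inSeen) {
      findings.push({ header: name, kind: 'injected', seen: seen[name] });
    }
  }
  return findings;
}

// True when a finding undoes an origin boundary: a dropped CSP or frame
// policy, or a CORS header that now admits every origin.
function breaksOriginBoundary(findings) {
  return findings.some(
    (f) =>
      (f.kind === 'removed' &&
        (f.header === 'content-security-policy' || f.header === 'x-frame-options')) ||
      (f.header === 'access-control-allow-origin' && f.kind !== 'removed' && f.seen === '*'),
  );
}

// Constructed sample, not captured traffic: what the server sent, and what
// the page reported seeing after an extension rewrote the response headers.
const SENT_BY_SERVER = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000',
};
const SEEN_BY_CLIENT = {
  'content-type': 'text/html',
  'strict-transport-security': 'max-age=31536000',
  'access-control-allow-origin': '*',
};

const report = diffSecurityHeaders(SENT_BY_SERVER, SEEN_BY_CLIENT);
console.log(JSON.stringify(report, null, 2));
console.log('origin boundary broken:', breaksOriginBoundary(report));
```

Run with Node. On the sample, the report lists the CSP and X-Frame-Options headers as removed and a wildcard Access-Control-Allow-Origin as injected, so the origin-boundary check returns true; comparing a response with itself returns no findings. The check only sees what the client reports, so an extension that also edits the report would evade it; it is a tripwire, not proof of integrity.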
Google looks for malicious extensions, but Chalupowski suggested that some types of offenders could evade detection.
Chalupowski has published proof-of-concept code on GitHub. The Register has not yet determined whether changes made to Chrome since the PoC code was first released affect its functionality.
"uBlock Origin and others use this feature to change headers for good purposes, for security reasons," she said, "while the same features in Chrome and Firefox are used for malicious purposes."
And that's the problem: a developer with good intentions can create extension code that is beneficial, and a bad-faith developer can use the same API to abuse trust and steal information.
In 2010, when the webRequest API was being designed, there was some discussion of its implications for privacy and security, but this was not the overriding concern. The design document mentions the issue in passing:
Chrome extensions used to be even more open. Hill said that in 2013, Chrome extensions could see the network requests of other extensions via the webRequest API. It was a useful but also abusable feature and was therefore removed.
Google may need to reduce the risk posed by webRequest, but among those who develop extensions there is hope that the price of security won't be ineffective content blocking and below-average privacy controls.
Hill believes Google should implement a more granular permission model for dealing with CORS and CSP headers. That way, extensions that require specific capabilities can request them directly instead of settling for a less powerful API. He also suggested that Google could deny webRequest API access to a wider range of request headers, as it already does in some cases.
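The permission question Hill raises, and the point made earlier that the same API serves both uBlock Origin and a bad-faith developer, can be made concrete with a static review of what a manifest actually asks for. The following is an added example written for this article, not code from the original piece, from uBlock Origin or from GoSecure: it reads an extension's manifest.json and flags the pairing of blocking webRequest access with broad host permissions. The three manifests are constructed, hypothetical samples; the permission names (webRequest, webRequestBlocking, <all_urls>, host_permissions) are the real Chrome ones.

```javascript
// Added example (not code from the article, uBlock Origin or GoSecure): a
// static audit of a Chrome extension manifest.json that flags the pairing the
// article describes, blocking webRequest access plus broad host permissions,
// which lets an extension rewrite headers on every site the user visits.

const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];
const SEVERITY_RANK = { none: 0, info: 1, medium: 2, high: 3 };

// Host permissions are URL match patterns; everything else is an API permission.
function isHostPattern(perm) {
  return perm === '<all_urls>' || /^(\*|https?|file|ftp):\/\//.test(perm);
}

function auditManifest(manifest) {
  const version = manifest.manifest_version || 2;
  const declared = manifest.permissions || [];
  // Manifest v2 mixes host patterns into "permissions"; Manifest v3 moves them
  // into a separate "host_permissions" list. Collect both.
  const hosts = [...declared.filter(isHostPattern), ...(manifest.host_permissions || [])];
  const apis = declared.filter((p) => !isHostPattern(p));

  const broadHosts = hosts.some((h) => BROAD_HOST_PATTERNS.includes(h));
  const canObserve = apis.includes('webRequest');
  const canRewrite = apis.includes('webRequestBlocking');

  const findings = [];
  if (canRewrite && broadHosts) {
    findings.push({
      severity: 'high',
      reason: 'blocking webRequest on all hosts: can strip or rewrite headers for every site',
    });
  } else if (canRewrite) {
    findings.push({
      severity: 'medium',
      reason: `blocking webRequest limited to: ${hosts.join(', ') || '(no hosts)'}`,
    });
  } else if (canObserve && broadHosts) {
    findings.push({
      severity: 'medium',
      reason: 'read-only webRequest on all hosts: can observe every request, including URLs and headers',
    });
  }
  if (version >= 3 && canRewrite) {
    // Per the article, Google keeps the blocking capability for enterprise
    // deployments only once the Manifest v3 overhaul lands.
    findings.push({
      severity: 'info',
      reason: 'Manifest v3: blocking webRequest is retained for enterprise deployments only',
    });
  }

  // Overall risk is the worst severity among the findings.
  const risk = findings.reduce(
    (worst, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst] ? f.severity : worst),
    'none',
  );
  return { version, hosts, apis, findings, risk };
}

// Constructed sample manifests (hypothetical, not any real extension).
const CONTENT_BLOCKER = {
  manifest_version: 2,
  name: 'Hypothetical content blocker',
  permissions: ['webRequest', 'webRequestBlocking', 'storage', '<all_urls>'],
};
const SCOPED_HEADER_FIXER = {
  manifest_version: 2,
  name: 'Hypothetical scoped header rewriter',
  permissions: ['webRequest', 'webRequestBlocking', 'https://intranet.example/*'],
};
const NOTE_TAKER = {
  manifest_version: 3,
  name: 'Hypothetical note taker',
  permissions: ['storage'],
  host_permissions: [],
};

for (const m of [CONTENT_BLOCKER, SCOPED_HEADER_FIXER, NOTE_TAKER]) {
  const result = auditManifest(m);
  console.log(`${m.name}: ${result.risk}`, result.findings.map((f) => f.reason));
}
```

Run with Node. The content blocker scores high, the intranet-scoped rewriter medium, and the note taker none. A high score is not a verdict of malice: a legitimate content blocker needs exactly that combination, which is the article's point, so the audit is a prompt for closer review of what the extension does with the capability, not a block list.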
"Changing that," Chalupowski said, "is nothing but good news for users."
For developers, and for users who are capable of making responsible decisions about the software they install, it's a bit more complicated. ®