
SoylentNews is people

posted by LaminatorX on Sunday December 07 2014, @06:12AM   Printer-friendly
from the CAN-ANYONE-REPLICATE-THIS? dept.

There is a gaping security flaw in the Chrome browser and I don't know what to do about it.

What happened was I wrote a couple of simple HTML5 pages and uploaded them to my web host. While testing them in Chrome on OSX, a new tab opened claiming I wasn't running the latest Chrome browser (I was). The URL had some random-letter .info address, so I was suspicious but decided to play along a little, where I was invited to download setup.exe (yes, on a Mac).

Had I been on Windows this might have been almost plausible.

So where had this tab come from, as I only had my page open at the time?
Well, it was my page! Looking at the source in the browser, it was identical to the source I had written. However, downloading the webpage complete through the browser also downloaded app.js, and when I loaded the HTML into my editor I found the header had acquired two additional JavaScript files and an additional CSS file.

This was also the case on Linux Mint with the Chrome browser, but not with Firefox. With some googling I found one link was Privacy Badger, and I joined the mailing list to find out they inject code into webpages to replace the Facebook like buttons. But the other 2 were not theirs.

In the meantime I found removing the Privacy Badger extension removed their injection but not the other 2.

So at this point I removed all extensions from Chrome and it removed the other 2 injections.

It seems conclusive to me at least that Google's extension repository is not to be trusted.

While I was targeted with Windows malware of some description, a little more work could have pushed a dmg or deb or rpm file instead.

To be fair, the possibilities are endless; it would be fairly easy to log all of a person's web activity, even the emails they write, with these trojan extensions. Trouble is, people trust Google's repository, but Google can't really be maintaining any security if this is occurring.

I am very worried about this, as so many people use Chrome, and extensions are for the most part cross-platform.
If you install an extension on one platform and then log in to Google on another using Chrome, your extensions get sync'd and that security hole is now on your Linux box or OSX box.

So what should be done about this?
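
The comparison the story describes (the HTML as uploaded versus the copy saved from the browser while extensions are active) can be automated. The following is an added example, not code from the submitter; apart from app.js, the file names and sample pages are constructed placeholders.

```python
# Added example (not from the original post): list scripts and stylesheets
# that appear in a browser-saved copy of a page but not in the uploaded HTML.
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ResourceCollector(HTMLParser):
    """Collects (kind, reference) for external scripts and stylesheets."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.resources.append(("stylesheet", a["href"]))

def collect(html):
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources

def key(kind, ref):
    # Saving a page "complete" rewrites URLs to a local *_files/ folder,
    # so compare on file name only. Assumption: an injected file does not
    # reuse the file name of one of the page's own resources.
    return kind, posixpath.basename(urlsplit(ref).path).lower()

def injected_resources(uploaded_html, saved_html):
    """Resources in the saved copy that the author's own HTML never referenced."""
    known = {key(k, r) for k, r in collect(uploaded_html)}
    return [(k, r) for k, r in collect(saved_html) if key(k, r) not in known]

# Constructed sample pages: the author's upload and the browser-saved copy.
UPLOADED = ('<html><head><link rel="stylesheet" href="site.css"></head>'
            '<body><script src="main.js"></script></body></html>')
SAVED = ('<html><head><link rel="stylesheet" href="./index_files/site.css">'
         '<script src="./index_files/app.js"></script>'
         '<script src="./index_files/inject.js"></script>'
         '<link rel="stylesheet" href="./index_files/overlay.css"></head>'
         '<body><script src="./index_files/main.js"></script></body></html>')

if __name__ == "__main__":
    for kind, ref in injected_resources(UPLOADED, SAVED):
        print(f"not in uploaded source: {kind} {ref}")
```

Running it once per extension, with only that extension enabled, attributes each injected file to the extension that added it, which is the elimination the story did by hand.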

 
  • (Score: 2) by kaszz (4211) on Sunday December 07 2014, @10:00AM (#123446)

    The extension could demand that all CDN served ads are signed with its authorization key?

    (and Google should isolate extensions from the core browser in the way the kernel keeps userland out)
