Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Published byDanny Crompton Modified over 9 years ago

Similar presentations

Presentation on theme: "Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform."— Presentation transcript:

1 Chrome Extentions Vulnerabilities

2 Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform

3 Vulnerabilities Statistics 27 out of 100 tested extensions of Chrome Browser vulnerable to attack by extracting data (password, history, etc.) Malicious applications Gain control over your Google account (G-mail, Calendar etc.) Java Script- injection vulnerabilities More the 25% of testing extensions from researcher were considered vulnerable under this attack and 7 of those application used from more then 300 000 users!!! Security flows in chrome OS Hackers access your data on the cloud without event has access to the user pc. Exits design flows that gives extensions sweeping rights to access data on the cloud.

4 Research 3 types of extensions: core extensions- main portion of an extension content scripts - are JavaScript that are injected into web sites Plugins – native executable Each app or extensions ask for permission before install- but who reads them??? 2 Types of permissions : Time-of-use systems - prompt the user to approve of needed permissions at the runtime of the application. install-time systems -ask for permissions at the time the extension is installed.

5 Risk Management Extensions required permissions Plug ins – is granted full permissions to everything on users machine (because is local executable) Extensions with plug ins are reviewed Core extensions – comes with the extention API which is a browser manager that allows access to bookmarks, history and geo-location.

6 Findings 500 most popular extensions 91.4% of them ask for at least one security-relevant permission. This means that almost every extension installalation generates at least one security warning. 10% of applications request unneeded permissions. no developer tools on any platform with install-time permissions that provide developer tools to detect unnecessary permissions.

7 Scratchpad App example Scratchpad extension for Google Docs Installed by default on Chrome notebook The permissions allow it to auto-sync with user’s Google Doc account! The catch- Google Docs lets users share documents with others without first asking the receiving user if they want to receive the document or not. The result of hacking this app from the researchers: Johansen was able to share a malicious note through Scratchpad which, when opened, stole all of the user’s Gmail contacts.

8 Our experiment User downloads our app Goes to the blog and let say he want to write something. In order to right something a pop up appear so he can log though Facebook using his credentials What we do ? We still his username and password … So what’s is the conclusion ? ------ Don’t download our app ;D

9 Use case Diagram

10

11 Solutions The Good news is that: o 49 of 51 vulnerabilities can be patched just by using one of two proposed safety rules (Content Security Policies). o Peer feedback on applications (Ratings) o Trust No-one o Read permissions

12 Conclusion Google Chrome browser that the third-party code extensions cannot be 100% trusted every extension requests for permissions that are irrelevant to the purpose of the application. Humans are not perfect – checking code is not an easy task Suggestion : Google need better graphical interface which instructs end users that high level security risk permissions

13 Reference Felt, Adrienne, Kate Greenwood, and David Wagner. "The Effectiveness of Application Permissions." USENIX Association. 2. (2011): n. page. Web. 28 Feb. 2012. <http://static.usenix.org/event/webapps11/tech/ final_files/webapps11_proceedings.pdf 25% of tested extensions of Google Chrome admit stealing data, http://letsbytecode.com/security/25-of-tested-extensions-of-google-chrome-admit- stealing-data/, October 2011 Chrome OS Hacked via Scratchpad, http://www.thechromesource.com/chrome-os-hacked-via- scratchpad/ Chrome OS has security flaws, claims researcher, by Lance Whitney http://news.cnet.com/8301-1009_3-20075801-83/chrome-os-has-security-flaws-claims-researcher/ Security Expert Raises Questions Regarding Security Issues Regarding Chrome Web Store ARUPCHOU on MAY 29, 2011 http://www.chromeplugins.org/ chrome/security-expert-raises-questionsregarding-security-issues- regarding-chrome-web-store/

Download ppt "Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform."

Similar presentations

Hacking Web Servers April 15, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Hacking Web Servers April 15, 2010 MIS 4600 – MBA © Abdou Illia.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
Chromium OS Chase Rogers. User Interface Unobtrusive Use small amount of screen space Combine apps and web pages into one tab strip Floating Windows Search.

Chromium OS Chase Rogers. User Interface Unobtrusive Use small amount of screen space Combine apps and web pages into one tab strip Floating Windows Search.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Objectives Moodle is an online learning environment where instructors & their students interact. In this workshop you will learn: 1.Configure system requirements.

Objectives Moodle is an online learning environment where instructors & their students interact. In this workshop you will learn: 1.Configure system requirements.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Safer Web Browsing Terry Labach Information Security Services IST.

Safer Web Browsing Terry Labach Information Security Services IST.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google