Top Google Chrome Extensions Leak Data

Study of 100 extensions found that 27% leave users vulnerable to Web or Wi-Fi attack.

(click image for larger view)
Slideshow: 10 Massive Security Breaches
A review of 100 Google Chrome extensions, including the 50 most popular selections, found that 27% of them contain one or more vulnerabilities that could be exploited by attackers either via the Web or unsecured Wi-Fi hotspots.
Those
findings
come from a study being conducted by security researchers Adrienne Porter Felt, Nicholas Carlini, and Prateek Saxena at University of California, Berkeley. In particular, they analyzed the 50 most popular Chrome extensions, as well as 50 others selected at random, for JavaScript injection vulnerabilities, since such bugs can enable an attacker to take complete control of an extension.
The researchers found that 27 of the 100 extensions studied contained one or more injection vulnerabilities, for a total of 51 vulnerabilities across all of the extensions. The researchers also said that seven of the vulnerable extensions were used by 300,000 people or more.
Bugs in extensions put users at risk by leaking private information (like passwords and history) to Web and Wi-Fi attackers, they said. Websites may be evil or contain malicious content from users or advertisers. Attackers on public Wi-Fi networks (like in coffee shops and airports) can change all HTTP content.
[ Threats can come from many different routes. Learn how
Social Engineering Attacks Pose As Corporate Copiers
]
The researchers sent vulnerability warnings to all relevant developers, and so far two related patches have been released. One involved Twitters Silver Bird extension (version 1.9.7.9), which had a vulnerability that an attacker could use to hide scripts in the data feed sent to Twitter, although the micro-blogging service appears to
sanitize
all incoming data against attack. Regardless, the vulnerability was fixed with the release of version 1.9.8.4 of Silver Bird.
Another vulnerability was resolved by Google updating OpenAttribute--used to help people read websites Creative Commons (CC) licenses--from version 0.6 to 0.7, with the new version locking down the extensions security. According to the Berkeley teams
OpenAttribute extension vulnerability disclosure
to Google in July, a successful exploit of the vulnerability could allow an attacker to spoof a users identity when making HTTP requests. In addition, they said, a malicious website could serve a fake CC license that includes inline scripts, or a Wi-Fi attacker could insert inline scripts into a license provided by a legitimate website like Wikipedia. The inserted code then runs in the extensions popup window with the extensions privileges.
The extension vulnerabilities detailed to date are part of a larger study into Google Chrome security. The full study, to be released in two months, will name and include full details about all of the vulnerable extensions discovered. We havent released all of the vulnerable extension names because some of the very popular ones are still unpatched, and were giving them some time to get fixed, according to a blog post from security researcher Adrienne Porter Felt at Berkeley.
The interest in browser extension security reflects the fact that as browser makers--including Microsoft--have become more adept at securing their code (to say nothing of Microsoft also improving Windows security), attackers have turned their attention to exploiting vulnerabilities in the
third-party code
--including add-ons and extensions--used by browsers.
Security professionals often view compliance as a burden, but it doesnt have to be that way. In this report, we show the security team how to partner with the compliance pros.
Download the report here
. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Top Google Chrome Extensions Leak Data