Security - Google Chrome Background Pages

UPDATE: Chrome extensions actually do ask you for permission at install time to get privileged access to certain domains, which they otherwise could not access because of the same-origin policy. However, this only means that they cannot, for example, do a POST to yourbank.com unless you have allowed it. Nothing hinders them from spying on your passwords, etc.

This is a quick writeup of what came to my mind today. As the browser is more and more becoming a platform for “applications” (extensions) to run on, I started thinking about some security implications today.

I have lately been using the Google Chrome Extension API to develop a Google Chrome extension.

I quickly realized that many, many extensions can load JavaScript (so-called content scripts) on every page, doing all kinds of weird stuff.

This is nothing new, because everyone knows that JavaScript is not safe, right? Well, no!

JavaScript is as safe as any other language. The point is that the architecture of today's web browsers allows extensions to run scripts and potentially spy on your web browsing, banking activities and so on.

Background pages and content scripts are actually a big security flaw. Just imagine only some of the things they can do:

  • open and close tabs in the background
  • click OK for you somewhere in a page (e.g. while you are authorizing someone via OAuth)
  • listen to keystrokes
  • make cross-domain XMLHttpRequests in the background, using or transmitting your session secret and/or your bank's mobile TAN.

The only “normative” force is that extensions are actually delivered in JavaScript and can therefore be inspected by developers. So normally they won’t do weird stuff. But anyway, who knows?
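One place such an inspection can start is the extension's manifest.json, which declares the content scripts, host permissions and background page discussed above. The following Node.js script is an added example, not part of the original post: `auditManifest` and the two sample manifests are constructed for illustration, while the manifest keys it reads are Chrome's own.

```javascript
// Added example: audit a Chrome extension manifest for broad access.
// auditManifest and both sample manifests are constructed for illustration.

// Match patterns covering every site: <all_urls>, *://*/*, http://*/*, https://*/*
const BROAD = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;

function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // host list in Manifest V3
  ];

  // Host permissions: origins the extension may send cross-origin requests to.
  for (const p of perms) {
    if (BROAD.test(p)) findings.push(`host access to all sites: ${p}`);
  }
  if (perms.includes("tabs")) findings.push('"tabs" permission requested');

  // Content scripts: pages that get the extension's JavaScript injected.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD.test(m));
    if (broad.length) {
      findings.push(`content script [${(cs.js || []).join(", ")}] runs on all sites: ${broad.join(" ")}`);
    }
  }

  // Background page (older manifests) or background scripts/service worker.
  if (manifest.background_page || manifest.background) {
    findings.push("declares a background page or script");
  }
  return findings;
}

const broadManifest = {
  name: "sample-broad",
  permissions: ["tabs", "http://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  background_page: "background.html",
};
const narrowManifest = {
  name: "sample-narrow",
  permissions: ["https://api.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["site.js"] }],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(narrowManifest));
```

An empty result only means the declared scope is narrow; it says nothing about what the scripts do on the sites they are allowed on.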

I think Google should start allowing only signed extensions that they have reviewed to not do any harmful stuff, similar to how Apple reviews their apps, and let only signed extensions run on the Google Chrome platform. By the way, the same is true of other web browsers like Firefox and IE9 too.

I think Safari is the only browser allowing only signed extensions, which is a big plus.

Comments are appreciated!

How to manually set a breakpoint in Chrome / Firebug / Firefox

I just found a feature of Chrome's debugger today that I had been searching for for a while but had never found:

How to set breakpoints in code, so that when execution runs through a function the debugger automatically stops at that line of code.

Whenever you use the special keyword debugger in your script, Firebug / Chrome will treat that line as if it were a breakpoint and stop your script right there.

This is so handy! Of course you can still set breakpoints by clicking on the line number in the debugger.

So have fun debugging your code!

Inspecting cookies using Web Inspector’s / Firebug’s console

Ever wanted to know which cookies are set for your domain?

Modern browsers often let you see the cookies saved on your system.

Google Chrome even has a very detailed list under “Preferences / Show Cookies and other data for websites”, which also gives you the possibility to see if a site uses HTML5 LocalStorage.

However, there is a simpler trick: just open up Web Inspector in Google Chrome / Safari or Firebug in Firefox and type “document.cookie” in the console window.
This will show you all cookies for the current website that are readable from JavaScript; cookies marked HttpOnly are not included.

Cool isn’t it?