Chrome Extensions Vulnerabilities


Introduction

• Google Chrome Browser
• Chrome OS Platform
• Chrome Web Store
• Applications
• Open Source Platform

Vulnerabilities

• Statistics

• 27 out of 100 tested Chrome browser extensions were vulnerable to attacks that extract data (passwords, history, etc.)

• Malicious applications

• Gain control over your Google account (Gmail, Calendar, etc.)

• JavaScript injection vulnerabilities

• More than 25% of the extensions tested by the researchers were considered vulnerable to this attack, and 7 of those were used by more than 300,000 users!

• Security flaws in Chrome OS

• Hackers can access your data in the cloud without even having access to the user's PC.

• Design flaws exist that give extensions sweeping rights to access data in the cloud.

Research

3 types of extensions:

• Core extensions - the main portion of an extension

• Content scripts - JavaScript that is injected into web sites

• Plugins - native executables

Each app or extension asks for permissions before install - but who reads them?

2 types of permissions:

• Time-of-use systems - prompt the user to approve the needed permissions at the runtime of the application.

• Install-time systems - ask for permissions at the time the extension is installed.

Risk Management

• Permissions required by extensions

• Plugins - are granted full permissions to everything on the user's machine (because they are local executables)

• Extensions with plugins are reviewed

• Core extensions - come with the extension API, which is a browser manager that allows access to bookmarks, history and geo-location.

Findings

• Of the 500 most popular extensions, 91.4% ask for at least one security-relevant permission. This means that almost every extension installation generates at least one security warning.

• 10% of applications request unneeded permissions.

• No platform with install-time permissions provides developer tools to detect unnecessary permissions.

Scratchpad App example

• Scratchpad extension for Google Docs

• Installed by default on Chrome notebook

• The permissions allow it to auto-sync with the user's Google Docs account!

• The catch - Google Docs lets users share documents with others without first asking the receiving user if they want to receive the document or not.

The result of the researchers hacking this app:

Johansen was able to share a malicious note through Scratchpad which, when opened, stole all of the user's Gmail contacts.

Our experiment

• User downloads our app

• Goes to the blog and, let's say, he wants to write something. In order to write something, a pop-up appears so he can log in through Facebook using his credentials

• What do we do? We steal his username and password …

• So what is the conclusion? ------ Don't download our app ;D

Use case Diagram

Solutions

The good news is that:

o 49 of 51 vulnerabilities can be patched just by using one of two proposed safety rules (Content Security Policies).
o Peer feedback on applications (Ratings)
o Trust no one
o Read permissions
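An added example (not from the original slides or the cited research): a small heuristic check in JavaScript of the points raised under Findings and Solutions, namely plugins, declared permissions the code never uses, site-wide host access, and a missing Content Security Policy. The permission list, the string-matching heuristic, and the sample manifest and source are assumptions made for illustration.

```javascript
// Added example: heuristic audit of a Chrome extension manifest (manifest v2 era keys).
// The sample manifest and source at the bottom are constructed for illustration.

// Permissions that map to an API namespace and expose user data (assumed short list).
const API_PERMISSIONS = ["bookmarks", "history", "geolocation", "tabs", "cookies"];

// Host patterns that grant access to every site.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function auditManifest(manifest, sourceText) {
  const perms = manifest.permissions || [];
  const findings = {
    // Plugins are native code with full access to the user's machine.
    hasPlugins: Array.isArray(manifest.plugins) && manifest.plugins.length > 0,
    // No explicit Content Security Policy declared for the core extension.
    missingCsp: typeof manifest.content_security_policy !== "string",
    broadHosts: perms.filter((p) => BROAD_HOSTS.includes(p)),
    unusedApiPermissions: [],
  };
  for (const p of perms) {
    if (!API_PERMISSIONS.includes(p)) continue;
    // geolocation is reached via navigator.geolocation, the rest via chrome.<name>.
    const marker = p === "geolocation" ? "navigator.geolocation" : "chrome." + p + ".";
    // Heuristic: a declared permission never referenced in the code is likely unneeded.
    if (!sourceText.includes(marker)) findings.unusedApiPermissions.push(p);
  }
  return findings;
}

// Constructed sample input: over-privileged manifest plus the extension's source text.
const sampleManifest = {
  name: "Constructed sample",
  version: "1.0",
  permissions: ["history", "bookmarks", "tabs", "http://*/*"],
  plugins: [{ path: "native.dll" }],
};
const sampleSource = `
  chrome.tabs.query({ active: true }, function (tabs) {});
  chrome.bookmarks.getTree(function (tree) {});
`;

const report = auditManifest(sampleManifest, sampleSource);
console.log(JSON.stringify(report, null, 2));
```

The string match is only a first pass: code that reaches an API indirectly will be reported as unused, so each flagged permission still needs a manual look before it is removed.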

Conclusion

• In the Google Chrome browser, third-party extension code cannot be 100% trusted

• Every extension requests permissions that are irrelevant to the purpose of the application.

• Humans are not perfect - checking code is not an easy task

Suggestion:

• Google needs a better graphical interface which instructs end users that high level security risk permissions

Reference

• Felt, Adrienne, Kate Greenwood, and David Wagner. "The Effectiveness of Application Permissions." USENIX Association. 2. (2011): n. page. Web. 28 Feb. 2012. <http://static.usenix.org/event/webapps11/tech/final_files/webapps11_proceedings.pdf>

• 25% of tested extensions of Google Chrome admit stealing data, http://letsbytecode.com/security/25-of-tested-extensions-of-google-chrome-admit-stealing-data/, October 2011

• Chrome OS Hacked via Scratchpad, http://www.thechromesource.com/chrome-os-hacked-via-scratchpad/

• Chrome OS has security flaws, claims researcher, by Lance Whitney, http://news.cnet.com/8301-1009_3-20075801-83/chrome-os-has-security-flaws-claims-researcher/

• Security Expert Raises Questions Regarding Security Issues Regarding Chrome Web Store, ARUPCHOU, May 29, 2011, http://www.chromeplugins.org/ chrome/security-expert-raises-questions regarding-security-issues-regarding-chrome-web-store/