Pop Up Chrome Extensions: A Potential Security Concern?

Deozaan:
So I just clicked a link to view an article and when I loaded the webpage, Chrome popped up a little window asking me if I wanted to install that site's extension.

I'm no security expert and I don't claim to know the inner workings of how this happens, but it seems to me that it's not a stretch to imagine injecting this "advertisement" for an extension on any website and when the user installs it, it's actually some sort of malware.

For example: Is it possible for hackers to inject this code into (or make a fake extension for) PayPal.com and then when people visit the site they'll be invited to "install the new PayPal extension!" but it's really just some malware that steals their login details or something similar?

Am I the only one bothered by this?

Eóin:
I suppose the key here is in someone installing a PayPal extension that's not legit, seems to me that's user error rather than a security exploit.

Besides if hackers can compromise otherwise legit sites then your details are well and truly up for stealing as is, extension or no.

Deozaan:
I suppose the key here is in someone installing a PayPal extension that's not legit, seems to me that's user error rather than a security exploit.
-Eóin (June 08, 2010, 08:21 PM)
--- End quote ---

A key difference, I think, is that the user would easily mistake the malware as the official extension offered from that site.

Besides if hackers can compromise otherwise legit sites then your details are well and truly up for stealing as is, extension or no.
-Eóin (June 08, 2010, 08:21 PM)
--- End quote ---

As I said, I don't know the details, but in my opinion it would be easier to inject some code into index.html that makes Chrome pop up an invitation to install an extension than to crack an encrypted database with account information.

Eóin:
But if you can inject code into the webpages then you can reroute login details to another destination, so the extension isn't necessary.

Stoic Joker:
But if you can inject code into the webpages then you can reroute login details to another destination, so the extension isn't necessary.
-Eóin (June 09, 2010, 07:40 AM)
--- End quote ---

True, but injecting the extension code would be easier to automate. That and it affords the option of (getting a 2fer) tossing the client into a botnet somewhere.
