topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday March 19, 2024, 2:25 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Pop Up Chrome Extensions: A Potential Security Concern?  (Read 3793 times)

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,746
    • View Profile
    • Read more about this member.
    • Donate to Member
So I just clicked a link to view an article and when I loaded the webpage, Chrome popped up a little window asking me if I wanted to install that site's extension.

Chrome Extension Ads.pngPop Up Chrome Extensions: A Potential Security Concern?

I'm no security expert and I don't claim to know the inner workings of how this happens, but it seems to me it that it's not a stretch to imagine injecting this "advertisement" for an extension on any website and when the user installs it, it's actually some sort of malware.

For example: Is it possible for hackers to inject this code into (or make a fake extension for) PayPal.com and then when people visit the site they'll be invited to "install the new PayPal extension!" but it's really just some malware that steals their login details or something similar?

Am I the only one bothered by this?

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Pop Up Chrome Extensions: A Potential Security Concern?
« Reply #1 on: June 08, 2010, 08:21 PM »
I suppose the key here is in someone installing a PayPal extension that's not legit, seems to me that's user error rather than a security exploit.

Besides if hackers can compromise otherwise legit sites then your details are well and truly up for stealing as is, extension or no.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,746
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Pop Up Chrome Extensions: A Potential Security Concern?
« Reply #2 on: June 08, 2010, 09:51 PM »
I suppose the key here is in someone installing a PayPal extension that's not legit, seems to me that's user error rather than a security exploit.

A key difference, I think is that the user would easily mistake the malware as the official extension offered from that site.

Besides if hackers can compromise otherwise legit sites then your details are well and truly up for stealing as is, extension or no.

As I said, I don't know the details, but in my opinion it would be easier to inject some code into index.html that makes Chrome pop up an invitation to install an extension than to crack an encrypted database with account information.

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Pop Up Chrome Extensions: A Potential Security Concern?
« Reply #3 on: June 09, 2010, 07:40 AM »
But if you can inject code into the webpages then you can reroute login details to another destination, so the extension isn't necessary.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Pop Up Chrome Extensions: A Potential Security Concern?
« Reply #4 on: June 09, 2010, 08:07 AM »
But if you can inject code into the webpages then you can reroute login details to another destination, so the extension isn't necessary.

True, but the injecting the extension code would be easier to automate. That and it affords the option of (getting a 2fer) tossing the client into a botnet somewhere.