Google launched the Chrome Web Store this week, much to the delight of Chrome users and Google shareholders alike. Branching off of the success of the Android Market (also owned by Google), the Chrome Web Store allows developers to easily sell Chrome browser extensions. The popularity of OS X “widgets” (and the announced Mac App Store), Windows “gadgets” and, of course, smartphone app stores proves that there is a consistent market for these small, easy-to-use and powerful applications.
One of the oldest (and most frequently voiced) concerns about Chrome among web-savvy users was its long-standing lack of extensions. The Mozilla Firefox Add-ons page has long listed many useful and popular add-ons to the browser, but Chrome only recently added the ability to run extensions. Although Chrome previously had a search page interface for extensions and themes, the Web Store adds the unique element of monetizing browser extensions. Now, users can easily sell their app to a wide (and growing) market share of Chrome users, or they can integrate Google AdSense into their free application to make money from banner ad clicks. This type of marketplace is relatively unexplored, so it will be interesting to see how developers fare in this new frontier.
From a security perspective, browser extensions are an interesting niche. On one hand, they exist on the client side and will not be able to interfere with sensitive server-side data. In this way, the credit card information that you have linked to your Amazon account won’t get stolen if you are infected by (or accidentally download and install) a malicious browser extension. Data on the client side, however, is vulnerable to tampering.
One of the information security engineers here at Redspin wrote an amusing Chrome extension as an office prank: it intercepted images and replaced them with those of David Hasselhoff. Although not a terribly malicious extension, it certainly does underscore the inherent risk of running someone else’s code on your machine.
The open nature of Chrome extensions lends itself to easy source code audits that would prevent this type of attack. One would assume that before adding it to the Web Store, a Google engineer must audit the code to make sure it’s not trying to grab credit card numbers. However, the growing size of the Chrome user base and the ease of extension development do present a juicy target for would-be attackers.
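
A first pass of the kind of source audit described above can start with the extension's `manifest.json`, which declares what the code is allowed to touch. The following is an added example, not code from the original post or from Google's review process; the two manifests, the file names and the rule names are constructed for illustration.

```javascript
// Flag manifest entries that let an extension read or rewrite content on every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["webRequest", "webRequestBlocking", "cookies", "tabs", "history"]);

function auditManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push({ rule: "broad-host-permission", detail: p });
    else if (SENSITIVE_APIS.has(p)) findings.push({ rule: "sensitive-api", detail: p });
  }
  // Content scripts run inside the page, so an all-sites match means all-sites DOM access.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD_HOSTS.has(m));
    if (broad.length > 0) {
      findings.push({
        rule: "content-script-on-all-sites",
        detail: (cs.js || []).join(", ") + " injected on " + broad.join(", "),
      });
    }
  }
  // Intercepting and redirecting requests needs both of these permissions together.
  if (perms.includes("webRequest") && perms.includes("webRequestBlocking")) {
    findings.push({ rule: "can-rewrite-requests", detail: "webRequest + webRequestBlocking" });
  }
  return findings;
}

// Constructed manifest for a hypothetical image-swapping extension like the prank above.
const sampleManifest = {
  name: "Hypothetical Image Swapper",
  version: "1.0",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["swap.js"] }],
};

// Constructed manifest for a hypothetical extension scoped to a single site.
const benignManifest = {
  name: "Hypothetical Single-Site Helper",
  version: "1.0",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.com/*"], js: ["helper.js"] }],
};

function ruleNames(manifest) {
  return auditManifest(manifest).map((f) => f.rule);
}

console.log(auditManifest(sampleManifest));
```

A finding here is a reason to read the listed scripts, not proof of malice: many legitimate extensions request the same broad access.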