In fall 2011, Nicholas Carlini and I reviewed 100 Chrome extensions, including the 50 most popular ones. We found that 40% of the extensions contained some type of vulnerability, and 27% of the extensions contained core extension vulnerabilities (i.e., the most severe class of vulnerability). In an earlier blog post, I wrote about some of the vulnerabilities.
I’m now releasing the full report, which contains our methodology, the full set of findings, and the list of vulnerable extensions. We e-mailed the developers of all of the extensions with contact information, but the following extensions still remain unpatched:
- Google Translate 126.96.36.199, RSS Subscription Extension (by Google) 2.1.3, Awesome Screenshot: Capture & Annotate 3.0.4, Speed Dial 2.1, SocialPlus! 2.5.4, Fast YouTube Search 1.2, SmileyCentral 188.8.131.52, Select To Get Maps 1.1.1, Forecastfox 2.0.10, The Huffington Post 1.0.5, X-notifier 0.8.2, Print Plus 184.108.40.206, 4chan 4chrome 9001.47, ScribeFire 1.7, Blank Canvas Script Handler 0.0.17, Happy Status 1.0.1, me2Mini 0.0.81, Noooo button 1, Nu.nl TV gids 1.1.3, Smart Photo Viewer on Facebook 220.127.116.11, Democracy Now! 1.1
If you use one of these extensions, I recommend contacting the developer and asking him or her to fix the extension. However, there is no need for you to be alarmed: we have no reason to believe that the vulnerabilities are being actively exploited by anyone.