Chrome became my Web browser of choice, after learning contestants at this year’s Pwn2Own felt it was too difficult to exploit. Yet, bad guys don’t have to abide by the same rules.


Chrome is one of the most secure Web browsers right “out of the box” due to sandboxing. Understanding that, cybercriminals are turning to a different attack vector, aftermarket extensions.

The dilemma

Chrome is relatively new, but its list of available extensions is growing rapidly. That’s good, yet creates a problem. How do you vet each extension, making sure it meets the development team’s requirements? This gives the bad guys a possible in. They can exploit buggy extensions or create malicious extensions.

Vulnerable extensions

Let’s see what Google does to protect users from being exploited through buggy extensions. Google based their extension system on the methodology proposed by the EECS Department at the University of California, Berkeley, in the paper Protecting Browsers from Extension Vulnerabilities. The abstract of the paper sheds light on the problem:

“Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web-site operators.

We propose a new browser-extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability.”

  • Least privilege: Google achieves this by requiring every extension to have a manifest that declares which privileges it requires, and those are all the extension gets.
  • Privilege separation: Google divides privileges between what they call background pages and content scripts. Like it sounds, background pages have no contact with Web pages, so they can hold the most privileges. Content scripts, on the other hand, deal directly with Web pages and have limited privileges. This creates a condition where an attacker who gets at a content script through a Web page cannot obtain the background page’s privileges or escalate the limited ones the content script has.
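Both points above in working form, as an added example that is not code from the article or from Google: a constructed manifest that asks for a single host, and a background-page message handler that treats everything a content script sends as untrusted, accepting only actions it knows and only from pages covered by the manifest’s permissions. The extension name, the host `mail.example.com`, the `fetchUnread` action and the match-pattern matcher are all assumptions made for this example; the matcher is a simplified reimplementation of Chrome’s pattern rules, and the file runs under Node, with the `chrome.*` calls mentioned only in comments.

```javascript
// Added example, not the article's or Google's code: a least-privilege manifest
// and a background-page handler that enforces it. Runs under Node.

// Constructed manifest: one host permission, no "<all_urls>", no "tabs".
const MANIFEST = {
  name: "Mail reader (hypothetical)",
  permissions: ["https://mail.example.com/*"],
  content_scripts: [{ matches: ["https://mail.example.com/*"], js: ["content.js"] }],
  background: { page: "background.html" },
};

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a Chrome-style match pattern ("<all_urls>", "*://*.example.com/*",
// "https://mail.example.com/*") into a RegExp. Simplified reimplementation
// written for this example: "*" scheme means http or https, a "*." host
// prefix covers the domain and its subdomains, "*" in the path is a glob.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(https?|ftp|file):\/\/.*$/;
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const [, scheme, host = "", path] = m;
  const schemeRe = scheme === "*" ? "https?" : scheme;
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "([^/]+\\.)?" + escapeRe(host.slice(2));
  else hostRe = escapeRe(host);
  const pathRe = path.split("*").map(escapeRe).join(".*");
  return new RegExp("^" + schemeRe + "://" + hostRe + pathRe + "$");
}

// True when at least one declared host permission covers the URL.
function urlAllowed(manifest, url) {
  return manifest.permissions.some((p) => matchPatternToRegExp(p).test(url));
}

// Privileged work lives only in the background page. This table doubles as
// the allow-list of actions a content script may request.
const ACTIONS = {
  fetchUnread: (pageUrl) => ({ fetched: pageUrl }), // stand-in for a privileged API call (assumed)
};

// Background-page side. `sender` is filled in by the browser, not by the
// content script, so sender.url is the one trustworthy fact about where the
// request came from; everything inside `msg` is treated as attacker-controlled.
function backgroundHandler(msg, sender) {
  if (!msg || typeof msg !== "object" || typeof msg.action !== "string") {
    return { error: "malformed message" };
  }
  // hasOwnProperty, not a plain lookup: "constructor" or "__proto__" would
  // otherwise resolve to functions inherited from Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, msg.action)) {
    return { error: "unknown action: " + msg.action };
  }
  if (!sender || typeof sender.url !== "string" || !urlAllowed(MANIFEST, sender.url)) {
    return { error: "sender outside declared permissions" };
  }
  return ACTIONS[msg.action](sender.url);
}
// In a real extension this is wired up with
// chrome.runtime.onMessage.addListener((msg, sender, reply) => reply(backgroundHandler(msg, sender)));

// Content-script side: it has no privileged APIs of its own, so the most a
// page that subverts it can do is send messages the handler above will vet.
function contentScriptRequest(sendMessage) {
  return sendMessage({ action: "fetchUnread" });
}

module.exports = { MANIFEST, matchPatternToRegExp, urlAllowed, backgroundHandler, contentScriptRequest };
```

The point to notice is which side does the checking: the content script never decides whether it is allowed to do something, it only asks, and the background page answers by consulting the manifest and its own allow-list rather than anything in the message.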

Malicious extensions

Malicious extensions are harder to defend against, because they are intentional attacks. Google would prefer that users only install extensions that are found in their gallery. Google checks the extensions and rates them. Their logic is that malicious extensions should have a low reputation. Once Google notices that, the extension is removed.

Obviously, Google would rather not have extensions from other sources installed in Chrome. If they are, Google advises using the same precaution as when installing any executable code.


Earlier, I mentioned that the Chrome Web browser uses sandboxing. That alone makes Chrome formidable. In an interview after last year’s Pwn2Own competition, well-known security researcher Charlie Miller had this to say about Chrome:

“There are bugs in Chrome but they’re very hard to exploit. I have a Chrome vulnerability right now but I don’t know how to exploit it. It’s really hard. They’ve got that sandbox model that’s hard to get out of. With Chrome, it’s a combination of things, you can’t execute on the heap, the OS protections in Windows and the Sandbox.”

Needless to say, Chrome was not exploited at this year’s Pwn2Own contest.

Lots of processes

One thing I immediately noticed about Chrome is that it opens all sorts of processes.

After the shock, I found out it’s by design. Google uses a multi-process architecture. That means extensions, the browser kernel, and Web content all run in separate sandboxed processes. Google has its own task manager, allowing you to easily understand what resources are being used by what process.

Having each process in its own sandbox creates a condition where a malicious Web site cannot compromise a vulnerable extension, and a malicious extension cannot subvert the browser kernel.

So what’s left?

It appears that Google is doing all they can to create secure conditions for Web browsing. Sadly, when that happens, the bad guys usually revert to social engineering, and that is the case with Chrome extensions. There are several posts online referring to a circulating email that offers recipients a cool extension for opening email.

Sure, it’s a con; the “extension” installs a trojan instead. So, we still need to be careful out there.