![]() Interestingly, according to Palant, the reason that Screencastify works with full access to Google Drive (extensions can, in fact, request access only to a directory of their own) is that without full access, an extension can’t display a list of its own files. (In our tests, Screencastify won’t work unless you have a Google account and are logged into it.) Palant quickly found that one of the requests that that these externally_connectable websites could send to your browser was tagged bg:getSignInToken, and making this request returned a Google access token for your Google Drive files. …which, don’t forget, has access to your webcam to provide a popular aspect of its service. Given that the special character * means “match anything here”, the specification above says that any URL on any website under the domain is automatically authorised to interact remotely with your browser, via the Screencastify extension… When Palant first looked, the connection trust list looked like this: This means that you can’t innocently wander onto a website, just to take a look around, only to find that the server you’re visiting is trying to take control of the extension unexpectedly.īut Screencastify provides all sort of additional cloud-based functionality from its own website, so it understandably included itself in the list of externally_connectable sources. Typically, other extensions and apps already installed on your system can do this by default, but for obvious security reasons, external websites can’t. One of the entries in a Chrome manifest is a list called externally_connectable, which states which extensions, apps and websites are allowed to interact with your extension. Palant started by looking at Screencastify’s Chrome manifest file, a JSON data file that comes with every extension to specify important information such as name, version number, security policy, update URL, and permissions needed. ![]() …web-based service risks can come from an implicit delegation of trust to many other vendors or providers who are involved in the service delivery process. Just like source-code supply chain risks, where you install software from A, which is licensed from B, updates from C, pulls in additional modules from D (possibly repeated recursively in many interconnected stages)… Security researcher Wladimir Palant, himself an extension developer, decided to look into Screencastify, given its popularity.Įarlier this week, he published what he found.Īmongst other things, his report is a well-written reminder of just how difficult it can be to work out who’s involved in the web of trust you need to have when you decide to use an app or service from company X. The extension boasts 10,000,000+ users (apparently, there is no higher category, no matter how many users you get to), and invites you, in its own description, to: Screencastify is one example of a browser extension that provides a popular feature that wouldn’t be possible via a website alone, namely capturing some or all of your screen so you can share it with other users. Access hardware such as webcams and microphones.Read and write files on your local hard disk.See and tweak everything you type in or upload before it gets transmitted. ![]() Peek at what is about to be shown in each tab after it’s been decrypted.Web pages aren’t supposed to be able to override any controls imposed by the browser itself, so they can’t alter the address bar to display a bogus servername, or bypass the Are you sure? dialog that verifies you really did want to download that Word document to your hard disk.īrowser extensions, on the other hand, are supposed to be able, well, to extend and alter the behaviour of the browser itself.Īmongst other things, browser extensions can: …they’d basically just be locally-cached web pages.Īn ad-blocker or a password manager that was locked down so it worked on exactly one website wouldn’t be much use a tab manager that could only manage one tab or site at a time wouldn’t be very helpful and so on. That’s because browser extensions aren’t subject to the same strict controls as the content of web pages you download, otherwise they wouldn’t be extensions… We’ve often warned about the risks of browser extensions – not just for Chrome, but for any browser out there.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |