2

What kind of common security practices do software developers apply when allowing extensions or plugins to be added to their software, like e.g. Firefox, Photoshop and GIMP do? It can be either on Windows or Linux or Mac.

Example of scenarios:

  1. What prevents the plugin from installing additional malicious code in the system that will allow it to do everything it wants (backdoors etc.)?
  2. What prevents the plugin from spying on the user while it's being used?

Obviously anyone can create a malicious plugin and no one will suspect. I wonder why it never happened to Firefox (as far as we know).

Anders
mnoq

4 Answers

1

If you want to allow plugins, the only realistic methods to keep the parent application secure are:

  • Review the code

    Only permitting submissions that can be reviewed and putting in place sufficient resources to actually do the reviews. The reviews can be automated or manual, a mix of both is undoubtedly best.

    Review-only submissions also require some kind of official marketplace for plugins and you should also have the ability for end users to review and feedback publicly.

  • Apply a restrictive security model

    You could ensure that plugins can only take certain, relatively safe, actions. For example, you could prevent them from contacting URLs outside of your own to stop them from "phoning home" and leaking data.

    You could extend that further to allow less safe actions but only after a manual code review.

Doing both together is the best approach.

These are fairly common processes but obviously take time which equals cost. The second option is the cheapest but can also be the hardest to implement securely.

There are many examples of where this kind of thing fails badly, the most obvious being the Android app store where malicious apps are regularly discovered though all too often, only after years of being in the store. The Windows app store also suffered from this in its early days. As far as I can remember, each of the 3 main browsers has also had malicious extensions at some point.


To help protect yourself, you should only choose well used extensions that have consistent and large numbers of positive reviews. Preferably ones with well-funded support. Obviously you should keep the extension use to a minimum and something like Extensity for Chrome is good as it allows you to easily and quickly turn extensions on and off at will. Try not to use newly submitted extensions until you can see that they have been tried and trusted by others.

If you can, keep an eye on the news so that you may spot when an extension is highlighted either for having been independently security reviewed or when it has failed. And also watch out for extensions changing ownership as the new owners might not be quite so honest.

Realistically, most people are not going to be able to do those last recommendations though.

Julian Knight
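To make the "restrictive security model" in the answer above concrete, here is an added example in Go. It is not code from the original page or from any of the products the question names; the permission vocabulary, the plugin IDs and the vendor host api.example.com are assumptions. The host hands the plugin a single capabilities object, grants only the permissions the policy allows (the review-only ones just to plugins on the reviewed list, matching the answer's "only after a manual code review"), and routes all network access through an https-only, allow-listed Fetch so the plugin cannot phone home. It also covers a case the answer does not spell out: the check uses the parsed hostname, so a URL with a userinfo part such as https://api.example.com@evil.example/ is refused rather than matched by prefix.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Permission is a capability a plugin may request in its manifest.
// The vocabulary below is hypothetical, not any real product's.
type Permission string

const (
	PermReadDocument Permission = "read-document"
	PermNetwork      Permission = "network"
	PermFilesystem   Permission = "filesystem"
)

// Manifest is what a plugin declares up front; it gets nothing it did not ask for.
type Manifest struct {
	ID          string
	Permissions []Permission
}

// Policy is the vendor's standing decision about what plugins may be granted.
type Policy struct {
	SelfService  map[Permission]bool // grantable to any plugin on install
	ReviewedOnly map[Permission]bool // grantable only after a manual code review
	Reviewed     map[string]bool     // plugin IDs that passed that review
	AllowedHosts map[string]bool     // the vendor's own hosts, lower-case
}

// DefaultPolicy is a sample policy; api.example.com is a hypothetical vendor host.
func DefaultPolicy() Policy {
	return Policy{
		SelfService:  map[Permission]bool{PermReadDocument: true, PermNetwork: true},
		ReviewedOnly: map[Permission]bool{PermFilesystem: true},
		Reviewed:     map[string]bool{"com.example.reviewed-exporter": true},
		AllowedHosts: map[string]bool{"api.example.com": true},
	}
}

var ErrDenied = errors.New("permission denied")

// Capabilities is the only object the plugin is handed; every method checks
// its grant, and there is no method at all for cookies, files or raw sockets.
type Capabilities struct {
	granted map[Permission]bool
	hosts   map[string]bool
	Audit   []string // what the plugin actually did, for reviewers
}

// Install evaluates the manifest against the policy and fails closed: an
// unknown permission, or a review-only one for an unreviewed plugin, aborts
// the install instead of being silently dropped.
func Install(p Policy, m Manifest) (*Capabilities, error) {
	granted := make(map[Permission]bool)
	for _, perm := range m.Permissions {
		if !p.SelfService[perm] && !(p.ReviewedOnly[perm] && p.Reviewed[m.ID]) {
			return nil, fmt.Errorf("install %s: %w: %s", m.ID, ErrDenied, perm)
		}
		granted[perm] = true
	}
	return &Capabilities{granted: granted, hosts: p.AllowedHosts}, nil
}

// ReadDocument is a typical "relatively safe" action, still gated per call.
func (c *Capabilities) ReadDocument(doc string) (string, error) {
	if !c.granted[PermReadDocument] {
		return "", ErrDenied
	}
	return doc, nil
}

// Fetch is the plugin's only route to the network: https only, and only to the
// vendor's allow-listed hosts, so it cannot phone home. The check uses the
// parsed hostname, so "https://api.example.com@evil.example/" is refused.
func (c *Capabilities) Fetch(raw string) error {
	if !c.granted[PermNetwork] {
		return ErrDenied
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrDenied, u.Scheme)
	}
	if host := strings.ToLower(u.Hostname()); !c.hosts[host] {
		return fmt.Errorf("%w: host %q", ErrDenied, host)
	}
	c.Audit = append(c.Audit, "fetch "+raw)
	return nil // a real host would perform the request here
}

func main() {
	caps, err := Install(DefaultPolicy(), Manifest{
		ID: "com.example.spellcheck", Permissions: []Permission{PermReadDocument, PermNetwork},
	})
	if err != nil {
		panic(err)
	}
	for _, u := range []string{
		"https://api.example.com/check",
		"https://evil.example/exfil",
		"https://api.example.com@evil.example/",
		"http://api.example.com/check",
	} {
		fmt.Printf("%-40s -> %v\n", u, caps.Fetch(u))
	}
	_, err = Install(DefaultPolicy(), Manifest{ID: "com.example.new", Permissions: []Permission{PermFilesystem}})
	fmt.Println("unreviewed plugin asking for filesystem ->", err)
}
```

This is only the API-restriction layer. Whether the plugin can reach around the Capabilities object depends on how it is executed: native code loaded into the host process is not confined by any of this, which is the sense in which the answer calls this option the hardest to implement securely. The narrow API has to sit on top of something (a restricted scripting language, a separate sandboxed process) that actually stops the plugin from making its own system calls.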
1

This is a question of trust, and I would argue that this is more of a social than a technological problem. Sure, there are technical solutions (like only giving access to a limited scripting language, trying to sandbox the plugin, etc) but these can often be broken or abused.

Taking a look at how an operating system deals with programs might be helpful here, because in a sense a program is a plugin to the operating system.

The traditional desktop OS lets the user decide what programs to trust and run them at their own risk. The user has to make up her own mind if she trusts the publisher of a specific program.

This has worked OK for the experienced user, but if you take a look at the number of browser toolbars on your parents' computer I am sure you will agree it has been far from perfect. The internet is littered with trojans that make easy targets out of inexperienced users (and sometimes the experienced as well).

The rise of smartphones and tablets gave developers a clean slate to work on, and they opted for a new system. Instead of letting users decide what publisher they trust, the OS vendors run official stores that all apps must be downloaded from. To be available there an app must pass security review, and the vendors can punish publishers who try to spread malware by removing their products.

In this scenario users do not need to trust individual publishers. They only need to trust that the vendors do a good job in their reviews. Unfortunately, this system has proven to be less than water tight as well, since software in the grey zone as well as outright malware still manages to sneak past review.

So I think these are the two main options:

  • Let users decide what plugins they trust, and suffer the consequences if they misplace their trust.
  • Have an official store where all plugins must pass review, and let users trust that process. If that trust is misplaced, both you and they will suffer the consequences.
Anders
0

This totally depends on the development team of that product.

Usually,

  • Restriction of plugins (access to cookies, browser history, sqlite databases). This actually depends on how much you want to make your product flexible.
  • Code review/audit: reviewing code of plugins automatically and also manually before pushing the plugin to the market where people can download them.
  • Block / partially allow plugins downloaded from sources other than the official market.
Atul Sharma
0

One further option to the ones already mentioned is to only load plugins signed with a specific certificate, which trusted developers / companies have to acquire from you. Of course, certificates can also be stolen and misused to create plugins that seem to be legit, but it would offer quite a big hurdle for malicious programmers.

knipp
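The certificate scheme in this answer, carried through as an added example in Go. It is not code from the page or from any real plugin system; the toy certificate format, the developer name acme-plugins and the sample plugin bytes are constructed here, and real products would use X.509 chains rather than this hand-rolled structure. The vendor signs each enrolled developer's public key, the developer signs the plugin, and the host, which has only the vendor's public key built in, verifies the chain before loading anything. It also shows the answer's caveat: a stolen developer key verifies fine until the vendor puts it on a revocation list, so the host has to consult one. Everything in the plugin package is treated as untrusted input, which is why the key length is checked before ed25519.Verify (it panics on a wrong-sized public key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DevCert stands in for the certificate a developer acquires from the vendor:
// the developer's public key plus the vendor's signature over it. It is a
// toy format; the real-world equivalent is an X.509 certificate chain.
type DevCert struct {
	Developer string
	PubKey    ed25519.PublicKey
	VendorSig []byte
}

// certPayload fixes exactly what the vendor signs. Binding the developer name
// into it means a certificate cannot be re-labelled for another developer.
func certPayload(dev string, pub ed25519.PublicKey) []byte {
	return append([]byte("plugin-dev-cert\x00"+dev+"\x00"), pub...)
}

// IssueCert is the vendor's enrolment step, run once per trusted developer.
func IssueCert(vendorPriv ed25519.PrivateKey, dev string, pub ed25519.PublicKey) DevCert {
	return DevCert{Developer: dev, PubKey: pub, VendorSig: ed25519.Sign(vendorPriv, certPayload(dev, pub))}
}

// SignedPlugin is what ships: the code, the developer's cert, the developer's signature.
type SignedPlugin struct {
	Code []byte
	Cert DevCert
	Sig  []byte
}

// SignPlugin is the developer's release step.
func SignPlugin(devPriv ed25519.PrivateKey, cert DevCert, code []byte) SignedPlugin {
	return SignedPlugin{Code: code, Cert: cert, Sig: ed25519.Sign(devPriv, code)}
}

var (
	ErrBadCert = errors.New("developer certificate was not issued by the vendor")
	ErrRevoked = errors.New("developer certificate has been revoked")
	ErrBadSig  = errors.New("plugin signature does not match its code")
)

// Fingerprint identifies a developer key in the vendor's revocation list.
func Fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// Verify is the host's load-time check. Only vendorPub is trusted; everything
// in p came from the downloaded package. revoked is the vendor's list of
// withdrawn (for example stolen) developer keys.
func Verify(vendorPub ed25519.PublicKey, revoked map[string]bool, p SignedPlugin) error {
	if len(p.Cert.PubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(vendorPub, certPayload(p.Cert.Developer, p.Cert.PubKey), p.Cert.VendorSig) {
		return ErrBadCert
	}
	if revoked[Fingerprint(p.Cert.PubKey)] {
		return ErrRevoked
	}
	if !ed25519.Verify(p.Cert.PubKey, p.Code, p.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(vendorPriv, "acme-plugins", devPub)
	plugin := SignPlugin(devPriv, cert, []byte("plugin v1 (constructed sample code)"))
	fmt.Println("genuine:    ", Verify(vendorPub, nil, plugin))

	// Code modified after signing: the developer's signature no longer matches.
	tampered := plugin
	tampered.Code = []byte("plugin v1 (constructed sample code) + backdoor")
	fmt.Println("tampered:   ", Verify(vendorPub, nil, tampered))

	// An attacker who never enrolled can only self-issue a certificate.
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignPlugin(atkPriv, IssueCert(atkPriv, "acme-plugins", atkPub), []byte("evil"))
	fmt.Println("self-issued:", Verify(vendorPub, nil, forged))

	// The answer's caveat: a stolen developer key passes until the vendor revokes it.
	revoked := map[string]bool{Fingerprint(devPub): true}
	fmt.Println("revoked:    ", Verify(vendorPub, revoked, plugin))
}
```

The order of the checks matters: the certificate is validated before the developer key is used for anything, so an attacker cannot make the host verify against a key the vendor never vouched for, and revocation is consulted before the code signature so a withdrawn key is refused even for plugins it signed legitimately in the past.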