Showing posts with label google chrome security.

Tuesday, November 15, 2011

ScriptNo, Another NoScript Extension For Chrome

One of the two issues that I identified in yesterday’s review of Opera’s NotScripts extension was that it had not been updated for a long time. An extension by the same name for Google Chrome, NotScript for Chrome, has also not been updated for almost a year. gHacks reader Vineeth just sent me a link to ScriptNo, a NoScript alternative for Chrome users.

The ScriptNo extension adds an icon next to the Chrome address bar. The icon doubles as a notifier that shows the number of scripts blocked on the current page. Its colour indicates the state: red for blocked scripts, blue for temporarily allowed scripts, white for a whitelisted parent page whose scripts are still blocked, and grey if the extension is disabled on that particular page.

A left-click on the icon displays all blocked resources, the domain name and links to options and a quick start guide.


All script elements are blocked by default. Users can then change the preferred action for a particular script or domain:

  • Allow: Whitelists the specific host only, which need not be the root domain, e.g. www.ghacks.net but not de.ghacks.net.
  • Trust: Whitelists the entire domain including all of its subdomains.
  • Distrust: Adds the current domain to the blacklist.
  • Temp: Overrides the default mode for the current session only, i.e. the domain is temporarily allowed if the default mode is set to block.

When you change a script’s state, e.g. from blocked to allowed, the page is reloaded to apply the change. Clicking the icon again then shows the script under Allowed Resources instead of Blocked Resources. A clear button next to each such script undoes the preference change.

The options of the ScriptNo extension offer further customization. Here you can set the default mode of operation (block or allow) and allow or block specific HTML elements. The latter could be interesting for users who always want to see <noscript> contents on a page, or audio and video contents. There is even an option to stop images from being loaded automatically.


The options page lists four additional groups of settings. Privacy Settings cover the following features:

  • Block Unwanted Content: (Default: enabled; remove unwanted content from known ad / malware domains; domains gathered from MVPS HOSTS, hpHOSTS (ad / tracking servers), Peter Lowe’s HOSTS Project, MalwareDomainList.com, and DNS-BH – Malware Domain Blocklist)
  • Unwanted Content Mode: (Default: Relaxed; Relaxed = whitelisted domains will not be blocked; Strict = domains in the unwanted domain list will be blocked even if whitelisted)
  • Antisocial Mode: (Default: disabled; always remove social widgets/buttons, even if whitelisted)
  • Remove Webbugs: (Default: enabled; remove “invisible” third-party elements)
  • Block Click-Through Referrer: (Default: enabled; blocks referrer information when clicking on external links)
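The per-domain actions (Allow, Trust, Distrust, Temp) and the Relaxed/Strict unwanted-content modes described above combine into one decision per script. The following is an added example, not ScriptNo’s own source: a small policy engine that reproduces those semantics as the post describes them. The hostnames, the sample unwanted list, the modelling of Temp as a session-only flip of the default mode, and the precedence order between rules are all assumptions made for the example.

```javascript
// Added example, not ScriptNo's own code. Models the post's per-domain actions:
// Allow = exact host only, Trust = domain plus subdomains, Distrust = blacklist,
// Temp = session-only override of the default mode (assumption: it flips the
// default), plus the Unwanted Content modes: Relaxed = a whitelisted domain is not
// blocked, Strict = the unwanted list wins even over the whitelist.
// Hostnames, the unwanted list and the rule precedence are constructed here.

// Stands in for the HOSTS-derived block lists the extension ships with.
const UNWANTED_DOMAINS = new Set(['ads.example', 'tracker.example']);

function hostOf(url) {
  return new URL(url).hostname; // URL already lowercases the host
}

// True for the domain itself and for any subdomain of it.
function isWithin(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function makePolicy({ defaultMode = 'block', unwantedMode = 'relaxed' } = {}) {
  return {
    defaultMode,          // 'block' or 'allow'
    unwantedMode,         // 'relaxed' or 'strict'
    allow: new Set(),     // exact hosts (www.ghacks.net, not de.ghacks.net)
    trust: new Set(),     // domains including all subdomains
    distrust: new Set(),  // blacklist, domains including subdomains
    temp: new Set(),      // hosts overridden for this session only
  };
}

// Decides whether a script at `url` loads and returns the rule that decided it.
// Precedence (assumed): unwanted list, Distrust, Temp, whitelist, default mode.
function decide(policy, url) {
  const host = hostOf(url);
  const whitelisted =
    policy.allow.has(host) || [...policy.trust].some((d) => isWithin(host, d));
  const unwanted = [...UNWANTED_DOMAINS].some((d) => isWithin(host, d));

  if (unwanted && (policy.unwantedMode === 'strict' || !whitelisted)) {
    return { action: 'block', rule: 'unwanted' };
  }
  if ([...policy.distrust].some((d) => isWithin(host, d))) {
    return { action: 'block', rule: 'distrust' };
  }
  if (policy.temp.has(host)) {
    // Temp flips the default for this session: allow when the default is block,
    // block when the default is allow.
    return { action: policy.defaultMode === 'block' ? 'allow' : 'block', rule: 'temp' };
  }
  if (whitelisted) {
    return { action: 'allow', rule: policy.allow.has(host) ? 'allow' : 'trust' };
  }
  return { action: policy.defaultMode, rule: 'default' };
}

// What the toolbar icon would report for a page: the number of blocked scripts.
function countBlocked(policy, scriptUrls) {
  return scriptUrls.filter((u) => decide(policy, u).action === 'block').length;
}

// Constructed sample page: a whitelisted host, an unlisted sibling subdomain,
// a blacklisted host and an ad server.
const SAMPLE_PAGE_SCRIPTS = [
  'https://www.ghacks.net/site.js',
  'https://de.ghacks.net/site.js',
  'https://evil.example/tracker.js',
  'https://cdn.ads.example/ad.js',
];

function demo() {
  const policy = makePolicy();
  policy.allow.add('www.ghacks.net');
  policy.distrust.add('evil.example');
  return SAMPLE_PAGE_SCRIPTS.map((u) => [u, decide(policy, u)]);
}
```

The point the Allow/Trust distinction makes is visible in `decide`: `www.ghacks.net` in the Allow set says nothing about `de.ghacks.net`, which falls through to the default mode, whereas a Trust entry covers every subdomain. Strict mode is the only way to keep an ad or malware domain blocked once it has been whitelisted.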

Behavior Settings include the following options:

  • Page Link Opening Behaviour: (Default: -Unchanged-; modifies how all links are opened)
  • Respect Same-Domain: (Default: disabled; preserve same-domain elements)
  • Auto-Refresh Page: (Default: enabled; auto-refresh page after list change)
  • Show Rating Button: (Default: enabled; if ticked, adds rating button under domains in tab popup)
  • Classic Options Mode: (Default: disabled; if ticked, closes the options tab every time an option is clicked)
  • Sort by Domain: (Default: enabled; sorts URL lists by domains)

The remaining settings include a whitelist and blacklist where all previously added domains are listed (with options to remove), and import and export settings.

New users should take a look at the quick start guide. The guide needs a bit of revamping, as it uses terms that are no longer found in the extension, but that is not a big issue.

The extension is hosted both on the Chrome Web Store and on Google Code, where the source code can be downloaded and audited. Google Chrome users who want NoScript-like protection for their web browser should definitely take a look at ScriptNo, it is awesome.


© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. | Permalink |



Wednesday, October 12, 2011

27 Out of 100 Chrome Extensions Insecure

Security researchers Nicholas Carlini, Adrienne Porter Felt, and Prateek Saxena reviewed 50 popular and 50 random Chrome extensions from the official Chrome Web Store for security vulnerabilities and discovered that 27 of the 100 extensions “leak all of their privileges to a web or WiFi attacker”. These 27 extensions account for a total of 51 vulnerabilities. Seven of the vulnerable extensions have more than 300,000 users each, according to data provided by the Chrome Web Store.

Bugs or bad programming practices may leak information such as passwords or browsing history to web and Wi-Fi attackers. The researchers give two examples of how extensions can be exploited by attackers. The two extensions named, Open Attribute and Silver Bird, have since been fixed by their developers.

Example 1: Open Attribute
The Open Attribute extension helps users read the Creative Commons (CC) licenses of web sites. In the typical use case, a user clicks on the extension’s browser action to see a web site’s attribution information. Open Attribute embeds the site’s CC license in the extension’s popup window, using innerHTML. A malicious web site could serve a fake CC license that includes inline scripts, or a WiFi attacker could insert inline scripts into a license provided by a legitimate web site like Wikipedia. The inserted code then runs in the extension’s popup window with the extension’s privileges. This bug was fixed in Open Attribute 0.7 by setting a Content Security Policy for the extension.

Example 2: Silver Bird 1.9.7.9
Silver Bird allows users to post and read Twitter messages without navigating to twitter.com, and it currently has over 200,000 users. The extension makes an XHR to Twitter using either HTTP or HTTPS, based on the user’s settings. It displays the retrieved messages in the core extension, using innerHTML in several places. If a user were to specify an HTTP URI, a WiFi attacker could insert inline scripts into the XHR response. Luckily, Twitter prevents its users from launching this attack by sanitizing user messages. This bug was fixed in version 1.9.8.4 by replacing innerHTML with innerText.

The two other extensions named in the article are LastPass and Xmarks, both of which were protected against these kinds of attacks.

Interestingly enough, the vulnerabilities were split roughly evenly between the popular and the random samples, as Adrienne Porter Felt points out.

Probably the most interesting aspect is that the vulnerability count would drop from 51 to 2 (a reduction of 96%) had the extension developers followed Google Chrome’s Content Security Policy (CSP) guidelines for extensions. Implementing those guidelines blocks attempts by an attacker to “take over an extension by injecting malicious JavaScript into the core extension”.
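Both examples above share one root cause, untrusted markup assigned through innerHTML, and the two fixes the post mentions are rendering the data as text (Silver Bird) and a manifest CSP that forbids inline script (Open Attribute). The following is an added example, not code from the paper or from either extension: it contrasts the vulnerable pattern with the text-only fix using a constructed tampered “license”, and audits a manifest’s content_security_policy for the source expressions that would still let injected script run. The payload, the manifests, the helper names and the treatment of a missing policy as unrestricted are assumptions made for the example.

```javascript
// Added example, not code from the paper or from the Open Attribute / Silver Bird
// extensions. Runs under Node without a DOM: the render helpers return the
// markup they would otherwise assign to the popup element.

// Constructed attacker payload, as a WiFi attacker could inject it into a
// plain-HTTP page or XHR response. Inside an extension popup the handler would
// run with the extension's privileges (here it queries browsing history).
const TAMPERED_LICENSE =
  'This work is licensed under CC BY 3.0 ' +
  '<img src="x" onerror="chrome.history.search({text:\'\'}, function (h) { /* exfiltrate h */ })">';

// Vulnerable pattern (Open Attribute before 0.7): the untrusted string becomes
// markup, so any tag or on* handler in it is parsed and executed.
function renderWithInnerHTML(license) {
  return license; // exactly what popup.innerHTML = license would parse
}

// Fix as in Silver Bird 1.9.8.4 (innerText/textContent): the string is data,
// never markup. escapeHtml reproduces the serialisation textContent produces.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderAsText(license) {
  return escapeHtml(license); // equivalent to popup.textContent = license
}

// Detector for script-bearing markup: a <script> tag, an on* attribute inside a
// tag, or a javascript: URL inside a tag. Escaped text contains no '<', so it
// never matches, whereas a bare "onerror=" substring in text is harmless.
function hasInlineScript(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=|<[a-z][^>]*=\s*["']?\s*javascript:/i.test(html);
}

// Fix as in Open Attribute 0.7: a CSP in the manifest. parseCsp splits the policy
// into directives; auditCsp reports whether script-src (falling back to
// default-src) still permits inline script or eval. A missing script restriction
// is reported as permitting both (assumption: "no policy" means unrestricted).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}
function auditCsp(policy) {
  const d = parseCsp(policy || '');
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) return { inline: true, eval: true, restricted: false };
  return {
    inline: scriptSrc.includes("'unsafe-inline'"),
    eval: scriptSrc.includes("'unsafe-eval'"),
    restricted: true,
  };
}

// Constructed manifests: one with no policy key, one with the policy that only
// permits script from the extension package itself.
const MANIFEST_UNPROTECTED = { name: 'Example', version: '0.6' };
const MANIFEST_PROTECTED = {
  name: 'Example',
  version: '0.7',
  content_security_policy: "script-src 'self'; object-src 'self'",
};

// True if injected inline script would still execute under the manifest's CSP.
function manifestPermitsInjectedScript(manifest) {
  return auditCsp(manifest.content_security_policy).inline;
}
```

Note that the two fixes are complementary: escaping stops the popup from ever parsing attacker markup, while the CSP makes an injected handler inert even if some other innerHTML sink is missed. The audit only checks script-src and default-src, so a policy that leaves object-src open is a separate problem it does not report.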

The researchers have decided not to publish the full list of vulnerable and protected extensions at this time, to give extension developers ample time to protect their extensions from these kinds of attacks.

The researchers are not aware of attacks exploiting those vulnerabilities at this point and note that nearly all important vulnerable extensions have already been updated.

The full security paper will be released at the beginning of November. (via)


© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. | Permalink |