3

For security considerations I am wondering if Chrome extensions had access to an app. I design a Chrome App which handles sensitive data. As far as I understand it, that app runs in a sandboxed environment which should be fairly isolated. If a user had by mistake installed a malicious Chrome extension, would that extension be able to intercept/modify any of the sensitive data in the app?

Please note that I do not consider other ways of interceptions outside of the Chrome environment, e.g. some virus that allows someone to get root access or alike. I would just like to understand to what degree a Chrome app is more susceptible to interception than a standard stand-alone application.

Sebastian

SCBuergel
  • 1,613
  • 16
  • 26

2 Answers2

1

On one hand, extensions cannot touch your app's windows (as in, inspection / script injection) in the default environment, even with "debugger" permission. Your "local" data should be safe.

On the other, I tested it and conclude that webRequest API will catch all XHRs you send.

This includes headers for both request and response, and request body. Response body is currently not available for inspection; however, a malicious extension can perform a redirect, modify your request or cancel it.

This was deemed a security issue; as of Chrome 45, extensions can no longer intercept traffic from other extensions and apps. Hosted apps were accidentally included too, but it's a bug that will be fixed soon - traffic from hosted apps will be open to webRequest as normal.

I don't know any other possibility for an extension to snoop on an app (without any anomalous chrome://flag configuration).

Xan
  • 74,770
  • 16
  • 179
  • 206
  • The OP asked specifically about apps, not extensions. Did you really observe that the webRequest API catches requests from apps? – Rob W Jul 16 '15 at 11:13
  • @RobW Yes, I specifically tested that. `` traffic is not caught, while XHR from apps' window code _is_. Does that constitute a security bug? – Xan Jul 16 '15 at 11:21
  • @RobW I emailed you the PoC code so you could take a look and tell if it's intended or not. – Xan Jul 16 '15 at 11:51
  • @Xan I would be happy if you could share the code here or email it to me as well. – SCBuergel Jul 16 '15 at 12:10
  • @Sebastian I want to confirm with Rob first. If it's a security bug, then Chrome team gets the PoC first. – Xan Jul 16 '15 at 12:11
  • @Sebastian Rob has confirmed that this, potentially, is a security bug. I would like to hide this post until it's triaged by Chrome team - but for that I need you to unaccept the answer. Thank you for understanding. – Xan Jul 16 '15 at 12:38
  • @Xan and RobW thanks for looking into this in more detail. I unaccepted the answer and would be happy if you could keep me posted via here, email or send a link to a bug tracking if available. Thanks again. – SCBuergel Jul 16 '15 at 17:01
  • Bug is currently hidden and awaiting triage. – Xan Jul 16 '15 at 17:02
  • @Sebastian Now that the bug is public I updated and restored the answer. – Xan Sep 08 '15 at 18:29
0

Extensions or other apps cannot access data inside other extensions or apps. An exception may be data in the syncFileSystem api, since an extension could be granted access to the user's Gdrive.

Daniel Herr
  • 19,083
  • 6
  • 44
  • 61