
Google Launches Chrome Web Store; Sells Browser Extensions

Google launched the Chrome Web Store this week, much to the delight of Chrome users and Google shareholders alike. Building on the success of the Android Market (also owned by Google), the Chrome Web Store allows developers to easily sell Chrome browser extensions. The popularity of OS X “widgets” (and the announced Mac App Store), Windows “gadgets” and, of course, smartphone app stores proves that there is a consistent market for these small, easy-to-use and powerful applications.

One of the oldest (and most frequently voiced) concerns about Chrome among web-savvy users was its long-standing lack of extensions. The Mozilla Firefox Add-ons page has long listed many useful and popular add-ons to the browser, but Chrome only recently added the ability to run extensions. Although Chrome previously had a search page interface for extensions and themes, the Web Store adds the unique element of monetizing browser extensions. Now, developers can easily sell their app to a wide (and growing) market share of Chrome users, or they can integrate Google AdSense into their free application to make money from banner ad clicks. This type of marketplace is relatively unexplored, so it will be interesting to see how developers fare in this new frontier.

From a security perspective, browser extensions are an interesting niche. On one hand, they exist on the client side and will not be able to interfere with sensitive server-side data. In this way, the credit card information that you have linked to your Amazon account won’t get stolen if you are infected by (or accidentally download and install) a malicious browser extension. Data on the client side, however, is vulnerable to tampering.

One of the information security engineers here at Redspin wrote an amusing Chrome extension as an office prank: it intercepted images and replaced them with those of David Hasselhoff. Although not a terribly malicious extension, it certainly does underscore the inherent risk of running someone else’s code on your machine.

The open nature of Chrome extensions lends itself to easy source code audits that would prevent this type of attack. One would assume that before adding it to the Web Store, a Google engineer must audit the code to make sure it’s not trying to grab credit card numbers. However, the growing size of the Chrome user base and the ease of extension development do present a juicy target for would-be attackers.
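A first-pass check of the kind such an audit could start with, as an added example that is not Redspin's or Google's code: it reads an extension's manifest and flags content scripts and host permissions that reach every site, which is the access an image-replacing extension like the prank above would need. The sample manifests, file names and severity labels are constructed for illustration.

```javascript
// Added example: review an extension's manifest.json for site-wide reach.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Illustrative, not exhaustive: API permissions worth a closer look in review.
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest"]);
const asArray = (v) => (Array.isArray(v) ? v : []);

// Returns a list of findings; severity labels are this example's own convention.
function auditManifest(manifest) {
  const findings = [];
  asArray(manifest.content_scripts).forEach((cs, i) => {
    const broad = asArray(cs && cs.matches).filter((m) => BROAD_PATTERNS.has(m));
    if (broad.length > 0) {
      const files = asArray(cs.js).join(", ") || "(no js listed)";
      findings.push({
        severity: "high",
        where: `content_scripts[${i}]`,
        detail: `${files} runs in every page matching ${broad.join(", ")}`,
      });
    }
  });
  for (const p of asArray(manifest.permissions)) {
    if (typeof p !== "string") continue;
    if (BROAD_PATTERNS.has(p)) {
      findings.push({ severity: "high", where: "permissions", detail: `host access to all sites (${p})` });
    } else if (SENSITIVE_APIS.has(p)) {
      findings.push({ severity: "medium", where: "permissions", detail: `sensitive API: ${p}` });
    }
  }
  return findings;
}

// Constructed sample: manifest of a hypothetical image-swapping extension.
const sampleManifest = {
  name: "Image Swap (constructed sample)",
  version: "1.0",
  content_scripts: [{ matches: ["<all_urls>"], js: ["swap.js"] }],
  permissions: ["tabs", "http://*/*"],
};
// Constructed sample: an extension confined to one site.
const scopedManifest = {
  name: "Scoped (constructed sample)",
  version: "1.0",
  content_scripts: [{ matches: ["https://example.com/*"], js: ["helper.js"] }],
  permissions: [],
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`[${f.severity}] ${f.where}: ${f.detail}`);
}
```

A manifest that passes this check still needs its scripts read; the check only tells a reviewer which extensions can see every page and should be read first.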

Although it is too early to gauge its success, the Chrome Web Store certainly looks like an interesting and novel way to distribute software to the masses.

This Post Has 2 Comments

  1. Monetizing browser extensions? Not sure how I feel about that, after using free Firefox extensions for years..
    Excellent write-up.

  2. Interesting – the Hasselhoff prank does highlight the kinds of creative security exploits that might get into the wild with Chrome extensions…. by the way, is the Hasselhoff extension available for download?
